Cayman’s Tourism and Transport Ministry was found in breach of local data protection principles when it published the names of the winners of its “vaccine challenge” in mid-2021.
Anyone who received a jab during the vaccination drive, which ran from 8 May to 9 June 2021, had been eligible to enter their names in a draw, which offered more than 500 prizes donated by local businesses.
The winners’ names were subsequently published by the ministry, prompting an own-motion investigation by the Office of the Ombudsman, which deemed that this information was sensitive personal data under the Data Protection Act, as it revealed the vaccination status of the winners.

After the ministry removed the names of the winners from its media sites, the Ombudsman took no further action in relation to the breach.
“Since the Ministry fully cooperated with the Ombudsman and ceased the publication of the sensitive personal data of the winners of the challenge, including its removal from all media and social media under its control, the case was closed,” the Office of the Ombudsman said in a statement ahead of International Data Protection Day, which is annually celebrated on 28 Jan.
It added, “The Ombudsman conducted an own-motion investigation and found that the Ministry did not meet the requirements of the first data protection principle because it did not provide an adequate privacy notice explaining the purposes for processing the data. As well, the Ministry did not have valid consent or another legal basis for the processing as required by law.”
The first data protection principle is “fair and lawful processing”, which the Ombudsman explained, “means that you should always handle personal data in ways that people would reasonably expect. You should also not handle personal data in any way that would have an unjustifiable adverse effect on them.”
The Ombudsman added that the publication of the data was excessive in relation to the stated purposes – in breach of the third data protection principle, which states that “personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are collected or processed”.
The Ombudsman, the statement said, made recommendations for any similar initiative in the future, including “that individuals should be provided with a compliant privacy notice, that a legal basis for processing should exist, and that more privacy-friendly options be found”.
The ministry’s breach was one of a number of cases highlighted by the Office of the Ombudsman in its roundup of data protection cases to mark International Data Protection Day.
It noted that more than 360 reports of data protection-related complaints and personal data breaches have been received since the commencement of the Data Protection Act on 30 Sept. 2019, as well as more than 650 inquiries.
During 2022 alone, the Ombudsman was notified of 101 data breaches, and received 28 complaints under the act, as well as 136 inquiries.
“The Act contains important privacy rights for individuals, including the right to be informed about how personal data is being used. Individuals also have the right to request corrections to inaccurate personal data, to object to direct marketing and to request access to their personal data,” the Office of the Ombudsman said.
It added that the act also sets rules for the use of personal data by public and private sector organisations based on eight core principles, which include fairness, data minimisation, adequacy, retention and security of personal data processing.
The Ombudsman’s Office is tasked with oversight and enforcement of the Data Protection Act, and it reminds individuals that they have the right to complain to the Ombudsman if they believe their data is not being processed legally or fairly.
“Businesses, organisations and public authorities must report personal data breaches to the Ombudsman as well as to the individuals affected. In the coming year, the Office of the Ombudsman will continue periodic outreach and public education efforts to ensure compliance with the important privacy protection requirements contained in the Act,” it added.
Cyber attack triggered concern
Apart from the public sector breach, the Ombudsman also looked into a private sector breach at a financial services company following a cybersecurity incident in which its systems were hacked.
In that incident, the personal data of some 26,290 individuals with differing risk profiles was accessed or exfiltrated.
The Ombudsman and the data subjects, as required under the Data Protection Act, were notified of the data breach.
Two IT firms conducted a forensic investigation which found that the breach resulted from an existing vulnerability due to an apparent lack of adequate security standards to safeguard systems and data which were not maintained.
Additionally, it was found that up-to-date security patches were not installed, regular vulnerability assessments or penetration testing were not undertaken, and staff awareness was lacking, contrary to industry best practice.
“The potential exfiltration of personal data continues to represent a risk for the affected individuals. On the balance of probabilities, the Ombudsman concluded that the data controller had violated the seventh data protection principle which requires appropriate organizational and security measures,” the Ombudsman’s Office said.
However, it ruled that there was no substantial harm or substantial distress, as no sensitive data were involved.
“As such, a monetary penalty was not considered appropriate. The Ombudsman also took into consideration the swift action taken by the data controller in implementing immediate and long-term technical and organizational measures to improve its infrastructure security. The data controller is required to continue carrying out regular (at least annual) security audits, and ensure that it stays up to date,” it said.