The Cayman Islands government has signaled its intention to proceed with enacting a Data Protection Law, aimed generally at shielding the privacy of individuals’ personal information.
Cabinet members announced their “final” attempt at public consultation on the proposed legislation Friday.
“While the proposed legislation requires that individuals must be able to access information about themselves, it further states that such data must be properly handled by any public and private sector agencies which retain it,” the government statement read.
The bill also outlines what is considered “personal data” and “sensitive personal data” regarding any individual that must not be disclosed, purposefully or accidentally, except in specific circumstances.
Sensitive personal data includes information relating to racial or ethnic origins, political opinions, religious beliefs, membership in a trade union, health-related data, sexual preferences and information related to the commission of an offense.
The government has been attempting to enact some form of data protection legislation since 2011 without much success. Pushback from local business owners concerned about what it would cost them to comply with such legislation has previously been a major concern.
The Data Protection Draft Bill, 2011, was similar to legislation approved in the 1990s by the European Union and the United Kingdom, seeking to regulate the processing of personal data to ensure those records are maintained fairly, accurately and kept from those with no right to see them. The proposal also had major implications for the territory’s Freedom of Information Law and how government employees, journalists and artists can make use of personal information.
Under the current draft bill, the Information Commissioner’s Office, which handles FOI appeals, would also oversee data protection legislation. The Cayman Islands Human Rights Commission, then headed by chairman Richard Coles, reviewed the bill late in 2012 and reported on it to the Legislative Assembly. Among the concerns identified by the commission was that the general complexity of the bill makes it unfriendly for users.
“The aim of the Data Protection Law is to protect individuals’ rights with regard to data specific to them; persons cannot grasp, defend, nor exercise such rights without the requisite understanding of the law itself,” according to the commission’s report. “The extent to which persons, especially small business owners, will receive assistance in adhering to this new piece of legislation was also very concerning.”
Cayman Islands Chamber of Commerce members raised several issues in 2012 during a discussion of data protection, including what new costs would be placed on local firms seeking to comply with the bill’s requirements.
Russell Richardson of the Cayman Islands Information and Communication Technology Authority served on the data protection working group that drafted the discussion bills. “For medium to small businesses, there’s not that much that needs to be done,” Mr. Richardson told Chamber members.
“But how you keep your data is important. Don’t put personal data in your bin that people can go through.”
Also, accidental emails that inadvertently send personal information to the wrong accounts can be a problem, he said.
Exemptions
One effect of the initial legislation was that, for the first time, a formal complaints process could be used against public and private entities that process personal information, including government and the media.
The first draft bill set out a number of exemptions from application of the law, including national security, police and court matters and certain functions of the Crown. For instance, police investigating a criminal complaint would not be prevented from accessing a person’s personal records and, conversely, that person could not request information about what records the criminal investigation held against him or her.
Included among the original exemptions was a “special purpose” exemption for the sake of journalism, literature or art. That means certain requirements under the initial draft of the Data Protection Bill, such as turning over someone’s personal records kept by the organization or person that holds them, would not apply to journalists or artists.
There are some caveats to that exception, according to the draft bill. The person or organization processing the personal data ensures that task is “undertaken with a view to the publication by a person of any journalistic, literary or artistic material.”
Also, according to the draft bill, the person or organization processing the information – known as the data controller – must “reasonably believe” that publication of the matter would be in the public interest and that compliance with data protection legislation is “incompatible” with the special purpose exemption.
Related Videos
