The Office of the Ombudsman has ordered the Public Lands Commission to stop collecting “excessive” personal data on people organising weddings on Cayman’s beaches.
The action comes after a member of the public submitted a complaint to the ombudsman earlier this year, according to details in an enforcement order published online on 9 Nov.
The complainant said the commission was unnecessarily collecting personal data from marriage officers, their staff and clients, when requesting to use public land for weddings.
They also said the frequency with which the personal data was being collected was excessive.
In May, the office began an investigation into the matter and requested information from the commission.
However, due to a lack of response from the commission, the office issued a formal information order.
“Cooperation with the investigations of the Office of the Ombudsman is not voluntary, and data controllers are obligated to answer our reasonable questions,” Ombudsman Sharon Roulstone said in the order.
“We prefer to rely on amicable cooperation rather than on formal orders.”
A month later, in June, the commission responded, clarifying that it is an enforcement entity established under the Public Lands Act (2020 Revision), according to the order.
It said the non-vendor application form, which is used to collect personal data, sets out what is required to process an application for the use of public land.
The commission said the complainant is linked with a “commercial entity” and has filed several non-vendor applications to host weddings for cruise ship passengers this year.
It added “it is the responsibility of the Public Lands Inspectorate to conduct its due diligence as part of the normal course of business of a compliance and law enforcement entity”.
The commission admitted it does not have a standard privacy policy, but argued it operates under guidelines in the Data Protection Act and the Freedom of Information Act.
No privacy notice
Following the investigation, Roulstone found that the Public Lands Commission did in fact have a “valid legal basis” for processing personal data.
“But only to the extent that the processing is strictly necessary to exercise its public functions,” she said.
Meanwhile, it contravened two of the Data Protection Act (2021 Revision)’s data protection principles by not providing a privacy notice and “excessively” collecting personal data.
The commission had requested copies of driver’s licences and passports on multiple occasions from the complainant.
As a result, the ombudsman issued an enforcement order to the body demanding that it provide a privacy notice to data subjects when their data is being collected.
As well as to cease collecting excessive personal data on people organising weddings on public land or engaging in other activities detailed in the Public Lands Regulations (2021 Revision).
However, Roulstone said, the Public Lands Commission may continue to process personal data, such as the organiser’s name and contact details, necessary for two purposes.
These purposes are avoiding scheduling conflicts and ensuring accountability for potential damage to public lands or facilities.
The ombudsman added that personal data should only be retained for as long as required for the purposes for which it was gathered.
The actions must be taken within 30 days of the order.
Robust data framework
A spokesperson for the Ministry of District Administration and Lands told the Compass in response to a request for comment that it accepts the ombudsman’s findings.
It added that as the entity responsible for the administrative work of the Public Lands Commission Inspectorate it is committed to implementing the recommended measures.
“The PLC Inspectorate has responsibility for processing the booking of public lands and facilities and will work to ensure a more robust data protection framework is in place.
“This move is part of our proactive approach to streamline operations and enhance security,” the spokesperson said.
They added that the ministry is conducting a review of personal data requirements for all inspectorate-received applications.
This covers areas such as cabana bookings, non-vendor permit applications, and vendor and non-vendor permit applications, the spokesperson said.
“This comprehensive assessment underscores our dedication to aligning our practices in compliance with the Data Protection Act (2021 Revision).
“We believe that these measures not only address the concerns raised but also contribute to an elevated level of service for all individuals engaging with the Public Lands Commission Inspectorate.”
EDITOR’S NOTE: This article was updated on 22 Nov. at 1.05pm to add comments from the Ministry of District Administration and Lands and on 24 Nov. to remove the word ‘foreign’.
Related Videos
