The much anticipated Data Protection Law (the “Law”) which was passed on June 5, 2017 is yet to come into effect, with the commencement date now set for January 2019. However, until then it is important that individuals and entities who are ordinarily resident or engaged in some activity in the Cayman Islands understand how the Law might affect them and what, if any, changes may be required in preparation for its commencement.
Purpose of the Law
The purpose of the Law is to control the way personal information is obtained, recorded, stored and handled, and to provide rights for the protection of that information. It will no longer be acceptable for organizations simply to collect and store personal information about their employees, customers and contractors, for example, without ensuring that proper safeguards, policies and procedures are in place for the information to be processed fairly and in the manner prescribed under the Law.
How does the Law affect you?
The Law provides a legal framework for the processing of personal data by a data controller, who is a person, firm or company who, alone or jointly with others determines the purposes, conditions and manner in which any personal data is, or is to be, processed.
The Law applies to any data controller that is (a) established in the Cayman Islands and the personal data is processed in the context of that establishment; or (b) is not established in the Cayman Islands but the personal data is processed in the Cayman Islands otherwise than for the purposes of transit of the data through the Islands.
Personal data has been widely defined as data relating to a living individual who can be identified. It includes data such as a living individual’s location, online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the living individual. There are certain conditions which the Law prescribes for the processing of sensitive personal data which includes ethnic origin, religious beliefs, physical and mental health, proceedings for any offence committed or alleged to have been committed and the disposal of or sentence in any such proceeding.
Except for a number of exemptions (including exemptions pertaining to national security, health, education, social work, journalism, legal proceedings, legal professional privilege and trusts), the Law will affect a wide cross section of individuals and entities across all industries, whenever they are involved in the processing of an individual’s personal information in the Cayman Islands.
Basic Requirements for Data Processing
Under the Law, a data controller has the legal obligation to ensure that it adheres to the following data protection principles in processing personal data:
- Personal data must be processed fairly, obtained only for one or more specified lawful purposes, and not further processed in any manner incompatible with that purpose or those purposes.
- Personal data must be adequate, relevant and not excessive in relation to the purpose or purposes for which it is collected or processed.
- Personal data should be accurate and, where necessary, kept up to date.
- Personal data processed for any purpose should not be kept for longer than is necessary for that purpose.
- Personal data must be processed in accordance with the rights of data subjects under the Law.
- Appropriate technical and organizational measures should be taken against unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
- Personal data must not be transferred to a country or territory unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
Know your rights
The individual to whom the personal data relates is entitled to certain rights which include a right to:
- be informed by a data controller whether their personal data is being processed and by whom;
- request in writing their personal data and the source of the personal data held by the data controller;
- be informed of any decision which significantly affects the individual and which was made solely on the basis of the processing by automatic means of the personal data for the purpose of evaluating the individual’s performance at work, creditworthiness, reliability, conduct or any other matter relating to the individual;
- require the data controller to ensure that no such decision is taken by or on behalf of the data controller solely on that basis;
- require the data controller to cease processing, or not to begin processing, or to cease processing for a specified purpose or in a specified manner, the individual’s personal data;
- receive compensation for damages suffered by reason of a data controller’s contravention of any requirement under the Law; and
- file a complaint with the Commission about the processing of personal data which is not carried out in compliance with the Law.
While some individuals and companies may already have implemented systems that are compliant with the Law, others will need to conduct an assessment of the way they obtain, record and carry out any operation on personal data, whether it relates to employees, suppliers or customers. Data protection policies and best practice guidelines will need to be adopted to ensure, for example, the integrity of stored personal data, validation and authentication procedures to protect against unauthorized access, disclosure controls, backup and archiving, and a data destruction process, as well as the appointment of an information compliance officer who will be responsible for monitoring and ensuring compliance under the Law.