From Ombudsman CAYMAN ISLANDS

Ombudsman oversees data-related complaints, breaches  

26 January 2023 

The Cayman Islands Office of the Ombudsman marks International Data Protection Day (28 January) having received over 360 reports of data protection-related complaints and personal data breaches since the commencement of the Data Protection Act on 30 September 2019, as well as more than 650 inquiries. 

During 2022 alone, the Ombudsman was notified of 101 data breaches, and received 28 complaints under the Act, as well as 136 inquiries. 

Also last year, the Ombudsman completed an own-motion investigation into a data protection complaint regarding the government’s “Vaccine Challenge” event. The Office also investigated its first criminal prosecution under the Act, a matter that is currently before the courts. 

The Act contains important privacy rights for individuals, including the right to be informed about how personal data is being used. Individuals also have the right to request corrections to inaccurate personal data, to object to direct marketing and to request access to their personal data. The Act sets rules for the use of personal data by public and private sector organizations based on eight core principles. Those include fairness, data minimisation, adequacy, retention and security of personal data processing, among other requirements.  

The Office of the Ombudsman is tasked with oversight and enforcement of the Act. Individuals have the right to complain to the Ombudsman if they believe their data is not being processed legally or fairly. Businesses, organisations and public authorities must report personal data breaches to the Ombudsman as well as to the individuals affected. 

In the coming year the Office of the Ombudsman will continue periodic outreach and public education efforts to ensure compliance with the important privacy protection requirements contained in the Act.

Please visit the Ombudsman website for more information including FAQs, guidance and other resources to help you understand your data protection rights and obligations: www.ombudsman.ky/data-protection or send your questions to: [email protected]  

Sample Data Protection Cases – 2022

Financial services business suffers cyberattack due to deficient security measures – 2 August 2022

A financial services company suffered a cybersecurity incident when its systems were hacked. Personal data of some 26,290 individuals with differing risk profiles was accessed or exfiltrated. The data breach was notified to the Ombudsman and the data subjects, as required under the DPA. Two IT firms conducted a forensic investigation. 

The breach resulted from an existing vulnerability due to an apparent lack of adequate security standards to safeguard systems and data which were not maintained; up-to-date security patches were not installed; regular vulnerability assessments or penetration testing were not undertaken; and staff awareness was lacking, contrary to industry best practice. The potential exfiltration of personal data continues to represent a risk for the affected individuals. 

On the balance of probabilities, the Ombudsman concluded that the data controller had violated the seventh data protection principle which requires appropriate organizational and security measures. However, there was no substantial harm or substantial distress, as no sensitive data were involved. As such, a monetary penalty was not considered appropriate. The Ombudsman also took into consideration the swift action taken by the data controller in implementing immediate and long-term technical and organizational measures to improve its infrastructure security. The data controller is required to continue carrying out regular (at least annual) security audits, and ensure that it stays up to date.

“Vaccine Challenge” violates the DPA – Own Motion Investigation – 14 March 2022

The Ministry of Tourism & Transport held a “Vaccine Challenge” to incentivize the public to get vaccinated against COVID-19, which involved the publication of winners’ names. The data was sensitive personal data under the DPA, as it revealed the vaccination status of the data subjects. 

The Ombudsman conducted an own-motion investigation and found that the Ministry did not meet the requirements of the first data protection principle because it did not provide an adequate privacy notice explaining the purposes for processing the data. As well, the Ministry did not have valid consent or another legal basis for the processing as required by law. In addition, publication of the data was excessive in relation to the stated purposes, in breach of the third data protection principle.

Since the Ministry fully cooperated with the Ombudsman and ceased the publication of the sensitive personal data of the winners of the challenge, including its removal from all media and social media under its control, the case was closed. The Ombudsman made recommendations for any similar initiative in the future, including that individuals should be provided with a compliant privacy notice, that a legal basis for processing should exist, and that more privacy-friendly options be found.

Financial service provider neglects to update their paper files – 31 January 2022

Two individuals opened a joint investment account with a local financial planner. One of the account holders sold his interest in the investment account to the other and notified the data controller. In response, the data controller updated its electronic system, but did not update its paper-based filing system to reflect the change. A new staff member assigned to the investment account erroneously used the outdated information in the paper file to review the account and contact third parties. In doing so, the staff member shared personal data belonging to the account holder with the previous account owner, causing a personal data breach.

The Ombudsman investigated the matter and recommended that the data controller: (1) implement better controls to ensure that data held on all filing systems are up to date; (2) ensure that all employees routinely receive data protection training relevant to their job functions; and, (3) publish an internal written policy or procedure on how staff process personal data in the course of an investment portfolio review.