The Cayman public has two months to digest the Data Protection Bill 2014. It seems a long time but with the draft bill being over 50 pages with legalistic writing you will need all that time.

And you need to read it.

The document speaks to the circumstances in which data is obtained, maintained and protected. It also outlines the rights of persons about whom data is collected (data subjects) and the duties of the persons who are collecting data (data controllers).

The draft bill outlines examples of personal data and sensitive personal data. The broader term includes data that relates to the individual’s location, that person’s online identifier, or one or more factors specific to their physical, physiological, genetic, mental, economic, cultural or social identity.

It also encompasses expressions of opinion about the individual; and any indication of the intentions of the data controller or anyone else in respect of that person.

The draft goes on to detail the procedures by which data subjects may request information about themselves from data controllers, and outlines fines for any failure to comply. It also requires the registration of data controllers.

This is the final public consultation on the Bill before Cabinet completes its review.

What do we mean by a data protection policy?

From Taylor Wessing’s “Why do we need data protection policies?”

It is worth considering what we mean when we talk about a data protection policy. Policies can take many different forms. They may be public facing statements of a company’s commitment and approach to the collection and use of customer personal data or an internal policy directed at telling employees how personal data collected about them will be handled.

Policies are also used to foster certain behaviours, limit negative actions or drive forward particular good practices so that employees, for example, can do their jobs with knowledge and confidence. A policy can, therefore, be a guide to action with detailed information on the steps to achieve the objective of the policy being delivered by separate procedures.

There are a number of reasons why we need data protection policies, with legal requirements being foremost. Data protection laws in the EU place legal responsibility upon the shoulders of the data controller who determines how and why personal data of individuals is processed. Central to these obligations are eight data protection principles, comprising enforceable standards over the way personal data is collected, managed and used.

The principles do not, however, provide a template for compliance. They typically use non-specific terms to describe processing such as “adequate”, “relevant” “fair” and “appropriate” and for this reason, compliance by the controller is down to interpretation – applying the principles to specific circumstances. Although there is no explicit statement in the law that policies must be used, there is an implicit presumption that policies are needed to deliver compliance by helping an organisation and its employees to understand the nuances, consider the data and apply the law appropriately.

If we take, for example, the first of the data protection principles, this requires that personal data is processed “fairly”. The UK data protection Act 1998 (DPA) does not comprehensively explain the concept of fairness, it merely explains in the schedule to the DPA that personal data will only be processed fairly if the data controller has ensured, as far as reasonably practicable, that individuals have information communicated to them. A website privacy policy may be one of the ways this is achieved.

Another example can be found in the security principle. A core requirement of this principle is that security measures must be “appropriate” to prevent data from being accidentally or deliberately compromised. This must include the use of organisational measures, meaning robust policies and procedures that define the security processes of the organisation and clearly delineate the responsibilities for security within the organisation and by any third parties processing personal data on its behalf.

Legal reasons for using policies are clearly very important but equally important are the practical and commercial risks of not having policies. In reality damage to brand and reputation can be more dangerous for an organisation than any risk of action or a fine by the IC.

Business report That said, it is not just about the law or avoiding bad press. There are also positive and practical commercial benefits from using data protection policies. These include enabling uniformity and consistency in decision making, helping to build a culture of awareness and responsibility, making personal data management and infrastructure more resilient; and, through greater transparency, instilling trust and confidence in individuals when they are deciding whether to share their data.

To read the whole article, go to: http://www.taylorwessing.com/globaldatahub/article_why_need_dp_policies.html

See also iNews Cayman article published September 21 2014 “Cayman Islands launches public consultation on data protection” at: http://www.ieyenews.com/wordpress/cayman-islands-launches-public-consultation-on-data-protection/

You can find the link to download the whole draft bill. I urge you to do so.