Knowledge

The Cayman Islands ("Cayman") Ombudsman has issued new guidance ("Guidance") concerning the effect of the Covid-19 pandemic on the management of personal data under the Data Protection Law, 2017 ("Law") which came into force on 30 September 2019.

For more information on this legislation, including the definitions of key terms, see our briefing on Cayman Islands Data Protection Law – Obligations for Cayman Islands Businesses.

The Cayman Public Health Law (2002 Revision) ("PHL") has been amended to include Covid-19 as a notifiable disease. Consequently, under the Public Health (Communicable Diseases) Regulations (1997 Revision) occupiers, controllers of premises, and medical practitioners are obliged to share data which is relevant to identifying a notifiable disease with appropriate parties. Employers, landlords and heads of a household have a legal obligation to notify the appropriate parties concerning potentially infected individuals under public health law. The Guidance advises that this would constitute a legal basis for processing data under the Law, and that employers can share staff health data with authorities for public health purposes.

What sort of information would this cover?
Information on an individual's physical or mental health or condition is classed as sensitive personal information and additional rules apply. The Guidance gives key examples of when sensitive personal data can be processed legally.

• Consent: - Where the processing is done with the consent of the individual;
• Vital Interests: - Where the processing is necessary because there is a medical emergency and it is necessary for the protection of life;
• Medical purposes: - Where the processing is necessary for medical professionals to perform their duties, including public health messaging.

The Guidance advises organisations to review the Ombudsman's advice on the legal basis for processing data on their website, here, to find if there is a legal basis appropriate to their work.

Do the Law's protection principles still apply to health information?
The Law's protection principles still apply, so those processing an individual's data should consider whether their collection and processing of an individual's personal data is necessary to combat risks associated with Covid-19. The third data protection principle requires personal data collected and processed to be adequate, relevant and not excessive in relation to the purpose or purposes for which the data are collected or processed.

What would be acceptable?
The Guidance offers a general guide that whilst an organisation may have an obligation to protect its employees' health, that obligation does not create a need to gather more information than necessary. If information is collected then it must be treated with appropriate safeguards. It suggests it is reasonable to:

• ask people to tell you if they have visited a particular country or are experiencing Covid-19 symptoms;
• ask visitors to consider government advice before they decide to come to your office.

It also suggests that one way an organisation can minimise the information it might need to collect would be to advise staff to call the 24-hour Flu Hotline or email flu@hsa.ky if they are experiencing symptoms or have visited particular countries.

What about harvesting by conferencing etc apps?
The Guidance points out concerns by other regulators about the use of such apps. It urges those collecting and processing data to verify that the apps they use for videoconferencing and online communication are suitable. Your organisation should ensure that it is not capturing any more personal data from people than you would be doing in a face-to-face meeting and that the data collected online is verified – as it would be in a face to face meeting. Any app used should minimise the data collected and the Guidance recommends:

• consider updating your organisation's privacy notice explaining how data will be collected and used by use of the app;
• ensure that the online tool you choose does not further process the personal data you provide to it for any incompatible purposes (such as harvesting contact details to disclose to third parties for targeted online advertising or sending direct marketing communications);
• check the retention periods for personal data are on the online service or app and find out whether you can define or amend these periods to comply with your organisation's retention policies;
• if an individual makes a subject access request your organisation must provide them with access to their personal data;
• check the security provisions such as access control and encryption of the data both in transit and at rest. Make sure there are appropriate agreements required by the Law with any third party software provider engaged as a data processor.
• check whether the country where the app is based is on the European Union's list of countries which have an adequate level of data protection, here. If the app is based in a country not on that list, and none of the exceptions in Schedule 4 of the Law apply, you will have to make your own assessment of the adequacy of the transfer.

How will the Covid-19 pandemic affect enforcement?
The Ombudsman is aware of the difficulties the pandemic is causing and will take those difficulties into account and where the pandemic may result in delays an adjustment to enforcement action, including penalties, will be considered. However the statutory timelines remain in force.

In a separate Press Release dated 3 April 2020, here, the Ombudsman points out that personal data must only be used for a proper purpose, for example treating a patient, and that any medical or administrative staff members who release sensitive personal data to people and who are not authorised to do so can be guilty of an offence under the Law and liable on conviction to a fine of up to $100,000. The Law may also apply to private citizens who disclose information about another person's health, such as whether they have Covid-19. The Ombudsman warns against disclosing any such information as it could result in the same penalties outlined above.