Cayman publishes its data protection regulations and sets a date
10 April 2019
On 2 April 2019 the Cayman Islands ('Cayman') Data Protection Regulations, 2018 ('Regulations') were published in the Gazette, together with a Commencement Order setting a date of 30 September 2019 for the Data Protection Law, 2017 ('Law') to come into force. The Regulations will come into force immediately after the Law comes into force.
What is the new regime?
The regime will protect the storage and use of personal data by those that hold it. When it comes into force, the Law will affect any individual or organisation established in Cayman which processes personal data, even where the processing is conducted outside Cayman. For more information on the start date see here, and for more information on what is personal data, and what counts as processing personal data and a summary of the eight ‘Data Protection Principles’ with which the Data Controller must comply, see here.
What is personal data and who processes it?
To recap, the Law proposes restrictions on the ‘Processing’ of any ‘Personal Data’ relating to any ‘Data Subject’ by or on behalf of a ‘Data Controller’. In this context:
- You are Processing Personal Data if you obtain, record, hold or carry out any operation(s) on Personal Data, such as retrieving, consulting or using it, organising, adapting, altering, combining, erasing or destroying it, or disclosing it by sending it or making it available to a third party.
- Personal Data is any data relating to a living individual who can be identified, and includes but is not limited to their address, any online identifier, their appearance, psychological, genetic, mental, cultural or social identity, or the Data Controller’s (or any other person’s) opinions of or planned action towards them.
- a Data Subject is any living individual who is either identified or who might be identified directly or indirectly.
- a Data Controller is a Cayman established individual or responsible for determining the manner in which Personal Data
What is in the Regulations?
The Regulations set out:
Definitions - primarily in relation to children and those responsible for children;
Charges - information provided in response to a request by a Data Subject shall be provided free of charge, except where the request is proven to be manifestly unfounded or excessive or where it may be obtained under different legislation or administrative procedures, when either reasonable fees or fees which cover the cost of providing the information may be charged;
Extensions of time - there are set conditions for when a Data Controller can extend the time to respond to a request for information;
Not giving a reply - there are circumstances where a Data Controller may apply to the Ombudsman to ask for approval for not giving a reply to a request.
Are there any exemptions?
The Regulations set out the following exemptions and procedures:
Health exemption – for example where the release of Personal Data could reasonably cause mental or physical harm to the Data Subject or any other person;
Education exemption – for example where release of Personal Data in an educational record would be likely to cause serious harm to the physical or mental health or condition of the Data Subject or any other person. (This also covers not having to give answers to questions on upcoming tests or examinations.);
Social work exemption - for example where the release of Personal Data would be likely to prejudice the carrying out of social work by reason of the fact that serious harm to the physical or mental health or condition of the Data Subject or any other person would be likely;
International co-operation – which covers data transfer for the purposes of international cooperation between intelligence or regulatory agencies and is limited to a disclosure that is permitted or required under legislation current at the time or compliance with an order issued by the Grand Court.
Is there a right to complain?
The Law provides a right to complain to the Ombudsman in set circumstances, and under the Regulations a Data Controller has a duty to inform Data Subjects of that right when it applies.