(CMR) The Data Protection Act is proving important in the Cayman Islands, not only because of the large number of reports the Office of the Ombudsman has received since the Act commenced in 2019, but also because it has highlighted a number of shortfalls in several institutions.
The Cayman Islands Office of the Ombudsman marks International Data Protection Day (28 January) having received over 360 reports of data protection-related complaints and personal data breaches since the commencement of the Data Protection Act on 30 September 2019, as well as more than 650 inquiries.
During 2022 alone, the Ombudsman was notified of 101 data breaches, and received 28 complaints under the Act, as well as 136 inquiries.
Financial services business data breach
One data breach investigated was in a financial services business which suffered a cybersecurity attack when its systems were hacked. The Ombudsman found that the financial services business suffered the cyberattack due to deficient security measures.
Another breach in the financial services industry occurred when a financial institution failed to update records, which resulted in personal information being shared with someone who was no longer on an account.
According to the Office of the Ombudsman, two individuals opened a joint investment account; however, one of the account holders sold his interest in the investment account to the other and notified the data controller. In response, the data controller updated its electronic system, but did not update its paper-based filing system to reflect the change. A new staff member assigned to the investment account erroneously used the outdated information in the paper file to review the account and contact third parties. In doing so, the staff member shared personal data belonging to the account holder with the previous account owner, causing a personal data breach.
Also, last year, the Ombudsman completed an own-motion investigation into a data protection complaint regarding the government’s “Vaccine Challenge” event. The Office also investigated its first criminal prosecution under the Act, a matter that is currently before the courts.
What are your rights under the Act?
The Act contains important privacy rights for individuals, including the right to be informed about how personal data is being used. Individuals also have the right to request corrections to inaccurate personal data, to object to direct marketing, and to request access to their personal data.
The Act sets rules for the use of personal data by public and private sector organizations based on eight core principles. Those include fairness, data minimization, adequacy, retention and security of personal data processing, among other requirements.
The Office of the Ombudsman is tasked with oversight and enforcement of the Act. Individuals have the right to complain to the Ombudsman if they believe their data is not being processed legally or fairly. Businesses, organizations, and public authorities must report personal data breaches to the Ombudsman as well as to the individuals affected.
In the coming year, the Office of the Ombudsman will continue periodic outreach and public education efforts to ensure compliance with the important privacy protection requirements contained in the Act.
Please visit the Ombudsman website for more information, including FAQs, guidance and other resources to help you understand your data protection rights and obligations: www.ombudsman.ky/data-protection or send your questions to: [email protected]