(CMR) The CIBC First Caribbean Bank (Cayman) has been given 45 days to explain and provide documentation on the transfer of employees' personal data to other jurisdictions for review by the Office of the Ombudsman.
The order, dated March 21, 2023, was made under the Data Protection Act following an investigation of complaints made by CIBC Cayman employees to the Office of the Ombudsman.
In September 2021 employees of CIBC First Caribbean Bank were informed that a new policy was being implemented, requiring them to provide proof of COVID-19 vaccination or weekly negative PCR test results. Employees who failed to comply were required to go on unpaid leave.
Two employees complained to the Office of the Ombudsman, alleging violations of the DPA. The Ombudsman investigated the allegations and noted that employees were properly informed of the purpose for the data gathering, that this purpose was legitimate and that the data was not kept for longer than required.
However, the Ombudsman also noted several violations under the DPA. The CIBC or Data Controller did not have a valid legal basis (data processing condition) for the processing, as required under the first data protection principle.
It was also found that the processing of the data relating to the data subjects’ vaccination status and PCR testing was excessive as it was not necessary to meet the Data Controller’s obligations under the Labour Act, which was the legal basis relied on.
The Ombudsman also found that a reminder email to employees who had not yet provided their data, sent without use of BCC, risked inferences to be made about the individuals’ health and/or medical status, and therefore violated the seventh data protection principle which requires appropriate technical or organizational measures to protect against the unauthorized or unlawful processing of personal data.
The data processing that led to the complaints is no longer in practice and, therefore, the Ombudsman determined that no corrective action was required. The Ombudsman however required the Data Controller to demonstrate how it is meeting the requirements of the eighth data protection principle which regulates the international transfer of personal data, as this was insufficiently explained during the investigation.
The eighth data protection principle states that “Personal data shall not be transferred to a country or territory unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.”
According to the Enforcement order, the Office of the Ombudsman received contradictory accounts of whether employees’ data was sent abroad or not. One complainant stated that she was told to send her information to the HR department, which she and some others interpreted as the HR department in the Bahamas, while employees in another section of the office had their HR department in the Cayman Islands. According to this version, the data were sent to the Bahamas and were then returned to the Cayman Islands for further action.
CIBC initially contradicted this version of events, stating that individual employees may have misunderstood where to send their information, but that it was the controller's intention that the information should be sent to the local HR department in the Cayman Islands. The instructions provided to staff seem to only refer to “sending the information to HR” without specifying whether this was in the Bahamas or the Cayman
Islands.
However, CIBC confirmed that some employees sent their data to the HR officer in the Bahamas, but it was immediately returned.
Since CIBC has not demonstrated how it is meeting the requirements of the eighth data protection principle, and since it appears that it is transferring personal data to jurisdictions that do not have an adequate level of protection (including, but not limited to, the Bahamas), CIBC was given 45 days to explain and provide documentation for review by the Office of the Ombudsman.
The financial institution will need to provide information on the precise nature of its international transfers of personal data to any non-adequacy countries and the safeguards to protect this data.
Data protection complaints can be made to the Ombudsman’s office at 946-6283 or via email at [email protected].
- Fascinated
- Happy
- Sad
- Angry
- Bored
- Afraid