(CMR) The Ombudsman's office is warning people to discard personal data with best practices in mind whilst being aware of the legal penalties under the Data Protection Law after someone discovered “a significant number of abandoned documents at the George Town landfill.
The astute citizen found the documents and which include sensitive personal information and talk a sample of them to the Office of the Ombudsman for further examination. Their Data Protection Team reviewed the material in detail and found that it contained recording which included publicly available court records, handwritten notebooks (in shorthand) and autopsy reports – some of which contained confidential and sensitive personal information.
They were not able to ascertain the source of the records and if they were publically or privately held. However, they are using this opportunity to remind the public of the importance of proper data management and record-keeping procedures. Proper records management includes the authorized and responsible disposal of documents, especially when documents contain personal information.
It is both a legal requirement and best practice to ensure that measures are taken to protect personal data throughout its life cycle and to only retain personal data for as long as necessary. Disposing of confidential records by abandoning them is not acceptable and should be avoided at all costs. Doing so could constitute a data breach under the Data Protection Law and may be punishable with a fine of up to $250,000.
Government entities are subject to strict retention and disposal rules, and should only dispose of records in an authorized and transparent way, e.g. by shredding or otherwise irreversibly destroying the records in accordance with an approved records disposal schedule, after consultation with the Cayman Islands National Archive.
Private sector entities must be aware of their obligations under the Data Protection Law which recently came into effect. The private sector is not required to adopt a retention and disposal schedule to manage the life cycle of their records and information but it is considered best practice to do so.
For more information on the retention of personal data and the technical and organizational measures that should be put in place to protect personal data. see the Data Protection Guidance for Organizations on the Ombudsman website.