Cayman: Ombudsman issues enforcement order under Data Protection Act
21 April 2023
The Ombudsman has issued an enforcement order under the Data Protection Act (DPA) based on the following facts:
In September 2021, employees of CIBC First Caribbean Bank (Cayman) (the Data Controller) were informed that a new policy was being implemented, requiring them to provide proof of Covid-19 vaccination or weekly negative PCR test results. Employees who failed to comply were required to go on unpaid leave.
Two employees complained to the Office of the Ombudsman, alleging violations of the DPA. The Ombudsman investigated the allegations and noted that employees were properly informed of the purpose for the data gathering, that this purpose was legitimate and that the data was not kept for longer than required.
However, the Ombudsman also noted the following violations under the DPA:
- The Data Controller did not have a valid legal basis (data processing condition) for the processing, as required under the first data protection principle;
- The processing of the data relating to the data subjects’ vaccination status and PCR testing was excessive, as it was not necessary to meet the Data Controller’s obligations under the Labour Act, which was the legal basis relied on;
- A reminder email to employees who had not yet provided their data, sent without use of BCC, risked allowing inferences to be made about the individuals’ health and/or medical status, and therefore violated the seventh data protection principle, which requires appropriate technical or organizational measures to protect against the unauthorized or unlawful processing of personal data.
The data processing that led to the complaints is no longer in practice and, therefore, the Ombudsman determined that no corrective action was required. However, the Ombudsman required the Data Controller to demonstrate how it is meeting the requirements of the eighth data protection principle, which regulates the international transfer of personal data, as this was insufficiently explained during the investigation.
The full text of the order can be found here: https://www.ombudsman.ky/images/pdf/decisions/dp_decisions/DP%20Enforcement%20Order%20CIBC%20FCIB%20202100552-553.pdf
Anyone with questions about Cayman’s Data Protection Act should go to our website www.ombudsman.ky for further information. Data protection complaints can be made to the Ombudsman’s office at 946-6283 or via email at [email protected].