Legislation that is likely to mean at least some change for everyone who does business, operates a non-profit or works in the public sector in the Cayman Islands is being contemplated in draft form. Have you heard of data protection yet?
“This is big.” That was the way Cayman Islands Chamber of Commerce President David Kirkaldy described it during a Wednesday, 26 September, afternoon meeting at Chamber headquarters.
The usually docile ‘Be informed’ gathering at the Governors Square offices was packed with business owners wondering how the government’s proposed Data Protection Draft Bill might affect them.
Chamber members heard that the draft bill seeks to strike a balance between the needs of personal privacy protection, the rights of individuals to know what records government or organisations maintain on them and the rights and responsibilities of certain organisations that may use that data for specific purposes.
“It’s actually quite a complex piece of legislation,” says Deputy Information Commissioner Jan Liebaers.
The Data Protection Draft Bill, 2011, is similar to legislation approved by the European Union and the United Kingdom in the 1990s, which seeks to regulate the processing of personal data to ensure those records are maintained fairly, accurately and kept from those with no right to see them. The proposal also has major implications for the territory’s Freedom of Information Law and how journalists, writers and artists can make use of personal information.
“Data protection is aimed principally at giving effect to the rights to privacy in relation to data while ensuring that certain exceptions are allowed,” states a memorandum attached to the draft bill, which was released in early September for public comment. The public review period will last until 2 November.
There was no stated timeline for when the bill was expected to come before the Legislative Assembly. Liebaers said the public sector would likely adopt the tenets of the bill first, if it was passed into law. Private sector businesses might not see the results of the legal changes until around 2015.
Bill ‘affects everyone’
The Data Protection Bill applies to everyone in the Cayman Islands, public and private sector alike, and entities outside the country that have certain data processing functions here.
Information and Communications Technology Authority Chairman David Archbold directed the efforts of a public-private sector working group that reviewed the draft bill during the last two years. Mr. Archbold said in a statement that many businesses and organisations already comply with data-handling requirements, but that a “minimum standard” for protection of personal data was needed.
First, the bill seeks to define who handles the data as “data controllers” and “data processors”. The draft gives both those groups specific responsibilities, which are generally set out in the “Data Protection Principles”.
“Personal data shall be obtained only for one or more specified, explicit and legitimate purposes and shall not be further processed in any manner incompatible with that purpose or other purposes,” according to the second principle of data protection. A data controller can be a person, corporation, business, non-profit entity, strata or church.
The bill also defines personal data, replacing the definition of that subject contained within the Freedom of Information Law: “Personal data means data related to a data subject and includes an expression of opinion about a data subject and any indication of the intentions of the data controller or any other person in respect of a data subject.”
It also further defines sensitive personal data as issues like a person’s racial or ethnic origin, political opinions, religious beliefs, membership in a trade union, mental or physical health, sex life or any alleged commission of crime.
The law allows anyone whose data is being processed to be granted access to that data, the purposes for which it is being processed and the recipients. These items can include reviews of the person’s performance at work, creditworthiness and “reliability or conduct”.
Liebaers – who was also a member of the government working group on data protection – said another right allows individuals to stop certain people from processing their personal data.
That right is not absolute, however.
“You can’t say to the police: ‘I want you to stop processing my personal data because I don’t want you investigating me’,” Liebaers says. “It doesn’t work like that.”
If the data controller cannot comply with a request from an individual seeking their personal records, they must explain why. The person may ask that data processing stop or not begin if the activity causes them “distress or damage”, including certain “direct marketing” activities.
“An individual who suffers damage by reason of any contravention by a data controller of any requirement of this law has a cause of action for compensation from the data controller for that damage,” according to section 14 of the draft.
Part three of the draft would require the registration of individuals, corporations, businesses, etc. defined as “data controllers”.
The registration includes the name and address of the data controller, descriptions of the type of data they process and of their purposes in doing so, and of the individuals to whom the data controller may disclose the data.
According to the bill, no one may process personal data unless they are registered by the government. It would be considered a criminal offence to do otherwise.
Fines for non-compliance can total $250,000.
The information commissioner is required under the draft to make information on the data controller register available to the public.
The draft also gives the commissioner broad powers to regulate the processing of personal information.
The commissioner’s office would essentially act as the public complaints body with regard to cases where individuals believe their personal data has been mishandled. For the maintenance of the data controller register, the commissioner’s office is allowed to charge a fee. Office members have expressed a desire not to do so.
Asked recently if she thought the bill as proposed would require her office to hire more staff, Information Commissioner Jennifer Dilbert simply replied, “Yes.”
The commissioner is also allowed to obtain search warrants in cases where there is proof that suspected violations of the Data Protection Bill have occurred and can also make “special information orders” in cases where personal data purportedly intended for a specific purpose is actually being used for something else.
Kirkaldy says mid-to-small size businesses were likely to have some concerns about the costs and additional staff time associated with such a proposal.
Liebaers says the problem with data protection internationally was serious and that only a handful of countries outside the European Union actually maintain “adequacy status” of data protection according to EU standards. Nowhere in Asia does; the United States doesn’t either.
Large businesses, particularly in Cayman’s financial services sector, almost certainly comply with the requirements of data protection already, Liebaers says. However, there were quite a few questions from the Chamber audience about what effect data protection might have on Cayman compliance with US tax rules for foreign banks, defined under the Foreign Account Tax Compliance Act or FATCA legislation.
FATCA requires that foreign banks proactively report all accounts maintained by US passport holders for taxation purposes.
Attorney Peter Broadhurst, who also served on the data protection working group, says he believes that any problems with FATCA could probably be resolved by requiring bank customers to “check a box” allowing for their personal data to be transferred out of the country. One of the principles of data protection contained in the draft bill allows the use of personal data if the individual involved gives their consent.
Broadhurst also stressed the importance of businesses proactively registering with the information commissioner’s office if the law is passed by the Legislative Assembly and comes into effect.
“If somebody comes to you and says I want to see my file, and you haven’t registered, you could have problems,” he says.
Russell Richardson of the Cayman Islands Information and Communication Technology Authority also served on the data protection working group.
“For medium to small businesses, there’s not that much that needs to be done,” Richardson says. “But how you keep your data is important. Don’t put personal data in your bin that people can go through.”
Also, accidental emails that inadvertently send personal information to the wrong accounts can be a problem, he says. A lot more guidance for local business owners can be found at www.dataprotection.ky.
There are a number of exemptions to the application of the Data Protection Draft Bill for certain public service functions or industries.
Personal data are exempt from the data protection principles if the exemption was at any time required for the purposes of safeguarding national security. Certain exemptions are also made in cases where economic interests of the Cayman Islands must be safeguarded.
Personal records processed during activities aimed at the prevention, detection and investigation of crimes are exempted under the bill, along with the processing of personal data for the purposes of taxation or for investigation of corruption-related claims.
Certain government functions are also exempted from the bill, including situations that “would likely prejudice the proper discharge of the functions” of the law, the Crown or the Cabinet or other public functions.
“Special purpose” exemptions are set aside for the processing of data “undertaken with a view to the publication by a person of any journalistic, literary or artistic material”.
However, there are certain requirements placed on data controllers in “special purpose” exemption situations.
The data controller must reasonably believe that publication of that data would be in the public interest and that compliance with the data protection requirements would be “incompatible with special purposes”. The bill also requires a data controller to believe the public interest publication of the personal data was “a feasible one”, in line with any code of practice relevant to the publication in question.
Personal data held by public authorities that are normally required to be made public under the Freedom of Information law would also be exempted from provisions of the Data Protection Bill.