Outcomes - Selected Case Summaries
Categories
Monitoring of access to CBC database
Whistleblowing | 09 March 2023
Cayman Islands Customs & Border Control (CBC)
The Office of the Ombudsman (Ombudsman) received a Confidential Whistleblower complaint, which provided notification that the Cayman Islands Customs and Border Control (CBC) appears not to monitor if/when its officers and other public officials access CBC's computerised records management system. These systems contain commercially sensitive information about private businesses and a significant amount of personal information supplied by various users.
The Ombudsman investigated this complaint under the authority granted by section 30 of the Whistleblower Protection Law, 2015.
Based on our findings, it appears the CBC is not currently able to log or audit any user's query "footprint"; the user's access to its computerised record-keeping system is not obvious. The system has the ability to add an audit log function. However, such a function has to be developed for a cost. The Ombudsman has recommended that CBC implement such functionality as soon as possible, if it is not considered impractical in terms of budget constraints, and should then develop a policy and procedure around how it periodically tracks or audits user queries in that system.
Issues identified in our report present significant risks to the CBC as long as they continue. Those risks include potential violation of the Data Protection Act, 2021 Revision (DPA) if unauthorised users access personal information for unintended purposes or in the event CBC does not have appropriate organisational or technical measures in place to protect any personal data that is contained in its IT systems.
The CBC responded to five recommendations made by the Ombudsman as a result of this investigation. Four recommendation responses are currently in progress and CBC has requested additional information from the Ombudsman on the fifth. Our office will continue to monitor CBC’s progress on this throughout 2023.