Guide to Data Protection Act for Data Controllers
- Change log
- Introduction
- How to use this guidance
- Key definitions
- Who does the DPA apply to?
- What is processing of personal data?
- What is a data controller?
- What is a data processor?
- What information does the DPA apply to?
- Data Protection Principles
- First Data Protection Principle - Fair and lawful processing
- Second Data Protection Principle - Purpose limitation
- Third Data Protection Principle - Data minimization
- Fourth Data Protection Principle - Data accuracy
- Fifth Data Protection Principle - Storage limitation
- Sixth Data Protection Principle - Respect for the individual’s rights
- Seventh Data Protection Principle - Security – integrity and confidentiality
- Eighth Data Protection Principle - International transfers
- Legal basis for processing
- Sensitive personal data
- Individual rights
- Personal data breaches
- Exemptions
- National Security
- Crime, government fees and duties
- Health
- Education
- Social Work
- Monitoring, inspection or regulatory function
- Journalism, literature or art
- Research, history or statistics
- Information available to public by or under enactments
- Disclosures required by law or made in connection with legal proceedings
- Personal, family or household affairs
- Honours
- Corporate finance
- Negotiations
- Legal professional privilege and trusts
- Contracts between data controllers and data processors
- Questions or comments?
Introduction
The Data Protection Act (2021 Revision) (the “DPA”) is a powerful piece of legislation. It introduces globally recognized principles about the use of personal data to the Cayman Islands. The DPA aligns the Cayman Islands with other major jurisdictions around the world, notably the European Union, and thereby facilitates the free flow of data – a prerequisite for the Cayman Islands being an equal and competitive participant in today’s globalized economy.
Moreover, the DPA provides a standard framework for both public and private entities in the management of the personal data they use. Internationally active organisations will find many similarities between the data protection act of the Cayman Islands and those of other jurisdictions where they are active. The DPA aims to reduce the administrative burden of operating internationally and cement the Cayman Islands as an attractive jurisdiction in line with international developments.
The DPA also serves as a guide to provide assurance to individuals whose personal data is being processed. Indeed, where individuals feel that they are empowered to manage and control their personal data, they are more likely to share personal data with the organisation, to the benefit of both parties.
The Office of the Ombudsman is the Cayman Islands’ supervisory authority for data protection. As part of this role, the Ombudsman:
- hears, investigates, and rules on complaints;
- monitors, investigates, and reports on compliance by data controllers;
- intervenes and delivers opinions and orders related to processing operations;
- gives orders on rectification, blocking, erasure, or destruction of data;
- imposes temporary and permanent bans on processing;
- makes recommendations for reform both generally and targeted at specific data controllers;
- engages in proceedings where there are violations, and refers violations to the appropriate authorities;
- co-operates with other supervisory authorities;
- publicizes and promotes the requirements of the act and the rights of data subjects; and
- does anything else that is conducive or incidental to the Office’s functions.
The Office of the Ombudsman’s approach to data protection is a practical one. We recognize and respect the fundamental right to privacy. At the same time, we understand that fair and lawful processing of personal data is essential to the modern service economy.
The DPA is modelled on European data protection legislation. Supervisory authorities and court decisions in the European Union will be an important resource for organisations and the Office of the Ombudsman in interpreting and applying the DPA. However, there are a number of differences between the EU legislation and the DPA which must be taken into account when interpreting the legislation.
The guidance in this document is issued pursuant to sections 34(1) and 41 DPA. It aims to explain how the Office of the Ombudsman will likely interpret certain provisions of the DPA, and is not binding.
Acknowledgment
We would like to thank all those who have contributed to this guidance, including Peter Colegate and Peter A. Broadhurst.