Data Protection for the Public

Learn what data protection is and what powerful rights it grants you as an individual.

What is Data Protection?

The Data Protection Act, 2017, (DPA) is a powerful piece of legislation that introduces globally recognized principles surrounding the use of personal information to the Cayman Islands. Most importantly for individuals, it introduces several rights that you can exercise and enjoy to your benefit – both towards public and private organizations. If you think about it, almost everything we do today, whether online or offline, leads to information about us being gathered, stored and otherwise used.

Our guidance for individuals helps you understand the Act and your rights. 

Be sure to also check out our list of Frequently Asked Questions at the bottom of this page.

A Set of Rules

Data protection is a set of rules that defines what organizations may and may not do with the information they hold about an individual. Importantly, it applies equally whether you are dealing with government administration or with a private business.

Personal Data

The technical term for the information regulated by data protection rules is ‘personal data’, and it covers any type of information that can be used to identify you. This may be your employee file, the history of your posts to your favorite social network, or a record of your bank transactions.

Data Controller

This is the technical term for the business, public authority or organization that uses your personal data and is responsible for what happens with it. For your bank transactions this will be your bank, for your employee file it will be your employer.

Processing of Personal Data

Data protection act covers every imaginable use of personal data, starting from its collection to its storage to its use in day to day business, and even its destruction. The technical term used for all these different uses is the “processing” of personal data.


The goal of data protection act is to protect the privacy of the individuals concerned while striking a fair balance with the legitimate interests of those entities that need to use the personal data. You’re happy for your doctor to use your health information to treat you, but you probably wouldn’t be too happy to find an article penned by your doctor telling everyone about your medical condition in the local newspaper.

Right to Privacy

Data protection act is closely related to the fundamental right to privacy, which is enshrined in the right to private and family life of the Cayman Islands’ Bill of Rights, Freedoms and Responsibilities (BoRFR), and in Article 12 of the Universal Declaration of Human Rights. The right to privacy includes the right of individuals to determine who holds information about them and how that information is used, which leads us back to the goals of data protection.

Why do we need Data Protection?

Data protection protects the privacy of everyone in the Cayman Islands and it encourages organizations to treat our personal information responsibly.

Did you know?

Data protection protects you from misuse of your personal data by organizations.

Did you know?

You have a right to access your personal data held by any organization, business, or public authority.

What are the principles of Data Protection?

The Data Protection Act, 2017 is centred around eight data protection principles that set out a framework within which personal data is processed. These eight principles are a good starting point to assess the processing that is being done is being undertaken.

Data Protection Principles

The Data Protection Act, 2017 is centred around eight data protection principles that set out a framework within which personal data is processed. These eight principles are a good starting point to assess the processing that is being done is being undertaken.

Fair and Lawful Use

Personal data must be processed in a fair and lawful manner.

Fair processing means that you should be informed by the organization using your information (the data controller) who they are and what purpose they will be using the information for. This information should generally be provided to you at the moment it is being collected from you, so for example when you sign up to a service the data controller is providing.

Lawful processing means that there must be a legal ground that permits the organization to use your information, for example your consent or because there is a contract with you and using it is necessary to perform that contract with you.

Purpose Limitation

Personal data may only be processed for the purpose it was collected for.

Purpose limitation means that an entity may not collect your information for one purpose and use it for another, incompatible purpose.


If you go to a doctor, you trust that your information will only be used to treat you and to bill you or your insurance company. The doctor may not sell your diagnosis and contact information to a pharmaceutical company, so they can market a new medicine to you. That would be an incompatible use of your data.

Data Minimization

Personal data should only be collected if it is necessary for the purpose 

Data minimization means that an entity should only collect information that is necessary for the purpose and not more.


In practice

When you’re providing your information, ask yourself whether the information is needed. If you don’t think so, ask what the intended purpose is. If you still think you shouldn’t be required to provide the information but the organization demands it, consider making a complaint to the Ombudsman. 


If you shop at a supermarket, they should not require you to provide your phone number. An email provider you sign up with does not need to know your date of birth. Similarly, a credit card application should not require you to give the contact details of your closest living relative.

Data Accuracy

Personal data must always be accurate.

Data accuracy means that the information about you should be correct. This is especially important because personal information is often used to decide something about you.


An insurance company might base its rates on the years of your driving experience and your age. If the records say that you have 12 years of driving experience when, in fact, you have 22 years, you have a right to have the record corrected.

Storage limitation

Personal data may not be kept for longer than necessary 

Storage limitation means that once personal data is no longer needed, it should be destroyed.


If you no longer wish to use a digital service you signed up for, be it an email provider, a social network, or an online video calling application, you can ask to have your account and all associated personal data deleted, in so far as there are no obligations on the service provider to keep some of the information, for example for accounting purposes.

Respect for the individual’s rights

Personal data shall only be processed in accordance with the rights of the individual in mind 

Individual rights means that any processing done must take the rights of individuals into account. It is a reminder towards businesses, public authorities and organizations that they have obligations towards the individuals whose personal data they process.

In practice

Take the time to learn about the data protection principles and to get to know your rights. Be comfortable using them. Contact the Ombudsman if you think we can help you in any way.

Security – integrity and confidentiality

Personal data must always be kept safe 

Integrity and confidentiality means that personal data must be kept secure using both technical and organizational means and that only individuals and entities who need to use it actually have access to it. Keeping it secure means not just from malicious attacks, but also from inadvertent harm.

International transfers

Personal data may not be transferred outside the Cayman Islands unless it is adequately protected 

International transfers means that personal data may not leave the Cayman Islands unless the destination offers a level of protection that is on a broad level the same as here or adequate safeguards are in place to protect the information. This prevents data from being transferred abroad with the goal of skirting the strong Cayman data protection acts.


Our guidance for individuals explains the fundamental data protection principles and the powerful data protection rights.

View guidance

Frequently asked questions

If you have a question, the answer may already be here for you.

What can the Ombudsman help me with?

The DPA grants you a number of powerful rights. The DPA also lays down data protection principles that govern how an organization may use your personal information. We can help you if an organization refuses to respect your rights or where it is using your personal information contrary to the principles.

In the vast majority of cases, you should first contact the organization that is using your personal information to try to resolve your issue. For example, the organization should be the first point of contact when the issue relates to:

  • How your information is being used and handled.
  • Access to your information.
  • Security of your information.
  • Accuracy of your information.
  • Storage duration of your information.
  • Automated decisions based on your information.
  • Direct marketing use of your information.
  • Stopping the use of your information.

Please contact us for informal advice if you are unsure whether you should first try to resolve the issue with the organization or whether it would be more appropriate to contact the Ombudsman first.

How do I submit a complaint to the Ombudsman?

We recommend that you first try to resolve your issue directly with the organization that is using your information, before coming to us. This is particularly the case when you are exercising one of your data protection rights towards the organization.

If you are dissatisfied with the organization’s final response or if they fail to reply to you within a reasonable period of time, or – where provided in the DPA – within 30 days, please contact us using the complaint form.

Can I complain about a violation that occurred before the DPA came into force?

Yes, if the violation is still ongoing, for example where an organization is holding information on you beyond what is needed (see the principle of data minimization).

You cannot complain if the violation is no longer ongoing, for example if the organization has already stopped sending you unwanted direct marketing.

I am receiving unwanted direct marketing. What can I do?

You have a right to stop direct marketing. You should contact the organization responsible for the direct marketing and notify them that you no longer wish to receive direct marketing.

Please contact us if an organization has refused to stop sending you direct marketing.

I've submitted a data protection request to an organization, but they haven't replied to me. What should I do?

Organizations have 30 days to reply to a request, such as a request to access your personal information.

Please contact us if the organization has missed its deadline to reply to your request.