Ombudsman issues enforcement order under Data Protection Act
The Ombudsman has issued an enforcement order under the Data Protection Act (DPA) based on the following facts:
In September 2021 employees of CIBC First Caribbean Bank (Cayman) (the Data Controller) were informed that a new policy was being implemented, requiring them to provide proof of Covid-19 vaccination or weekly negative PCR test results. Employees who failed to comply were required to go on unpaid leave.
Two employees complained to the Office of the Ombudsman, alleging violations of the DPA. The Ombudsman investigated the allegations and noted that employees were properly informed of the purpose for the data gathering, that this purpose was legitimate and that the data was not kept for longer than required.
However, the Ombudsman also noted the following violations under the DPA:
- The Data Controller did not have a valid legal basis (data processing condition) for the processing, as required under the first data protection principle;
- The processing of the data relating to the data subjects’ vaccination status and PCR testing was excessive as it was not necessary to meet the Data Controller’s obligations under the Labour Act, which was the legal basis relied on.
- A reminder email to employees who had not yet provided their data, sent without use of BCC, risked inferences to be made about the individuals’ health and/or medical status, and therefore violated the seventh data protection principle which requires appropriate technical or organizational measures to protect against the unauthorized or unlawful processing of personal data.
The data processing that led to the complaints is no longer in practice and, therefore, the Ombudsman determined that no corrective action was required. The Ombudsman however required the Data Controller to demonstrate how it is meeting the requirements of the eighth data protection principle which regulates the international transfer of personal data, as this was insufficiently explained during the investigation.
The full text of the order can be found here: https://www.ombudsman.ky/images/pdf/decisions/dp_decisions/DP%20Enforcement%20Order%20CIBC%20FCIB%20202100552-553.pdf
Ombudsman FOI Act hearing decision 96
Personal data disclosed under Data Protection Act, not FOI
The Ombudsman has ordered the release of certain personal information to an applicant for a government job in the Mosquito Research and Control Unit of the Ministry of Health.
Ombudsman Sharon Roulstone stated in her hearing decision on the matter that while the request for a full record under the Freedom of Information (FOI) Act was denied, certain information contained in the record was determined to be the personal data of the FOI Act applicant and was required to be disclosed under the Data Protection Act (DPA).
The government job-seeker requested a number of records in relation to his application for the position, for which he was ultimately unsuccessful. The government Ministry replying to the FOI request eventually disclosed some records to the applicant, but denied access to parts of a record stating their release would prejudice the effective conduct of public affairs and harm the public interest in relation to the disclosure of a confidential discussion of opinions during a job recruitment process.
“Although the appeal under the FOI Act was ultimately unsuccessful, the law recognizes that applicants still have the right to access their own personal data,” Ms. Roulstone noted. “This includes the opinions and views of others about him, but not information that is focused on the recruitment process, rather than the applicant.”
Also, unlike the usual approach under the FOI Act, the information disclosed under the DPA as personal data is only disclosed to the applicant. Successful appeals for information under the FOI Act are normally released to the general public. Government was given 10 days to release the additional records to the applicant, which has now been done.
Separately, the Ombudsman also noted significant delays in this hearing on the part of the Ministry of Health and Wellness, which took more than a year to release a heavily redacted report to the applicant and caused significant delays in responding to the Office of the Ombudsman. As a result, the appeal under the FOI Act, in total, took almost two years to resolve.
You can read the full text of the decision here: https://ombudsman.ky/images/pdf/decisions/FOI_Decisions/Hearing%2096-202100364.pdf
Ombudsman staff receives additional investigation training
First-of-its-kind partnership with UK firm
The Office of the Ombudsman staff members, including Ombudsman Sharon Roulstone, spent two weeks between late February and early March in a specially designed advanced investigation training course taught by a 30-year veteran UK police detective.
The training course, delivered by TCM Group’s Chris Howarth, focused on interviewing and investigation techniques which the office is now using in its five disciplines including maladministration, police and whistleblowing complaints, as well as in data protection complaints and FOI appeals.
“The Office of the Ombudsman is an alternate system of justice with extensive powers to guard against governmental abuses of power, unfair decisions, data breaches, procedural unfairness and other matters impacting private persons. Our complaint handling contributes to public confidence in that system, so it was important that our staff have the appropriate investigative skillsets to do their jobs to the highest standard. This training helped provide that,” Ms. Roulstone said. “Each of our five service areas have unique legislation and requirements, yet how we approach each enquiry/investigation should not vary in order to ensure fairness in the process.”
The Advanced Investigation Skills Training course certified Ombudsman staff members in the use of the PEACE interview model, which is currently used by most UK and Canadian investigative services, including some Ombuds offices in those jurisdictions.
“Our staff members individually already bring a variety of skillsets to their respective jobs. The certification of our entire team as investigators, however, brings more integrity to the important decisions we make and assures those seeking justice through our office that our processes are fair and to a high standard,” Ms. Roulstone said.
Mr. Howarth said TCM had instructed similar courses in many jurisdictions around the world, but the Cayman Islands training was the first time such a course had been put together for the unique regulatory role the Office of the Ombudsman occupies.
“It was a real pleasure to be involved in both the design and delivery of this programme,” Mr. Howarth said. “The training focused on evidence-based practices using ethical, values-based decision-making models. I was impressed with the level of engagement and professionalism of the Investigators within the Ombudsman’s office throughout the course.”
Data Protection breach investigation leads to charges
The Office of the Ombudsman completed an investigation into a personal data breach involving a former employee of a local telecommunications company. The ex-employee is alleged to have unlawfully shared customers’ personal information with a police officer, which the officer is then alleged to have used for personal purposes.
The personal data breach was reported on 20 November 2020 under section 16 of the Data Protection Act. A subsequent investigation by the Office of the Ombudsman and the Royal Cayman Islands Police Service (RCIPS) led to criminal charges before the court, including charges against the telecommunications company’s ex-employee and the police officer under section 54 of the Act.
As part of the investigation to determine if the data controller adhered to the seventh principle of the Act, the Ombudsman’s office reviewed various sources of information, including the telecommunication provider’s data protection policies and procedures, the ex-employee’s data protection training records, a confidentiality agreement between the ex-employee and the employer, details on the data controller’s system audit logs, and the ex-employees personal phone records. The office also obtained several witness statements from relevant parties. The investigation determined that the data controller had adequate organisational and technical measures in place to secure the data in spite of the personal data breach.
Given the nature of the breach, the Ombudsman’s office requested the assistance of the RCIPS to conduct a criminal investigation. Following the submission of a legal file to the Office of the Director of Public Prosecutions, a legal ruling recommended the telecommunications company’s former employee and the police officer be charged.
“It is important for all public and private sector employees to be aware that access to, and the processing of, an individual’s personal data must be done fairly and lawfully and only for the purposes for which that data was provided,” said Sharon Roulstone, Ombudsman. “As this case demonstrates, there are potentially serious consequences if personal data is not managed in accordance with the Data Protection Act.”
Own-Motion Investigation into police dog incident
On 9 July 2022, the Royal Cayman Islands Police Service (RCIPS) notified our office of the death of Police Dog Baron.
We immediately opened an own-motion investigation (OMI) under section 3(2)(c) of the Police
(Complaints by the Public) Act and requested the assistance of the Department of Agriculture
Animal Welfare and Control Unit (DOA) to carry out an independent investigation into the
circumstances with our oversight.
As part of our review, the OMB conducted an early inspection of the kennels along with the DOA and identified several areas needing immediate attention. These included:
• The need for a permanent roof outside the kennels, which are located outside in the back of
the police station property
• The creation of a welfare and observation log for each RCIPS dog handler
• The need to clean debris from unused kennels for use as a quarantine area in the event
another animal became unwell
• the removal of chemical and cleaning supplies from the kennel area
• The need to provide an enrichment area for the police dogs to exercise
• The need for air conditioning maintenance at the kennels to be conducted on a regular basis
• The need to clear debris outside the kennels to prevent rodents from entering the area and
potentially biting the dogs
Based on these findings, early recommendations were made to the RCIPS, and periodic inspections of the kennels were conducted. All the above recommendations were promptly actioned by RCIPS.
At the conclusion of the joint investigation into the death of K9 Baron, a file was submitted to the Director of Public Prosecutions (ODPP) on 13 September 2022.
We will not be substantively commenting on our own findings until the completion of any action taken by the ODPP and/or the Cayman Islands court system with respect to this matter as a result of the legal ruling recommendation on 6 January 2023
Ombudsman annual report for 2021 – Demand for services continues to rise
PRESS RELEASE
The Office of the Ombudsman continues to receive an increased number of inquiries and formal complaints/appeals in nearly all areas overseen by the office, as detailed in the 2021 Annual Report made public in Parliament today, 7 December 2022.
Established in September 2017, the Ombudsman’s office entered its fourth full year of operations last year as Cayman’s one-stop-shop for complaints against inefficient or poor government administration, complaints against the conduct of police officers, whistleblower complaints against both public and private sector entities, data protection complaints and reports of data breaches, as well as Freedom of Information (FOI) appeals.
The past year has been one of transition for our office, as the end of 2021 and early 2022 saw the departure of a number of experienced and professional staff members, including former Ombudsman Sandy Hermiston in early 2022. More recently, we saw the hiring of our first Caymanian Ombudsman, local attorney Sharon Roulstone, who took over the post in April 2022.
“Despite the current short staffing situation, our office has many victories to celebrate,” Ms. Roulstone said. “We’ve adopted a modern approach to customer complaints with the creation of an informal resolution process, a flexible way of resolving complaints without the need for time-consuming formal investigations. We have resolved a backlog of more than 140 historical complaints against police conduct. We have established an efficient process for the handling of data protection complaints and reports of data breaches and we continue to successfully resolve FOI appeals.”
Ms. Roulstone noted that there is much more work to do, particularly in reforming legislation around whistleblower protection and police complaints. Some sections of the maladministration complaints and the data protection legislation will need review in the coming year as well.
“Our office has been around long enough for us to have a good understanding of what’s working and what isn’t,” Ms. Roulstone said. “We have already taken plans for reform of certain areas to lawmakers, and we will hopefully be adding to those in the near future.”
An overview of each section of the Office of the Ombudsman for the calendar year 2021 is provided below.
FOI
After seeing an initial dip early in the year, 2021 ended as our office’s busiest-ever in terms of FOI appeals. A total of 17 appeals were carried forward from 2020 and a record-breaking 31 new appeals were received. Out of all those cases (48), a total of 33 were resolved, most via our standard informal resolution process.
Topics requested via FOI continue to cover a myriad of government entities, including statistics on prosecutions undertaken by the Department of Environment, statistics on trade and business licenses, CINICO health insurance claims and requests for the minutes of Health Practice Commission meetings.
During the year, the Ombudsman issued six binding hearing decisions for FOI appeals. Three of these appeals were dismissed, two were fully upheld and one partially upheld, meaning information was ordered to be released. The formal decisions also dealt with a wide variety of subjects ranging from the redevelopment of Smith Barcadere, the contract of a Law School employee, retail fuel test results, marriage checks by WORC, a report of the review committee on permanent residence, and fee, duty and tax waivers for large developments.
Data protection
Our work in personal privacy protection and data-related complaints continued to increase during 2021. Our office received 30 complaints and 101 data breach notifications, as well as 138 inquiries about data protection. The Ombudsman issued 5 formal enforcement orders in the course of the year, and we resolved 17 complaints and 96 data breaches. These numbers are all significantly higher than in the previous year.
In response to the ongoing Covid-19 pandemic, we published additional guidance on vaccination and the Covid-19 status of employees and patrons of fitness establishments, as well as further guidance on our methodology for monetary penalty orders.
Maladministration
The last year also saw a significant increase in maladministration complaints. Our office recorded 122 new inquiries in 2021, compared to 109 during 2020. The impact of Covid restrictions was the area which generated the most complaints, across a number of government agencies.
We received a total of 65 formal complaints, in addition to 11 that were carried forward from 2020, across all sectors of government. Of these, 53 complaints were resolved with 21 being informally resolved without the need for a formal investigation. The year ended with 23 open cases that will carry forward to 2022 and 28 complaints that were rejected for lack of jurisdiction. As in previous years, we were able to resolve most complaints informally, thanks to the cooperation of many across the public sector.
There continues to be a need for the development of, and public access to, policies and procedures for almost all government departments. This is one of our most common complaints and we continue to encourage the development and accessibility of these important tools to the public. Without these written, publicly available policies, there is a risk of inconsistency in decision-making leading to a perception of bias.
Police complaints
In relation to complaints against police conduct, our office received 60 new inquiries in 2021, a slight increase over the 52 from 2020. The number of formal complaints received decreased to 28 over the previous year’s 57 and we carried over 15 existing complaints from 2020. A total of 4 cases were closed by way of formal investigation while 11 were informally resolved. Of the remainder, 3 were rejected for lack of jurisdiction or were time-barred, and 8 were abandoned or withdrawn by the complainant. We have 16 open cases that will carry forward into 2022.
During 2021, our office received its first complaint relating to death or serious harm forwarded to the Office of the Director of Public Prosecutions (ODPP). It was a test of the Police (Complaints by the Public) Act, which has not provided procedural guidance, nor revealed its intention for reporting incidents of death or serious harm to the ODPP. We continue to build on the relationship established with the ODPP as a result of this complaint.
In addition, our office also provided four customer service training classes to approximately 40 RCIPS officers. Our training targets the areas of weakness identified by public complaints or general community concerns and will continue in 2022.
Whistleblowing
Whistleblower protection continues to be the most underused service we provide to the public, but it remains essential to good governance in both the public and private sectors. We are continuing to work on amendments to the Whistleblower Protection Act, which we hope to present to Parliament in 2022.
The number of inquiries (4) from potential whistleblowers was relatively low during 2021. We investigated two complaints with one being resolved. There is a need for greater public awareness of this important tool which will be a focus of our office once the necessary changes are made to the enabling legislation.