21 July 2021 | News

PRESS RELEASE - Ombudsman: Police use of force protected suspect’s life, preserved evidence

A complainant alleged that he was grabbed by the throat, thrown onto a bed in his home and handcuffed by Royal Cayman Islands Police Service (RCIPS) officers who were in the process of executing a search warrant. The complainant asserted this conduct represented an unreasonable use of force by RCIPS officers.  

Ombudsman investigators established that the officers had obtained a lawful warrant for the search. During the search, a police officer saw the complainant picking up a small plate holding an amount of white substance the officer believed was cocaine. RCIPS officers intervened to prevent the complainant from swallowing the substance. The complainant resisted the officers and continued to try to swallow the substance.

Following the struggle, the complainant was taken to hospital and it was determined he had suffered no serious injuries from the incident.  

Section 153 of the Police Act allows an officer to use as much force as is reasonably necessary to effect an arrest. In doing so, an officer must have regard to the nature and gravity of the threat, as well as the potential for adverse consequences resulting from the use of force. In this case, it took a considerable amount of effort from RCIPS officers to restrain the complainant to prevent him from swallowing the substance and the Ombudsman found it was reasonable for the officers to believe the complainant would have done so, if not impeded.   

The Ombudsman accepted the officers’ statements that they were concerned about the complainant’s health and safety and that they believed he was attempting to swallow something that appeared to be cocaine. The Ombudsman found that, if the officers had not restrained the complainant, he would likely have ingested the substance which was subsequently identified to be cocaine. The Ombudsman found that the force used was necessary and reasonable in these circumstances.

 

For more information about our police complaints handling process and how to make a complaint to the Office of the Ombudsman, please see our website at www.ombudsman.ky, call us at 946-6283 or email us at This email address is being protected from spambots. You need JavaScript enabled to view it..

14 July 2021 | News

Annual report for 2020 released 

 

The Office of the Ombudsman’s annual report for 2020 was made public in Parliament today, 14 July 2021.   

During 2020, our office fielded a total of 332 enquiries from members of the public, opened 231 cases for either investigation or informal resolution and resolved 210 cases. By way of comparison, we opened 30 more cases overall during 2020 than in 2019, despite the pandemic and government lockdown during the second quarter.  

A copy of the full report can be found at the following link: https://ombudsman.ky/images/pdf/Office_of_the_Ombudsman_2020_Annual_Report.pdf  

A few areas from the report are highlighted below:  

Data Protection: The largest area of case increases involved Cayman’s Data Protection Act. There were 87 data breaches reported in 2020 and the number of data protection complaints doubled during 2020, compared to 2019. The Ombudsman issued her first enforcement order under the Act, which required the Registrar of Companies to immediately cease gathering and processing personal data of non-registrable persons because there was no legal basis for its blanket approach. The Ombudsman also issued a number of information orders directing both public and private sector entities to provide documents as part of data protection investigations, because the entities were not responding to requests in a timely manner.   

Freedom of Information:  The Ombudsman issued several important decisions regarding government records in 2020. In addition to many FOI appeals that were resolved informally, the Ombudsman issued eight (8) written decisions in 2020.  We also noted a trend since 2017 where a greater number of FOI hearing decisions are being issued by the Ombudsman. Deputy Ombudsman Jan Liebaers recently noted “since September 2017, when the Office of the Ombudsman officially opened, through to December 2020, the Ombudsman issued 26 hearing decisions”. In contrast during the almost nine years between January 2009 and August 2017, there were 54 hearing decisions issued by the Information Commissioner’s Office.   

Maladministration: While the number of maladministration complaints remained about the same from year-to-year, there was a significant increase in the number of informal resolutions of maladministration complaints during 2020 – these are complaints by the public against poor or inefficient government service. Our office managed to resolve 18 complaints informally in 2020, compared to just seven (7) in 2019.   In addition, the office launched four “own motion” investigations which will be published later this year, one of which is a joint investigation under the Data Protection Act. 

“We’ve found that public officials are cooperating to resolve more complaints, meaning that time-consuming investigations are needed less to address people’s problems,” said Ombudsman Sandy Hermiston. “However, we are still seeing too many complaints about government delay and failure to respond to customers.”   

Our office continues to work with government entities to improve and strengthen internal complaints procedures, as well as to ensure the civil service has appropriate public policies in place to underpin lawful and fair administrative actions in day-to-day operation.  

Police Complaints: Complaints concerning police conduct made by members of the public rose from 33 recorded in 2019 to 52 last year. Amid this increase, our office saw positive strides by the Royal Cayman Islands Police Service in incorporating public complaints against officers’ conduct into its daily work. However, we have identified a continuing need for RCIPS officers to treat people with respect.  

“Too many of our police-related complaints concern simple rudeness or unprofessional conduct, even in cases where the officer has done everything procedurally “by the book”, said Ombudsman Sandy Hermiston. “Police officers can still enforce our laws while acting in a professional and cordial manner and we will hold them to that standard.”    

Whistleblower Protection: The number of reports in this area remained small during 2020. There were six (6) whistleblower reports during 2020, compared with just two (2) in 2019. Our investigators have reported that people seem reluctant to make a protected disclosure when they learn that the Whistleblower Protection Act does not prevent them from being fired from their jobs. The legislation instead provides a remedy only after an employer takes detrimental action against the employee. We intend to make recommendations to our Parliamentary committee regarding this subject.   

The Office of the Ombudsman deals with public sector maladministration complaints, police misconduct complaints, whistleblower complaints, data protection queries and complaints and freedom of information appeals. For more information in any of these areas, please go to our website at www.ombudsman.ky or call us on 946-6283. Queries and complaints can also be sent to our email address at This email address is being protected from spambots. You need JavaScript enabled to view it.    

13 July 2021 | News

PRESS RELEASE 

Ombudsman issues data protection enforcement order against Department of Agriculture 

The Ombudsman has ordered the Department of Agriculture (DoA) to stop collecting personal data from customers purchasing retail goods and to delete any personal data collected without a legal basis. The DoA must also provide a privacy notice when collecting personal data.  

A member of the public submitted a complaint stating that the DoA was unnecessarily collecting personal data from individuals purchasing retail goods such as plants and trees. The information collected included the person’s name, street address, postal address, email address and telephone contact.  

The Ombudsman found the DoA had no privacy notification process to inform its customers who was processing the information or the specific purposes for which that information was being processed. She also found the DoA had no legal basis for processing the personal data of its customers and that collecting the data listed above for a simple retail purchase was unnecessary and excessive. The full text of the order can be found here: https://ombudsman.ky/images/pdf/decisions/dp_decisions/DP_Enforcement_Order_DoA_202000892.pdf   

The DoA was given 30 days to action the required changes. As with all enforcement orders made under the Data Protection Act, the entity against which the order is made has 45 days to comply or seek judicial review of the Ombudsman’s decision.  

In every transaction, whether in the public or private sector, a data controller should collect only the minimum personal data needed for a specified purpose. Customers have a right to know who is processing their information, for what purpose, and all processing must be conducted fairly and legally.  

Anyone with questions about Cayman’s Data Protection Act, should go to our website www.ombudsman.ky for further information. Data protection complaints can be made to the Ombudsman’s office at 946-6283 or via email at This email address is being protected from spambots. You need JavaScript enabled to view it..  

21 May 2021 | News

PRESS RELEASE

FOI hearing decision 85: Petrol stations must be identified in quality control tests 

An applicant under the Freedom of Information Law (FOI Law) requested data from fuel quality tests performed by OfReg that would identify specific retail petrol stations. All stations are periodically tested by OfReg, the Cayman Islands multisector utilities and commodities regulator.   

Currently, those test results are published on the OfReg website, but the names of the stations are not disclosed, instead code numbers are used for each petrol station.  OfReg argued that revealing the actual names and locations of the tested petrol stations would prejudice the businesses’ commercial interests. OfReg also stated the release of the names of individual fuel retailers could constitute an unreasonable disclosure of personal information.   

The Ombudsman, in FOI hearing decision 85, found that OfReg had not demonstrated harm to commercial interests of the petrol stations would be likely to occur if their locations and names were made public in the fuel quality reports. OfReg was given 14 days to disclose the petrol station names to the applicant. 

“OfReg seems to argue that the identity of the retail businesses should be withheld in order to protect the petrol stations in the event that their fuel was found deficient and customers decided to take their business elsewhere,” the Ombudsman, Sandy Hermiston, wrote in her decision. “This position is inconsistent with OfReg’s role of protecting the interests of consumers.”  

The personal information exemption claimed by OfReg was also denied as the names of certain petrol station owners that operated as sole traders, sought under the FOI request, are not considered personal data.  In any case, the names are already in the public domain and would not be unreasonable to disclose, the Ombudsman found.   

Another issue raised by OfReg during the FOI hearing was that there is no standard for fuel quality in the Cayman Islands. The fuel testing programme currently being conducted is done voluntarily without written agreements between OfReg and the petrol retailers as to how these tests should be carried out.  

OfReg officials were concerned that disclosure of the fuel retailers’ and petrol stations’ identity would make them less cooperative with the testing programme. However, the Ombudsman noted the Utility Regulation and Competition Act (2021) gives OfReg broad powers to require production of fuel testing information if the petrol stations were to become recalcitrant.

Finally, OfReg argued that the fuel test results could be misinterpreted and that misinterpretation – if linked to specific retail providers – could potentially result in loss of business and reputational issues for the business.  

“The risk that government information is misinterpreted always exists, but it is not removed by withholding records,” wrote the Ombudsman.  “The best way to counter misinformation about fuel test results is to educate consumers and help them to protect their health, safety and financial interests from an informed position.”  

The full text of decision No. 85 can be found here: https://ombudsman.ky/images/pdf/decisions/FOI_Decisions/Hearing_Decision_85-202000964.pdf

 

 

24 March 2021 | News

PRESS RELEASE

Private school ordered to destroy recordings of meeting with staff member

The Ombudsman has ordered St. Ignatius Catholic School to destroy all copies of a recording of a meeting with a member of staff, finding that the school made the recording without a legal basis under the Cayman Islands Data Protection Law (2017). The Ombudsman’s order also made several recommendations on how the school could improve data protection measures related to its employees.  

The Ombudsman expressed concern about the meeting, in that consent was not an appropriate legal basis for the recording as argued by the school, the employee was not initially told the recording was taking place and then did not receive a copy of the recording within the statutory 30 days.  

“The Data Protection Law requires that when processing personal data, including the recording of a conversation, the person being recorded must be aware the processing is taking place and the reason for it,” said Sandy Hermiston, Cayman Islands Ombudsman. “It is also crucially important that consent is only used when appropriate, but not where there is a significant imbalance, such as between an employer and an employee.”

Under the law, consent must also be freely and knowingly given, not implied. Ms. Hermiston said school officials did not meet that requirement in this instance and that it appears the employee was never told why the recording was taken.   

“Even asking someone ‘is it OK if I record this?’ does not pass muster with the law, if they are not told the reasons it is happening,” said Deputy Ombudsman Jan Liebaers. “In this instance, seeking consent for the recording after the meeting had already started and then merely asking for the employee’s permission to record – without informing her of the reasons – is not what the Data Protection Law requires.”  

An Executive Summary of the enforcement order can be found here: https://ombudsman.ky/images/pdf/DP_Enforcement_Order_202000820_-_Exec_Summary_Final.pdf

As with all enforcement orders made under the Data Protection Law, the entity against which the order is made has 45 days to seek judicial review of the Ombudsman’s decision.

Anyone with questions about Cayman’s Data Protection Law, which took effect on 30 September 2019, should go to our website www.ombudsman.ky for further information. Data protection complaints and/or notifications can be made to the Ombudsman’s office at 946-6283 or via email at This email address is being protected from spambots. You need JavaScript enabled to view it..

22 March 2021 | News

PRESS RELEASE

Ombudsman issues data protection order following ransomware attack

The Cayman Islands Ombudsman has found that a local liquor retail group contravened the Data Protection Law (2017) when it failed to take adequate technical and organizational measures to protect against unauthorized processing of employees’, shareholders’ and pension account members’ personal data.

The Ombudsman also found that Jacques Scott Group Ltd. (JSG) failed to incorporate certain mandatory provisions into its agreement with its IT provider, which constitutes a separate violation. 

JSG reported the ransomware attack last year after employees discovered they were locked out of a number of the company’s critical network systems. The breach involved the personal data of about 150 people but did not include computer passwords or personal financial data. Jacques Scott was proactive in notifying both the Office of the Ombudsman and the affected individuals of the ransomware attack. In addition, along with its IT services provider, the company did take mitigating action following the breach.

It is believed no customer data was accessed and, importantly, there appears to have been no serious or ongoing consequences for those whose data was compromised in the ransomware attack.  

“This situation is a good representation of the serious data protection concerns now facing both private and public sector organizations in Cayman,” said Sandy Hermiston, Cayman Islands Ombudsman. “Mitigation after the fact is simply not enough. All of these entities must proactively take security precautions with their computerized record-keeping systems – the Data Protection Law makes it their responsibility.”

JSG separately sought and received recommendations on IT security from Deloitte and the Ombudsman supported these recommendations, urging their implementation. In addition, the Ombudsman recommended future steps to prevent ransomware attacks including:

-Providing training to employees on cybersecurity prevention and response, in line with any information security policies and procedures the company may develop

-Enabling logs on all critical network devices to ensure information is kept in the event of future cyberattacks and also ensuring multiple backups of information are maintained with that at least one backup kept off-site

-Implementing periodic vulnerability assessments to identify IT security weaknesses

As with all enforcement orders made under the Data Protection Law, the entity against which the order is made has 45 days to seek judicial review of the Ombudsman’s decision. The link to the executive summary of the order can be found here: https://ombudsman.ky/images/pdf/DP_Enforcement_Order_201900212_-_Exec_Summary.pdf

Anyone with questions about Cayman’s Data Protection Law, which took effect on 30 September 2019, should go to our website www.ombudsman.ky for further information. Data protection complaints and/or notifications can be made to the Ombudsman’s office at 946-6283 or via email at This email address is being protected from spambots. You need JavaScript enabled to view it..