FOI Hearing Decision 100: DOT sponsorship records must be released
An applicant under the Freedom of Information Act (FOIA) sought records related to partnership and sponsorship agreements made between the Department of Tourism (DOT) and various overseas entities for the purposes of promoting the Cayman Islands in foreign markets.
The request covered the years 2020-2022. The DOT granted the applicant some records, including various sponsorship or partnership agreements which were released with partial redactions. The DOT withheld the business cases for these agreements stating that they contained trade secrets, and that their disclosure would harm the commercial value of the information and the commercial interests of the parties, therefore exempting them from release under section 21 of the FOIA.
The Ombudsman, Ms. Sharon Roulstone, found that the records which were withheld did not contain any trade secrets, nor did the disclosure of various business cases or agreements prejudice any commercial values or interests. Therefore, the records were required to be disclosed in full, with exceptions for personal contact details and signatures of the private entities who were party to the agreements.
Ms. Roulstone also commented that there had been some procedural difficulties and lengthy delays in DOT’s response to the FOI request.
“I cannot find any good reason for the slow and selective response the DOT gave to the applicant’s request,” the Ombudsman wrote in the hearing decision. “The final explanations for withholding some of the records were not given until more than a year after the request was made. This is not an acceptable way of answering requests under FOIA or of cooperating with my office.”
The DOT has 45 days from the date of the decision to either release the remaining records or seek a judicial review of the Ombudsman’s order to release the responsive documents. The full text of the decision may be found here: https://www.ombudsman.ky/images/pdf/decisions/FOI_Decisions/Hearing%20100%20Decision%20202200303.pdf
The Ombudsman also noted that this hearing decision marks the 100th hearing decision issued by her office, as well as by the former Information Commissioner’s Office, since Cayman’s Freedom of Information Act took effect in January 2009.
“The milestone of 100 hearing decisions since the FOIA was first enacted represents considerable time and effort by our Information Rights team. It is reassuring that Cayman’s FOI process is still strong after all these years and that the Cayman public has kept an interest in their right to know,” Ms. Roulstone said.
Any member of the public wishing to submit an appeal of a government decision on a FOIA request may phone the Ombudsman at 946-6283 or email
FOI Hearing Decision 98 – Public records should be preserved once a FOI request is made
A Freedom of Information (FOI) applicant sought access to a video recording of a court proceeding, which the applicant argued was an administrative record of the court rather than a judicial record. The FOI Act (the Act) does not apply to judicial records.
In reviewing the FOI appeal, the Ombudsman found the video recordings of the court proceedings, done on the Zoom platform, were judicial records and, therefore, not subject to the Act under section 3(5)(a)(i). The Ombudsman found that the recordings were an integral part of the court proceedings, and while records may be created, copied, transcribed, analysed and used by court administrative staff, that process does not change the judicial nature of the recordings.
During the FOI appeal it was determined that no record existed for the Ombudsman to review in relation to the FOI request, because the Zoom platform had already deleted the last recording and the judicial administration office no longer had access to it. The Ombudsman found there were significant delays in communicating the fact of this deletion to the FOI applicant.
“The important point here is not that no record exists today, as the judicial administration indicated, but that the responsive record did exist at the time the (FOI) request was made, and it appears to have been deleted after the applicant made his request under (the Act),” Ombudsman Sharon Roulstone wrote in her appeal decision.
“As soon as the judicial administration became aware of the FOI request, it should have taken immediate steps to prevent the destruction of the responsive recording” Ms. Roulstone explained. “This is so, whether or not the judicial administration thought that the recording represented a judicial function and that the FOI Act would not apply to it. It is the Ombudsman who has the power to decide if a record falls under the jurisdiction of (the Act), and until that question is settled, a public authority is duty-bound to preserve the responsive record.”
The Ombudsman made the following recommendations to the judicial administration office as a result of the FOI appeal hearing decision:
- The judicial administration should seek the assistance of the Cayman Islands National Archive in order to ensure its compliance with the legal requirements for the management, retention and disposal of the records in its custody and control under the National Archives and Public Records Act (NAPRA).
- The judicial administration should develop and implement internal procedures for instigating a legal hold in respect of records requested under the FOI Act and in other appropriate circumstances.
The Ombudsman’s office will monitor the implementation of these recommendations.
You can read the full text of the decision here: https://ombudsman.ky/images/pdf/decisions/FOI_Decisions/Hearing%2098%20Decision%2020230622.pdf
Ombudsman issues enforcement order under Data Protection Act
The Ombudsman has issued an enforcement order under the Data Protection Act (DPA) based on the following facts:
In September 2021 employees of CIBC First Caribbean Bank (Cayman) (the Data Controller) were informed that a new policy was being implemented, requiring them to provide proof of Covid-19 vaccination or weekly negative PCR test results. Employees who failed to comply were required to go on unpaid leave.
Two employees complained to the Office of the Ombudsman, alleging violations of the DPA. The Ombudsman investigated the allegations and noted that employees were properly informed of the purpose for the data gathering, that this purpose was legitimate and that the data was not kept for longer than required.
However, the Ombudsman also noted the following violations under the DPA:
- The Data Controller did not have a valid legal basis (data processing condition) for the processing, as required under the first data protection principle;
- The processing of the data relating to the data subjects’ vaccination status and PCR testing was excessive as it was not necessary to meet the Data Controller’s obligations under the Labour Act, which was the legal basis relied on.
- A reminder email to employees who had not yet provided their data, sent without use of BCC, risked inferences to be made about the individuals’ health and/or medical status, and therefore violated the seventh data protection principle which requires appropriate technical or organizational measures to protect against the unauthorized or unlawful processing of personal data.
The data processing that led to the complaints is no longer in practice and, therefore, the Ombudsman determined that no corrective action was required. The Ombudsman however required the Data Controller to demonstrate how it is meeting the requirements of the eighth data protection principle which regulates the international transfer of personal data, as this was insufficiently explained during the investigation.
The full text of the order can be found here: https://www.ombudsman.ky/images/pdf/decisions/dp_decisions/DP%20Enforcement%20Order%20CIBC%20FCIB%20202100552-553.pdf
Ombudsman FOI Act hearing decision 96
Personal data disclosed under Data Protection Act, not FOI
The Ombudsman has ordered the release of certain personal information to an applicant for a government job in the Mosquito Research and Control Unit of the Ministry of Health.
Ombudsman Sharon Roulstone stated in her hearing decision on the matter that while the request for a full record under the Freedom of Information (FOI) Act was denied, certain information contained in the record was determined to be the personal data of the FOI Act applicant and was required to be disclosed under the Data Protection Act (DPA).
The government job-seeker requested a number of records in relation to his application for the position, for which he was ultimately unsuccessful. The government Ministry replying to the FOI request eventually disclosed some records to the applicant, but denied access to parts of a record stating their release would prejudice the effective conduct of public affairs and harm the public interest in relation to the disclosure of a confidential discussion of opinions during a job recruitment process.
“Although the appeal under the FOI Act was ultimately unsuccessful, the law recognizes that applicants still have the right to access their own personal data,” Ms. Roulstone noted. “This includes the opinions and views of others about him, but not information that is focused on the recruitment process, rather than the applicant.”
Also, unlike the usual approach under the FOI Act, the information disclosed under the DPA as personal data is only disclosed to the applicant. Successful appeals for information under the FOI Act are normally released to the general public. Government was given 10 days to release the additional records to the applicant, which has now been done.
Separately, the Ombudsman also noted significant delays in this hearing on the part of the Ministry of Health and Wellness, which took more than a year to release a heavily redacted report to the applicant and caused significant delays in responding to the Office of the Ombudsman. As a result, the appeal under the FOI Act, in total, took almost two years to resolve.
You can read the full text of the decision here: https://ombudsman.ky/images/pdf/decisions/FOI_Decisions/Hearing%2096-202100364.pdf
Ombudsman staff receives additional investigation training
First-of-its-kind partnership with UK firm
The Office of the Ombudsman staff members, including Ombudsman Sharon Roulstone, spent two weeks between late February and early March in a specially designed advanced investigation training course taught by a 30-year veteran UK police detective.
The training course, delivered by TCM Group’s Chris Howarth, focused on interviewing and investigation techniques which the office is now using in its five disciplines including maladministration, police and whistleblowing complaints, as well as in data protection complaints and FOI appeals.
“The Office of the Ombudsman is an alternate system of justice with extensive powers to guard against governmental abuses of power, unfair decisions, data breaches, procedural unfairness and other matters impacting private persons. Our complaint handling contributes to public confidence in that system, so it was important that our staff have the appropriate investigative skillsets to do their jobs to the highest standard. This training helped provide that,” Ms. Roulstone said. “Each of our five service areas have unique legislation and requirements, yet how we approach each enquiry/investigation should not vary in order to ensure fairness in the process.”
The Advanced Investigation Skills Training course certified Ombudsman staff members in the use of the PEACE interview model, which is currently used by most UK and Canadian investigative services, including some Ombuds offices in those jurisdictions.
“Our staff members individually already bring a variety of skillsets to their respective jobs. The certification of our entire team as investigators, however, brings more integrity to the important decisions we make and assures those seeking justice through our office that our processes are fair and to a high standard,” Ms. Roulstone said.
Mr. Howarth said TCM had instructed similar courses in many jurisdictions around the world, but the Cayman Islands training was the first time such a course had been put together for the unique regulatory role the Office of the Ombudsman occupies.
“It was a real pleasure to be involved in both the design and delivery of this programme,” Mr. Howarth said. “The training focused on evidence-based practices using ethical, values-based decision-making models. I was impressed with the level of engagement and professionalism of the Investigators within the Ombudsman’s office throughout the course.”
Data Protection breach investigation leads to charges
The Office of the Ombudsman completed an investigation into a personal data breach involving a former employee of a local telecommunications company. The ex-employee is alleged to have unlawfully shared customers’ personal information with a police officer, which the officer is then alleged to have used for personal purposes.
The personal data breach was reported on 20 November 2020 under section 16 of the Data Protection Act. A subsequent investigation by the Office of the Ombudsman and the Royal Cayman Islands Police Service (RCIPS) led to criminal charges before the court, including charges against the telecommunications company’s ex-employee and the police officer under section 54 of the Act.
As part of the investigation to determine if the data controller adhered to the seventh principle of the Act, the Ombudsman’s office reviewed various sources of information, including the telecommunication provider’s data protection policies and procedures, the ex-employee’s data protection training records, a confidentiality agreement between the ex-employee and the employer, details on the data controller’s system audit logs, and the ex-employees personal phone records. The office also obtained several witness statements from relevant parties. The investigation determined that the data controller had adequate organisational and technical measures in place to secure the data in spite of the personal data breach.
Given the nature of the breach, the Ombudsman’s office requested the assistance of the RCIPS to conduct a criminal investigation. Following the submission of a legal file to the Office of the Director of Public Prosecutions, a legal ruling recommended the telecommunications company’s former employee and the police officer be charged.
“It is important for all public and private sector employees to be aware that access to, and the processing of, an individual’s personal data must be done fairly and lawfully and only for the purposes for which that data was provided,” said Sharon Roulstone, Ombudsman. “As this case demonstrates, there are potentially serious consequences if personal data is not managed in accordance with the Data Protection Act.”