24 March 2021 | News

PRESS RELEASE

Private school ordered to destroy recordings of meeting with staff member

The Ombudsman has ordered St. Ignatius Catholic School to destroy all copies of a recording of a meeting with a member of staff, finding that the school made the recording without a legal basis under the Cayman Islands Data Protection Law (2017). The Ombudsman’s order also made several recommendations on how the school could improve data protection measures related to its employees.  

The Ombudsman expressed concern about the meeting, in that consent was not an appropriate legal basis for the recording as argued by the school, the employee was not initially told the recording was taking place and then did not receive a copy of the recording within the statutory 30 days.  

“The Data Protection Law requires that when processing personal data, including the recording of a conversation, the person being recorded must be aware the processing is taking place and the reason for it,” said Sandy Hermiston, Cayman Islands Ombudsman. “It is also crucially important that consent is only used when appropriate, but not where there is a significant imbalance, such as between an employer and an employee.”

Under the law, consent must also be freely and knowingly given, not implied. Ms. Hermiston said school officials did not meet that requirement in this instance and that it appears the employee was never told why the recording was taken.   

“Even asking someone ‘is it OK if I record this?’ does not pass muster with the law, if they are not told the reasons it is happening,” said Deputy Ombudsman Jan Liebaers. “In this instance, seeking consent for the recording after the meeting had already started and then merely asking for the employee’s permission to record – without informing her of the reasons – is not what the Data Protection Law requires.”  

An Executive Summary of the enforcement order can be found here: https://ombudsman.ky/images/pdf/DP_Enforcement_Order_202000820_-_Exec_Summary_Final.pdf

As with all enforcement orders made under the Data Protection Law, the entity against which the order is made has 45 days to seek judicial review of the Ombudsman’s decision.

Anyone with questions about Cayman’s Data Protection Law, which took effect on 30 September 2019, should go to our website www.ombudsman.ky for further information. Data protection complaints and/or notifications can be made to the Ombudsman’s office at 946-6283 or via email at This email address is being protected from spambots. You need JavaScript enabled to view it..

22 March 2021 | News

PRESS RELEASE

Ombudsman issues data protection order following ransomware attack

The Cayman Islands Ombudsman has found that a local liquor retail group contravened the Data Protection Law (2017) when it failed to take adequate technical and organizational measures to protect against unauthorized processing of employees’, shareholders’ and pension account members’ personal data.

The Ombudsman also found that Jacques Scott Group Ltd. (JSG) failed to incorporate certain mandatory provisions into its agreement with its IT provider, which constitutes a separate violation. 

JSG reported the ransomware attack last year after employees discovered they were locked out of a number of the company’s critical network systems. The breach involved the personal data of about 150 people but did not include computer passwords or personal financial data. Jacques Scott was proactive in notifying both the Office of the Ombudsman and the affected individuals of the ransomware attack. In addition, along with its IT services provider, the company did take mitigating action following the breach.

It is believed no customer data was accessed and, importantly, there appears to have been no serious or ongoing consequences for those whose data was compromised in the ransomware attack.  

“This situation is a good representation of the serious data protection concerns now facing both private and public sector organizations in Cayman,” said Sandy Hermiston, Cayman Islands Ombudsman. “Mitigation after the fact is simply not enough. All of these entities must proactively take security precautions with their computerized record-keeping systems – the Data Protection Law makes it their responsibility.”

JSG separately sought and received recommendations on IT security from Deloitte and the Ombudsman supported these recommendations, urging their implementation. In addition, the Ombudsman recommended future steps to prevent ransomware attacks including:

-Providing training to employees on cybersecurity prevention and response, in line with any information security policies and procedures the company may develop

-Enabling logs on all critical network devices to ensure information is kept in the event of future cyberattacks and also ensuring multiple backups of information are maintained with that at least one backup kept off-site

-Implementing periodic vulnerability assessments to identify IT security weaknesses

As with all enforcement orders made under the Data Protection Law, the entity against which the order is made has 45 days to seek judicial review of the Ombudsman’s decision. The link to the executive summary of the order can be found here: https://ombudsman.ky/images/pdf/DP_Enforcement_Order_201900212_-_Exec_Summary.pdf

Anyone with questions about Cayman’s Data Protection Law, which took effect on 30 September 2019, should go to our website www.ombudsman.ky for further information. Data protection complaints and/or notifications can be made to the Ombudsman’s office at 946-6283 or via email at This email address is being protected from spambots. You need JavaScript enabled to view it..

09 February 2021 | News

PRESS RELEASE

The Ombudsman issues hearing decision 83 - Extract of Cabinet decision ordered released 

A Freedom of Information (FOI) applicant sought various records related to the Smith Barcadere (Smith Cove) Redevelopment Project, including an extract of Cabinet minutes related to the governing body’s decision on whether an exemption to the requirement to seek planning permission should be granted for the project.

The Cabinet Office denied the initial request under section 19 of the FOI Act, stating that the extract was a record of deliberations arising in the course of Cabinet proceedings. The Cabinet Office did not conduct an internal review of the request as required by the FOI Act, which allowed the applicant to appeal the matter directly to the Ombudsman. The contested record in this appeal hearing was the extract, an excerpt of the Cabinet minutes in relation to this project, not the full record of the meeting minutes.  

In reviewing the extract, the Ombudsman found it does not document any Cabinet discussion, does not show how Cabinet reached its decision, does not state any matters being considered in that decision and gives no details of Cabinet members’ discussions. These issues are important in determining whether the section 19 exemption of the FOI Act would apply. The Ombudsman found the wording of the section 19 exemption focuses on consultative or deliberative processes of Cabinet.    

Moreover, the Cabinet decision was already a matter of public record, as it had been reported in the local media. Additionally, the Cayman Islands Development and Planning Act requires any granted exemption from planning permission to be listed in the Cayman Islands Gazette, a public document. The Ombudsman found no evidence that gazettal of this decision occurred. However, if the project were exempted from planning requirements the Act would have required that decision to be made public.   

“The FOI Act is in place to promote government openness and transparency and decisions made under this legislation should give due regard to that fact,” said Sandy Hermiston, Cayman Islands Ombudsman. “Public authorities have an opportunity to argue against disclosure based on an exemption or other reason under the Act.”

The Ombudsman ruled that the extract from the Cabinet minutes containing information on whether Cabinet granted planning exemptions in relation to the Smith Barcadere Redevelopment Project is not exempt under section 19(1)(a) of the FOI Act and that the Cabinet Office must disclose the extract related to this decision. A further finding is that the Cabinet Office violated provisions of section 34 of the FOI Act when it failed to conduct an internal review of its original decision to deny release of the extract record.  

The full text of the decision is available at the link: https://ombudsman.ky/images/pdf/decisions/FOI_Decisions/Hearing_Decision_83.pdf

FOI applicants wishing to appeal a government decision of an FOI request may contact the Office of the Ombudsman via phone at 946-6283 or via email at This email address is being protected from spambots. You need JavaScript enabled to view it.. Our website, www.ombudsman.ky also has much more information about the open records process in the Cayman Islands.

27 January 2021 | News

PRESS RELEASE

On Thursday, 28 January the Cayman Islands joins the rest of the world in marking International Data Protection Day.  

Cayman’s Data Protection Law (DPL), which came into effect on 30 September 2019, contains important rights for individuals, including the right to be informed about how personal data is being used. Individuals also have the right to request corrections to inaccurate personal data, to object to direct marketing and to request access to their personal data. 

The DPL also sets rules for the use of personal data by public and private sector organizations based on eight core principles. Those include fairness, adequacy, retention and security of personal data processing, among other requirements.

The Office of the Ombudsman is tasked with oversight and enforcement of the DPL. Individuals have the right to complain to the Ombudsman if they believe their data is not being processed legally or fairly. 

“With the Data Protection Law just more than a year old, we are seeing high levels of interest from businesses and organizations in the new legislation.” said Sandy Hermiston, Cayman Islands Ombudsman. “Raising awareness of data protection issues, as well as investigating complaints and data breaches, have become one of the busiest areas for our office over the past year, particularly with the onset of Covid-19 as more daily business moves online.” 

The DPL requires personal data breaches to be reported to the Ombudsman and the affected data subjects. The most common data breach notifications involve instances where emails containing personal data have been inadvertently sent to unintended recipients. Individuals who have concerns about how their data is being used by organizations can make a complaint to the Ombudsman for investigation under the DPL. 

Please visit the Ombudsman website for more information including FAQs, guidance and other resources to help you understand your data protection rights and obligations: www.ombudsman.ky/data-protection or send your questions to: This email address is being protected from spambots. You need JavaScript enabled to view it.

 

04 January 2021 | News

PRESS RELEASE

Ombudsman seeks public assistance in investigation 

The Office of the Ombudsman is currently conducting an independent investigation into allegations of delayed police response and lack of police action at the scene of Michael Aaron Bush’s fatal stabbing.

The incident occurred in the early hours of Thursday, 24 December 2020 outside a nightclub complex in the Strand Plaza off West Bay Road.

The Ombudsman asks members of the public who were at the scene that morning to provide any information that would assist in the investigation, including any video footage of the police action at the scene.

All information and material received will be kept confidential. If you have any information, please contact Senior Investigator Peter Mcloughlin at This email address is being protected from spambots. You need JavaScript enabled to view it. or call 244-6162. 

14 October 2020 | News

PRESS RELEASE

Ombudsman negotiates resolution to Cuban financial assistance dispute

The Office of the Ombudsman received a complaint from three Cuban asylum grantees in early August, two of whom lost their jobs in the tourism sector due to the COVID-19 pandemic, who had been denied certain government benefits given to tourism sector workers at the time.

The three were among a group of a few dozen asylum grantees and asylum-seekers who gathered outside the downtown Government Administration Building on August 4-5 attempting to receive financial assistance. The complainants claimed they were denied the assistance because they were not Caymanian. Some of the attendees at the gathering were children who had not eaten properly in days, according to the complainants.

Given the urgency of the situation, an Ombudsman investigator who is fluent in Spanish undertook to mediate the situation between the Cubans and the Customs and Border Control (CBC) department, acting as the go-between and communicating with both sides to effect a swift resolution. As part of those discussions, which included the chief officer for the Ministry of Community Affairs, CBC managers agreed to take over the payment of benefits to asylum grantees and asylum-seekers going forward, as the agency’s officers are more familiar with the legal requirements regarding such individuals.

A CBC “help desk” will be established at the Government Administration Building to assist with asylum-related matters that may arise in the future.

“Although some of the discussions were intense, this ended up being a great example of the dispute resolution services the Ombudsman’s office, aided by a responsive government agency, can provide,” said Sandy Hermiston, Cayman Islands Ombudsman. “Not every problem requires an in-depth investigation, especially when there are matters which must be resolved urgently and government agencies are willing to work towards early resolution.” 

It is also important to note that once a person has been granted asylum, they are afforded similar rights and protections as those given to Cayman Islands citizens, including the ability to apply for and receive assistance with living expenses from government.

Anyone with questions about our office’s work or who wishes to file a maladministration complaint against the government may contact the Office of the Ombudsman via phone at 946-6283 or via email at This email address is being protected from spambots. You need JavaScript enabled to view it.. Our website, www.ombudsman.ky also has much more information about how to do so. All matters discussed are kept strictly confidential.