21 May 2021 | News


FOI hearing decision 85: Petrol stations must be identified in quality control tests 

An applicant under the Freedom of Information Law (FOI Law) requested data from fuel quality tests performed by OfReg that would identify specific retail petrol stations. All stations are periodically tested by OfReg, the Cayman Islands multisector utilities and commodities regulator.   

Currently, those test results are published on the OfReg website, but the names of the stations are not disclosed, instead code numbers are used for each petrol station.  OfReg argued that revealing the actual names and locations of the tested petrol stations would prejudice the businesses’ commercial interests. OfReg also stated the release of the names of individual fuel retailers could constitute an unreasonable disclosure of personal information.   

The Ombudsman, in FOI hearing decision 85, found that OfReg had not demonstrated harm to commercial interests of the petrol stations would be likely to occur if their locations and names were made public in the fuel quality reports. OfReg was given 14 days to disclose the petrol station names to the applicant. 

“OfReg seems to argue that the identity of the retail businesses should be withheld in order to protect the petrol stations in the event that their fuel was found deficient and customers decided to take their business elsewhere,” the Ombudsman, Sandy Hermiston, wrote in her decision. “This position is inconsistent with OfReg’s role of protecting the interests of consumers.”  

The personal information exemption claimed by OfReg was also denied as the names of certain petrol station owners that operated as sole traders, sought under the FOI request, are not considered personal data.  In any case, the names are already in the public domain and would not be unreasonable to disclose, the Ombudsman found.   

Another issue raised by OfReg during the FOI hearing was that there is no standard for fuel quality in the Cayman Islands. The fuel testing programme currently being conducted is done voluntarily without written agreements between OfReg and the petrol retailers as to how these tests should be carried out.  

OfReg officials were concerned that disclosure of the fuel retailers’ and petrol stations’ identity would make them less cooperative with the testing programme. However, the Ombudsman noted the Utility Regulation and Competition Act (2021) gives OfReg broad powers to require production of fuel testing information if the petrol stations were to become recalcitrant.

Finally, OfReg argued that the fuel test results could be misinterpreted and that misinterpretation – if linked to specific retail providers – could potentially result in loss of business and reputational issues for the business.  

“The risk that government information is misinterpreted always exists, but it is not removed by withholding records,” wrote the Ombudsman.  “The best way to counter misinformation about fuel test results is to educate consumers and help them to protect their health, safety and financial interests from an informed position.”  

The full text of decision No. 85 can be found here: https://ombudsman.ky/images/pdf/decisions/FOI_Decisions/Hearing_Decision_85-202000964.pdf



24 March 2021 | News


Private school ordered to destroy recordings of meeting with staff member

The Ombudsman has ordered St. Ignatius Catholic School to destroy all copies of a recording of a meeting with a member of staff, finding that the school made the recording without a legal basis under the Cayman Islands Data Protection Law (2017). The Ombudsman’s order also made several recommendations on how the school could improve data protection measures related to its employees.  

The Ombudsman expressed concern about the meeting, in that consent was not an appropriate legal basis for the recording as argued by the school, the employee was not initially told the recording was taking place and then did not receive a copy of the recording within the statutory 30 days.  

“The Data Protection Law requires that when processing personal data, including the recording of a conversation, the person being recorded must be aware the processing is taking place and the reason for it,” said Sandy Hermiston, Cayman Islands Ombudsman. “It is also crucially important that consent is only used when appropriate, but not where there is a significant imbalance, such as between an employer and an employee.”

Under the law, consent must also be freely and knowingly given, not implied. Ms. Hermiston said school officials did not meet that requirement in this instance and that it appears the employee was never told why the recording was taken.   

“Even asking someone ‘is it OK if I record this?’ does not pass muster with the law, if they are not told the reasons it is happening,” said Deputy Ombudsman Jan Liebaers. “In this instance, seeking consent for the recording after the meeting had already started and then merely asking for the employee’s permission to record – without informing her of the reasons – is not what the Data Protection Law requires.”  

An Executive Summary of the enforcement order can be found here: https://ombudsman.ky/images/pdf/DP_Enforcement_Order_202000820_-_Exec_Summary_Final.pdf

As with all enforcement orders made under the Data Protection Law, the entity against which the order is made has 45 days to seek judicial review of the Ombudsman’s decision.

Anyone with questions about Cayman’s Data Protection Law, which took effect on 30 September 2019, should go to our website www.ombudsman.ky for further information. Data protection complaints and/or notifications can be made to the Ombudsman’s office at 946-6283 or via email at This email address is being protected from spambots. You need JavaScript enabled to view it..

22 March 2021 | News


Ombudsman issues data protection order following ransomware attack

The Cayman Islands Ombudsman has found that a local liquor retail group contravened the Data Protection Law (2017) when it failed to take adequate technical and organizational measures to protect against unauthorized processing of employees’, shareholders’ and pension account members’ personal data.

The Ombudsman also found that Jacques Scott Group Ltd. (JSG) failed to incorporate certain mandatory provisions into its agreement with its IT provider, which constitutes a separate violation. 

JSG reported the ransomware attack last year after employees discovered they were locked out of a number of the company’s critical network systems. The breach involved the personal data of about 150 people but did not include computer passwords or personal financial data. Jacques Scott was proactive in notifying both the Office of the Ombudsman and the affected individuals of the ransomware attack. In addition, along with its IT services provider, the company did take mitigating action following the breach.

It is believed no customer data was accessed and, importantly, there appears to have been no serious or ongoing consequences for those whose data was compromised in the ransomware attack.  

“This situation is a good representation of the serious data protection concerns now facing both private and public sector organizations in Cayman,” said Sandy Hermiston, Cayman Islands Ombudsman. “Mitigation after the fact is simply not enough. All of these entities must proactively take security precautions with their computerized record-keeping systems – the Data Protection Law makes it their responsibility.”

JSG separately sought and received recommendations on IT security from Deloitte and the Ombudsman supported these recommendations, urging their implementation. In addition, the Ombudsman recommended future steps to prevent ransomware attacks including:

-Providing training to employees on cybersecurity prevention and response, in line with any information security policies and procedures the company may develop

-Enabling logs on all critical network devices to ensure information is kept in the event of future cyberattacks and also ensuring multiple backups of information are maintained with that at least one backup kept off-site

-Implementing periodic vulnerability assessments to identify IT security weaknesses

As with all enforcement orders made under the Data Protection Law, the entity against which the order is made has 45 days to seek judicial review of the Ombudsman’s decision. The link to the executive summary of the order can be found here: https://ombudsman.ky/images/pdf/DP_Enforcement_Order_201900212_-_Exec_Summary.pdf

Anyone with questions about Cayman’s Data Protection Law, which took effect on 30 September 2019, should go to our website www.ombudsman.ky for further information. Data protection complaints and/or notifications can be made to the Ombudsman’s office at 946-6283 or via email at This email address is being protected from spambots. You need JavaScript enabled to view it..

09 February 2021 | News


The Ombudsman issues hearing decision 83 - Extract of Cabinet decision ordered released 

A Freedom of Information (FOI) applicant sought various records related to the Smith Barcadere (Smith Cove) Redevelopment Project, including an extract of Cabinet minutes related to the governing body’s decision on whether an exemption to the requirement to seek planning permission should be granted for the project.

The Cabinet Office denied the initial request under section 19 of the FOI Act, stating that the extract was a record of deliberations arising in the course of Cabinet proceedings. The Cabinet Office did not conduct an internal review of the request as required by the FOI Act, which allowed the applicant to appeal the matter directly to the Ombudsman. The contested record in this appeal hearing was the extract, an excerpt of the Cabinet minutes in relation to this project, not the full record of the meeting minutes.  

In reviewing the extract, the Ombudsman found it does not document any Cabinet discussion, does not show how Cabinet reached its decision, does not state any matters being considered in that decision and gives no details of Cabinet members’ discussions. These issues are important in determining whether the section 19 exemption of the FOI Act would apply. The Ombudsman found the wording of the section 19 exemption focuses on consultative or deliberative processes of Cabinet.    

Moreover, the Cabinet decision was already a matter of public record, as it had been reported in the local media. Additionally, the Cayman Islands Development and Planning Act requires any granted exemption from planning permission to be listed in the Cayman Islands Gazette, a public document. The Ombudsman found no evidence that gazettal of this decision occurred. However, if the project were exempted from planning requirements the Act would have required that decision to be made public.   

“The FOI Act is in place to promote government openness and transparency and decisions made under this legislation should give due regard to that fact,” said Sandy Hermiston, Cayman Islands Ombudsman. “Public authorities have an opportunity to argue against disclosure based on an exemption or other reason under the Act.”

The Ombudsman ruled that the extract from the Cabinet minutes containing information on whether Cabinet granted planning exemptions in relation to the Smith Barcadere Redevelopment Project is not exempt under section 19(1)(a) of the FOI Act and that the Cabinet Office must disclose the extract related to this decision. A further finding is that the Cabinet Office violated provisions of section 34 of the FOI Act when it failed to conduct an internal review of its original decision to deny release of the extract record.  

The full text of the decision is available at the link: https://ombudsman.ky/images/pdf/decisions/FOI_Decisions/Hearing_Decision_83.pdf

FOI applicants wishing to appeal a government decision of an FOI request may contact the Office of the Ombudsman via phone at 946-6283 or via email at This email address is being protected from spambots. You need JavaScript enabled to view it.. Our website, www.ombudsman.ky also has much more information about the open records process in the Cayman Islands.

27 January 2021 | News


On Thursday, 28 January the Cayman Islands joins the rest of the world in marking International Data Protection Day.  

Cayman’s Data Protection Law (DPL), which came into effect on 30 September 2019, contains important rights for individuals, including the right to be informed about how personal data is being used. Individuals also have the right to request corrections to inaccurate personal data, to object to direct marketing and to request access to their personal data. 

The DPL also sets rules for the use of personal data by public and private sector organizations based on eight core principles. Those include fairness, adequacy, retention and security of personal data processing, among other requirements.

The Office of the Ombudsman is tasked with oversight and enforcement of the DPL. Individuals have the right to complain to the Ombudsman if they believe their data is not being processed legally or fairly. 

“With the Data Protection Law just more than a year old, we are seeing high levels of interest from businesses and organizations in the new legislation.” said Sandy Hermiston, Cayman Islands Ombudsman. “Raising awareness of data protection issues, as well as investigating complaints and data breaches, have become one of the busiest areas for our office over the past year, particularly with the onset of Covid-19 as more daily business moves online.” 

The DPL requires personal data breaches to be reported to the Ombudsman and the affected data subjects. The most common data breach notifications involve instances where emails containing personal data have been inadvertently sent to unintended recipients. Individuals who have concerns about how their data is being used by organizations can make a complaint to the Ombudsman for investigation under the DPL. 

Please visit the Ombudsman website for more information including FAQs, guidance and other resources to help you understand your data protection rights and obligations: www.ombudsman.ky/data-protection or send your questions to: This email address is being protected from spambots. You need JavaScript enabled to view it.


04 January 2021 | News


Ombudsman seeks public assistance in investigation 

The Office of the Ombudsman is currently conducting an independent investigation into allegations of delayed police response and lack of police action at the scene of Michael Aaron Bush’s fatal stabbing.

The incident occurred in the early hours of Thursday, 24 December 2020 outside a nightclub complex in the Strand Plaza off West Bay Road.

The Ombudsman asks members of the public who were at the scene that morning to provide any information that would assist in the investigation, including any video footage of the police action at the scene.

All information and material received will be kept confidential. If you have any information, please contact Senior Investigator Peter Mcloughlin at This email address is being protected from spambots. You need JavaScript enabled to view it. or call 244-6162.