PRESS RELEASE |
Ombudsman Issues Data Protection Guidance to Employers on Covid Vaccination Requirements
The Office of the Ombudsman has issued general guidance on data protection issues Cayman employers must consider before recording employees’ COVID-19 vaccination status. The guidance is issued in light of the recently approved vaccination requirements regarding work permit applications and renewals in the Cayman Islands.
The guidance will also be useful for companies that are considering requesting vaccination information from Caymanian and non-Caymanian permanent resident employees, beyond what is required by the recent amendments to the Immigration (Transition) Act.
“Although the government is now requiring vaccination information to be submitted prior to the grant or renewal of a work permit, the collection of an employee’s vaccination status by a government agency or a private sector employer must comply with the requirements of the DPA,” Ombudsman Sandy Hermiston said.
The Ombudsman advises businesses to produce a written policy stating how employees’ vaccination checks will be done, and for what purpose. Companies cannot use this information for “incompatible purposes” – meaning purposes other than those for which it was collected. Any processing of personal data must be justified under the DPA, particularly if its use may have negative consequences for employees.
“If you cannot specify your use for this information and are recording it ‘just in case’, or if you can achieve your goal without collecting this data, it is unlikely that you will be able to justify it under the Act,” Ms. Hermiston added.
The DPA requires employers to have a legal basis to collect and process personal data, including information on their employees’ vaccination status. An individual’s vaccination status is classified as ‘sensitive personal data’, given that it is medical data. This means that additional measures must be taken to protect the use of this data.
Businesses and organizations must ensure that they only collect the minimum amount of personal data necessary, hold it only for as long as is needed for the initial purpose, and ensure that it is held securely, with access granted only to those who need to see it. This applies to government-mandated data collection as well as any additional private sector employment requirements.
A copy of the Guidance can be found here: https://ombudsman.ky/images/pdf/pol_guide/DP_Guidance_-_Employee_Vaccination_Status_Oct_2021.pdf
Anyone with questions about Cayman’s Data Protection Act should go to our website www.ombudsman.ky for further information. Data protection complaints can be made to the Ombudsman’s office at 946-6283 or via email at