The Cayman Islands Data Protection Law

2017 Office of the Ombudsman

General introduction to Data Protection

Course Outline

I. What is data protection?

II. What is personal data?

III. What is processing of personal data?

IV. What is a personal data breach?

V. How can I apply data protection to my daily work?

VI. Test questions

Privacy and data protection – two sides of a coin

Privacy is freedom from any unwanted intrusion An intrusion can relate to different aspects of your privacy: - Private communications (e.g. someone eavesdropping)

- Private activities (e.g. someone observing you secretly)

- Private property (e.g. someone entering your home)

- Private information (e.g. someone revealing information

without your permission)

Privacy and data protection – two sides of a coin

Data protection protects your

information from misuse by organizations, businesses and government – it gives you control over your information. The Cayman Islands Data Protection Law, 2017 (DPL), does this by introducing principles and rules that govern the handling of personal information. We will learn more about these principles and rules later on. However, before we can walk the walk, we first need to learn to talk the talk. It’s common sense – we promise!

Information is essential to the functioning

of our society. Organizations, businesses and government all need to use information to provide us with their services. However, the (mis-)use of information can intrude upon our privacy. This is where data protection steps in.

What is personal data?

Personal data works both like a single mosaic stone and like the whole mosaic.

Personal data is all data that relates to a living individual who can be either:

- directly identified (the whole mosaic or portrait), or

- indirectly identified (each mosaic stone, which represents a single piece of data).

Talk the talk – What is personal data?

You can think of your personal data as any information about yourself.

That also includes opinions and intentions about yourself.

The Law gives extra protection to certain categories of sensitive personal data,

including data relating to:

• Race or ethnicity • Political opinions • Religious or similar beliefs • Trade union membership • Genetic data • Physical or mental health or condition

• Medical data • Sex life • Commission or alleged commission of

an offense or their proceedings, their disposal, and any court sentence

The Power of the Mosaic

Source: https://motherboard.vice.com/en_us/article/mg9vvn/how-our-likes-helped-trump-win

[O]n the basis of an average of 68 Facebook "likes" by a user, it was possible to predict their skin color (with 95 percent accuracy), their sexual orientation (88 percent accuracy), and their affiliation to the Democratic or Republican party (85 percent). But it didn't stop there. Intelligence, religious affiliation, as well as alcohol, cigarette and drug use, could all be determined. From the data it was even possible to deduce whether someone's parents were divorced.

You can think of your personal data as any information about yourself. That also

includes opinions and intentions about yourself.

Personal data can reveal a lot about you, even indirect personal data like your Facebook likes:

https://www.wired.com/story/download-facebook-data-how-to-read/

Talking the talk – What is processing?

The DPL applies to the processing of personal data.

Processing is:

• Anything done with the personal data

• Obtaining, recording, holding, organizing, adapting, altering, retrieving, consulting, using,

disclosing, aligning, combining, blocking, anonymizing, erasing, destroying … anything

You can ask yourself the following questions

1. Is this use of the personal data fair? Do I feel comfortable with what I’m doing?

2. Am I using the personal data for the original purpose it was collected for?

3. Am I collecting only the personal data I need, e.g. in the forms I use?

4. Is the personal data I hold accurate?

5. Am I keeping the personal data only as long as necessary?

6. Am I keeping the personal data secure and confidential?

How can I apply data protection to my daily work?

What is a personal data breach?

A personal data breach is …

Any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to personal data.

The Guardian https://www.theguardian.com/world/2018/nov/30/marriott-hotels-data-of-500m-guests-may-have-been-exposed

What should I do if I discover a personal data breach?

Time is of the essence!

1. Immediately notify your manager of the breach. 2. Your organization should have a data breach notification procedure.

Follow it! 3. If your organization does not have one, contact the Office of the

Ombudsman.

Remember! Unless the breach is unlikely to prejudice the rights and freedoms of the data subjects affected, your organization will have to:

1. Notify the Ombudsman and the data subjects of the breach 2. Within 5 days of when you should have reasonably become aware of the breach.

Please visit our website for more information: ombudsman.ky