We intend to provide a wide range of resources to help you understand Data Protection and comment on the draft Bill. So far, this section includes some background on the creation of the Data Protection Working Group ("DPWG"), a summary of the Data Protection Framework created by the European Union, an introduction to the Briefs that we will be making available over the coming months, and a number of links to other useful web sites.

Background

In 2009, the Governor-in-Cabinet established a Data Protection Working Group, with representatives from both the public and private sectors, to make recommendations for the introduction of data protection legislation in the Cayman Islands.

After considerable research, it was decided to base the draft Cayman Islands’ bill on the Data Protection (Jersey) Law 2005 (the “Jersey Law”); however, the DPWG has also addressed many international criticisms of the United Kingdom’s Data Protection Act, upon which the Jersey Law is based. These criticisms are primarily that the UK (and by extension, Jersey) legislation has not fully implemented certain provisions of European Union Directive 95/46/EC. The DPWG has also reviewed the current dialogue within the European Commission and elsewhere regarding modernising the approach to personal data and privacy and, where appropriate, has attempted to anticipate likely changes to the Directive under which the Cayman Islands will seek approval of its data protection regime. Finally, the DPWG has sought to improve upon the Jersey Law by clarifying and simplifying much of the wording and by restructuring sections or whole parts of that Law.

Therefore, although the draft Bill is still based largely on the Jersey Law, there have been many changes, including:

  1. clarification and improvement of definitions with careful attention to the effect on the scope of the law;
  2. substantial restructuring of Parts V and VI to ensure effective oversight and enforcement;
  3. strengthening individual control over personal data and simplifying ways to enforce that control;
  4. addition of an exemption to protect the financial services industry as an important financial interest of the Cayman Islands, which we hope to expand on during public consultation;
  5. introduction of monetary penalties for serious and deliberate or negligent breaches of the law; and
  6. introduction of mandatory notification and mitigating actions where a security breach leads to loss or damage of or unauthorised access to personal data.

Members of the DPWG have worked diligently to make certain the draft Data Protection Bill advances the data protection principles and ensures meaningful and effective legal protection of personal data and individual rights without being overly bureaucratic or burdensome on Government or the private sector. The DPWG now seeks feedback from all sectors of the community.

Principles of Data Protection

The following data protection principles are contained in Schedule 1 to the draft Data Protection Bill. They arise from the EC framework and are similar to the principles for the protection of personal data that were first espoused in the OECD Guidelines Governing the Protection of Privacy and Trans-Border Flows of Personal Data (1980) and upheld in the Council of Europe’s Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (1981) prior to Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data being issued by the EC.

  1. First Principle: Personal data shall be processed fairly. In addition, personal data may be processed only if certain conditions are met, for example the data subject has consented to the processing, or it is required under a law or to protect the individual’s vital interests.
  2. Second Principle: Personal data shall be obtained only for one or more specified, explicit and legitimate purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
  3. Third Principle: Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are collected or processed.
  4. Fourth Principle: Personal data shall be accurate and, where necessary, kept up to date.
  5. Fifth Principle: Personal data processed for any purpose shall not be kept for longer than is necessary for that purpose.
  6. Sixth Principle: Personal data shall be processed in accordance with the rights of data subjects under the Data Protection Law, for example subject access.
  7. Seventh Principle: Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
  8. Eighth Principle: Personal data shall not be transferred to a country or territory unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

These principles ensure that evolving technology and innovative practices cannot circumvent the requirements of the legislation. Each data controller is accountable for complying with these principles for all personal data that are held by that data controller.

EU Framework

The right to privacy was first recognised as a fundamental human right in Article 12 of the 1948 Universal Declaration of Human Rights. This right is also acknowledged in the 1950 European Convention on Human Rights and Fundamental Freedoms and the 1966 United Nations International Covenant on Civil and Political Rights.

Each of these broad-based international agreements clearly states that no one should be subjected to arbitrary or unlawful interference with his or her privacy, family, home or correspondence, or to attacks upon his or her honour and reputation. In general, privacy speaks to the integrity of an individual, encompassing social needs and not only privacy of the person, but also privacy of personal behaviour, personal communications, and personal data.

Data protection is a mechanism to ensure the right to privacy and protect human dignity. It encompasses both social and political values and centres on the right of an individual to expect privacy in the collection and sharing of data, particularly where information being processed is associated with unique individuals. But data protection is not only about privacy and individual rights; legislation is important to regulate information. As technology continues to advance and people develop new uses for personal information, data protection facilitates business and governmental activities in this innovative and increasingly globalised world.

Europe has led efforts to protect individual privacy through strict rules about the use of personal information and empowerment of individuals when it comes to controlling their own personal information. The Council of Europe addressed the issue of personal information the very year it was established in 1949. This drive developed in part from the horrific experiences of World War II and the Cold War with totalitarian governments who abused personal information and used it to carry out atrocities. Europeans treat privacy as a significant and fundamental human right and the legal regime for data protection is unique because of its expansive nature, featuring active oversight and enforcement of laws that cover public and private sectors and all types of data use.

The notion of data protection became more widespread in the 1970s when technological advancements created new ways to electronically collect and use personal data with little regard for the rights of individuals. Efforts eventually led to the Convention for the Protection of Individuals with Regard to the Automatic Processing of Personal Data that was adopted in 1980. The Convention set out basic privacy principles and closely resembled the Guidelines Governing the Protection of Privacy and Trans-Border Flows of Personal Data that were developed by the Organisation for Economic Co-operation and Development around that same time.

Following the Convention, Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data (often referred to as “the Data Protection Directive”) was proposed by the European Commission in 1995. It created a standard framework which allowed each country to develop legislation to provide the accepted minimum level of data protection.

This standard framework was also important in promoting trade within the European Union common market, as it aligned regulations across each member state and ensured that personal data could flow freely across borders without further safeguards being necessary.

The European Commission is empowered by the European Council and Parliament to determine, on the basis of the Data Protection Directive, whether a country outside of its membership ensures an adequate level of data protection. As personal data cannot be transferred between countries if the receiving country has inferior safeguards, this approval would allow personal data to flow between the Cayman Islands and European Union member states, European Economic Area member countries and other approved third countries without further safeguards being necessary.

For more information see the European Commission website.

Briefs

Throughout the public consultation period the Data Protection Working Group and Information Technology Sub-Committee will publish briefs on specific issues arising from the draft Data Protection Bill 2012.

These briefs will highlight certain practical implications that should be considered and draw attention to the ways in which the Bill could impact individuals and businesses. They will not be authoritative interpretations of the draft Bill and will not comprehensively address all potential issues or advise on how to comply with the provisions should the Bill be passed into Law in its current form.

Brief #1: Information Security & the Data Protection Bill by Steve Smith, IT Risk Manager, Walkers

Useful Links

You may find the following links useful:

European Union Sites

Other Small States

Other International

Last Updated 2015-05-08