The Cayman Islands government has published the Data Protection Bill, 2016 (the “Bill”), which proposes a framework of rights and duties designed to safeguard individuals’ personal data, balanced against the need of public authorities, businesses and organisations to collect and use personal data for legitimate purposes.
The Bill was developed in line with international best practices while ensuring that it reflects the specific needs of the Cayman Islands. It is based substantially on the Data Protection Act, 1998 of the United Kingdom.
The Bill is centred around eight data protection principles requiring that personal data must:
- be processed fairly and only when specific conditions are met, for instance where consent has been given, where there is a legal obligation, or where it is necessary for performance of a contract to which the data subject is a party. Additional conditions apply in respect of “sensitive” personal data (examples of which include racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, health, sex life and offences);
- be obtained only for one or more specified lawful purposes, and shall not be further processed in any manner incompatible with such purposes;
- be adequate, relevant and not excessive in relation to the purpose or purposes for which they are collected or processed;
- be accurate and, where necessary, kept up-to-date;
- not be kept for longer than is necessary for the purpose;
- be processed in accordance with the rights of individuals as specified under the draft Bill;
- be protected by appropriate technical and organisational measures against unauthorised or unlawful processing, and against accidental loss, destruction or damage; and
- not be transferred abroad unless the country or territory to which it is transferred ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.