The new Data Protection Law, gazetted in June, will regulate the future processing of all personal data in the Cayman Islands. Employers should take steps now to ensure that they understand their obligations under the new law, that they have in place policies and procedures to properly protect the employee personal data under their control, and that they have given themselves the flexibility to monitor an employee’s use of email, the internet and other devices where necessary.
Employers in Cayman need to get it right – reputations and criminal liability will soon be at stake.
The new law
Drafted around a set of internationally recognized privacy principles, the Data Protection Law 2017 (DPL) provides a framework of rights and duties designed to give individuals greater control over their personal data. Personal data is defined widely to include any data which enables an individual to be identified. Personal data relating to employees must be processed fairly and lawfully and used for a legitimate purpose that has been notified to the employee in advance. Employee data holdings should not be excessive in relation to the purposes for which they are collected and should be securely purged once those purposes have been fulfilled.
An important aspect of employee data is that it almost invariably includes “sensitive personal data” such as information about an individual’s health and ethnic background. Sensitive personal data is subject to enhanced privacy protection under the DPL and therefore requires careful handling.
Protection of employee data by the employer is required throughout the employment relationship. Employers often start collecting personal data before the formal employment relationship commences, through data provided by job applicants in application forms and resumes. The collection of data then continues during the course of the individual’s employment through performance reviews and an employer’s payroll, pension and health insurance obligations. Even after the employment relationship ends, employers will often need to retain data holdings for former employees to comply with pension or other legal requirements.
The DPL gives employees the right to access personal data held about them and to request that any inaccurate data be corrected or deleted. Employers will need to have policies and procedures in place to manage these requests. The new law also obliges employers to cease processing personal data once the purposes for which that data was collected have been exhausted. Prescribed data retention periods are not set out in the DPL, so an analysis will need to be undertaken to determine how long employee data should be kept.
Similarly, it will be important to evaluate how personal data can be securely deleted once the purposes for holding it have been fulfilled.
Data protection policies
The purpose of an employee data protection policy is to set out the conditions under which the employer will process personal data and ensure that everyone in the business is aware of their individual responsibilities and the employer’s expectations regarding privacy. If an individual suffers damage caused by an employer’s breach of its obligations under the DPL, he or she could potentially bring claims for breach of contract, constructive dismissal and any distress suffered. The individual could also report the matter to the Information Commissioner, the regulatory body responsible for enforcing the new law.
Ideally, the policy should identify a compliance manager who is responsible for reviewing, implementing and monitoring compliance with the policy. The policy should also briefly set out the measures taken by the employer to ensure that there are appropriate security measures in place to safeguard employee data and address how this will be protected if the employer intends to transfer employee data outside the Cayman Islands.
The Information Commissioner has extensive investigative powers, which include the power to enter onto premises and to require the furnishing of information and the production of documents. Following an investigation, if the Commissioner finds that a data user has contravened a requirement of the DPL, he may serve an enforcement notice on the data controller directing it to take the steps necessary to remedy the contravention. Refusing or failing to comply with such an order is an offence. Employers may be liable on conviction to a fine of $100,000 or imprisonment for a term of 5 years, or both. The Commissioner may also issue a monetary penalty order requiring the data controller to pay a monetary penalty of an amount up to $250,000, and has the power to “name and shame” data controllers for breaches of the DPL.
There is no general prohibition against an employer undertaking surveillance of employees in the Cayman Islands. An employer has a right to direct its employees’ work activities and for that reason the employer has a right to reasonably monitor such activities. However, any collection, use and storage of personal data must comply with the DPL.
A forward-thinking employer can put itself in a strong position to check and investigate facts for legitimate business reasons, including investigating grievances and poor performance or misconduct, by having a clear and easily accessible employee monitoring or technology use policy. In particular, the policy should explain that the use of the employer’s IT systems, including email, internet, telephones and mobile devices, may be monitored from time to time and employees should have no expectation of privacy when using those devices. Employers should also include a contractual right to monitor within the employment contract.
Before deciding whether to undertake employee monitoring, employers should consider:
a) an assessment of the risks that employee monitoring seeks to manage and the benefits to be derived from applying it to those risks, having regard to the purposes that relate to the business functions or activities of the employer;
b) alternatives to employee monitoring and a consideration of the range of options open to the employer that may be equally cost effective and practical in their application, yet less privacy intrusive; and
c) the accountability of the employer. It is the responsibility of the employer to implement privacy compliant data management practices in the handling of personal data obtained from employee monitoring.
CCTV surveillance and accessing employee emails will be permissible, provided the employer has carried out an assessment that such monitoring is necessary and that monitoring is conducted openly and in accordance with the monitoring policy. Employers should share the evaluation process they undertake with their employees. Such a gesture indicates the transparency of the process and informs employees of the rationale behind the monitoring. When considering whether collection was carried out by unfair means, the Information Commissioner is likely to look for evidence that an evaluation has been undertaken.
An employer that wishes to conduct covert monitoring of its employees must have a legitimate purpose which would be prejudiced by giving notification to the employees of the purpose of that monitoring. A good example would be the prevention or detection of crime or serious misconduct.
Recommended best practice would be for the employer to consider the range of options available to them before conducting covert monitoring and assess the potential impact such monitoring would have on the privacy rights of its employees. Where covert monitoring is carried out, the employer should keep detailed records of the discussions that led to that decision, in case those actions need to be explained and justified to the Information Commissioner at a later date.
For many employers, payroll processing and other back-office functions are now mostly digitized and are often delegated to external service providers. In an age where highly sensitive information can be exchanged at the touch of a button, data protection issues must be considered before any transfers of employee data are made to third parties. These transfers also leave employers vulnerable to cyber-attacks as criminals can easily identify and exploit weak links in the flow of information between an organization and its external providers. There is no substitute for proper due diligence on the systems, policies and procedures of those providers to ensure that personal data is handled appropriately and securely. Regular physical audits and independent testing of a service provider’s controls would also be advisable.
Contractual provisions should be put in place between the employer, as the data controller, and the third-party service provider, as data processor, to ensure that any employee personal data is processed only for authorized purposes, that all data is stored and transmitted securely and that disaster recovery practices are in place in the event of a data breach. Essentially, the contract should require the data processor to bring its policies and procedures for handling personal data up to a standard that ensures compliance with the DPL. Use of subcontractors by the service provider should be prohibited without the prior approval of the employer. Employee data that has been anonymised or aggregated by the employer before being transferred will still require careful handling. The rise of social media and the increase in online public data sources mean that cyber criminals are now easily able to “re-identify” individuals by combining that information with the anonymised or aggregated datasets.
The attraction of flexible working has led to a growth in the popularity of “bring-your-own-device” (BYOD) policies. While some organizations issue smartphones and tablets to their employees, in other organizations employees may be using their personal devices for business purposes without approval. Where BYOD is offered, a careful balance needs to be struck between employee satisfaction and protecting personal data. Organizations should put in place a clear BYOD strategy that sets out minimum do’s and don’ts for using a device. There should be a clear segregation of enterprise data, which should at all times be under the control of the employer. Data should be encrypted, and the employer should have the ability to remotely access, monitor and wipe the data and to prevent data access from third-party apps.
Data breaches that impact employee records present a particular threat due to the sensitive nature of the information held about employees. When employee data is targeted, it can have a more significant, longer-term impact than a stolen credit card number, which can be easily rectified with the card issuer.
Loss of usernames and passwords is also a concern, because this type of data can be used to defeat the employer’s authentication controls and gain access to other confidential information it holds. When employee data is breached, organizations need to work quickly to protect their employees and account for any lost company information. In the event of a data breach, the DPL requires the employer to notify both the Information Commissioner and the affected employee and to provide details of the breach within five days.
Protecting personal data is now business critical for employers in Cayman. Even if monetary losses are not sustained as a result of personal data being mishandled, the reputational damage to an organisation following a breach of the new law could be devastating.
Kathryn Rowe is a Senior Associate specializing in contentious and non-contentious employment work. Peter Colegate is a Senior Associate specializing in data privacy, technology regulation and FinTech. Kathryn and Peter are both based in Appleby’s Cayman Islands office.