DATA PROTECTION OVERVIEW
The BVI Data Protection Act (DPA) was passed in April 2021 and came into full force on 9 July, 2021.
Drafted around a set of EU-style data protection principles to which data controllers must adhere, personal data must be collected in a fair and transparent manner and only be used and disclosed for purposes properly understood and agreed to by data subjects. Any personal data collected must be adequate, kept up-to-date and should not be retained for longer than is necessary to fulfil the collection purposes.
Importantly, the DPA provides a standard framework for both public and private entities in the management of the personal data they use. Internationally active organisations will find many similarities between the DPA and data protection laws of other jurisdictions where they are active but there are some key differences. The DPA provides a lighter touch approach to data protection regulation than other jurisdictions in the region.
Personal data
The DPA adopts similar definitions to those found in most EU data protection laws.
Personal data: drafted widely, means any information in respect of commercial transactions that relates directly or indirectly to a data subject, who is identified or identifiable from that information, or from that and other information in the possession of a data user, including any sensitive personal data and expression of opinion about the data subject.
Commercial transaction: means any transaction of a commercial nature, whether contractual or not, which includes any matters relating to the supply or exchange of goods or services, agency, investments, financing, banking and insurance.
Data controller: the person who, alone or jointly with others, processes any personal data, or has control over, or authorises the processing of any personal data.
Where an organisation is not established in the BVI but will nevertheless process personal data in the Islands (otherwise than for the purposes of transit) it must nominate a local representative controller and identify them in the privacy notice. The local representative must be established in the BVI and will bear all obligations of a data controller under the DPA.
Data subject: an individual who is the subject of the data, whether living or deceased.
Data processor: any person who processes personal data on behalf of a data controller, excluding employees of the data controller.
Sensitive personal data: includes data regarding the data subject’s physical and mental health, sexual orientation, political opinions, religious or other beliefs and commission or alleged commission of a criminal offence.
Interestingly, the DPA does not classify the racial and ethnic origin of a data subject as sensitive personal data. Biometric data (generally, information relating to an individual’s physical, physiological or behavioural characteristics) is also not separately protected under the DPA.
Collecting personal data
When collecting personal data, data controllers must provide the data subject with a description of:
- the purposes for which the personal data is to be processed by or on behalf of the data controller;
- the source of that personal data;
- the data subject’s right to request access to and to correction of the personal data;
- how to contact the data controller;
- the class of third parties to whom the data controller may disclose the personal data;
- whether it is obligatory or voluntary for the data subject to supply the personal data;
- where it is obligatory to supply the personal data the consequences of failing to do so.
The DPA is not specific, but best practice would suggest that this information be provided within a separate privacy notice, at each point of data capture, so that the data subject can make a clear, informed decision as to whether to proceed.
Perhaps uniquely for a framework built on EU principles, the DPA places a reliance on data subject “express consent” before the processing or disclosure of personal data, although other grounds for processing personal data are permitted. Unhelpfully, the DPA does not define “express consent”. Hopefully this will be addressed in any accompanying regulations.
What constitutes valid consent?
Consent must be express. Best practice would require some form of affirmative action on the part of the data subject to confirm consent.
Processing personal data
“Processing” in relation to personal data, includes obtaining, recording, holding, organising, adapting or altering data, disclosing the data by transmission, dissemination or otherwise making it available, blocking, erasing or destroying data.
Broadly, personal data can only be processed by a data controller for the purposes notified to the data subject on or before the collection of the data. Data controllers must process personal data in a secure manner. The DPA leans heavily on the requirement for data subject consent as a legal basis for processing. There is also no “legitimate interest” basis for processing under the DPA.
In addition to consent, other legal grounds for processing personal data include:
- for the performance of a contract or to enter into a contract;
- compliance with legal obligations;
- to protect the vital interests of the data subject;
- the administration of justice;
- in accordance with any other laws.
Prior to the processing of sensitive personal data the data controller must satisfy an additional condition, including: obtaining separate explicit consent, only using the data if it is necessary for the performance of an employment contract, protecting a data subject’s vital interests or for any legal proceedings.
Where processing of personal data is carried out by a third-party data processor on behalf of a data controller, the DPA requires that reasonable steps be put in place between the two parties to ensure that the data processor can keep the data secure.
Retention and Destruction of Personal Data
Data controllers and processors must ensure the personal data they hold is accurate and is not kept for longer than necessary to fulfil the original collection purpose. Prescribed data retention periods are not specified in the DPA, but an analysis should be undertaken to determine for how long data should be kept. Similarly, it will be important for both data controllers and data processors to evaluate how personal data can be securely purged once the purposes for holding it have been fulfilled by the organisation.
Accessing personal data
Data subjects are entitled to request access to their personal data. The data access request must be made in writing to the data controller, who is entitled to charge a reasonable fee for responding. Following receipt of the written request and fee, the data controller is required to respond within 30 days. The data controller can request a further period of time to respond to the request, provided that this request is notified to the data subject within the initial 30-day period.
While there is no requirement under the DPA to disclose the document which holds the personal data, the requested information needs to be provided to the data subject in an “intelligible form”.
Law Enforcement
Consent is not required for the processing of personal data in connection with:
- the prevention, detection or investigation of a crime;
- the apprehension or prosecution of offenders;
- the assessment or collection of any fees or duty;
- disclosures for the purposes of journalism, literature and art.
International transfers of personal data
The BVI has not yet achieved “adequacy” status from the EU.
Transfers outside the BVI are permitted, but personal data shall not be transferred to a country or territory that does not ensure an adequate level of protection for the processing of personal data unless the data subject has given express consent.
The DPA does not refer to a mechanism for ensuring adequate safeguards. We anticipate that accompanying regulations will approve the use of EU standard contractual clauses for such transfers.
How is direct marketing regulated?
Under the DPA, direct marketing means the communication, by whatever means, of any advertising or marketing material which is directed to particular individuals.
Prior express consent is not required, but data subjects have the right to unsubscribe from receiving direct marketing materials at any time and data controllers need to comply with that request within three days.
What rules apply to the monitoring of employees in the workplace?
There are no specific restrictions on employee monitoring under the DPA. Best practice would be for the employer to carry out a privacy impact assessment and evaluate less intrusive approaches to achieving the monitoring objectives. Employers should draft and communicate a written monitoring policy to affected employees explaining the purposes of the monitoring and the types of personal data being collected.
Can telephone calls be recorded?
Calls can be recorded, but as personal data may be collected during the call, the caller needs to be notified at the start that the conversation may be recorded and should be given the opportunity to review the organisation’s privacy policy before the call proceeds. This can best be achieved by recording a copy of the privacy policy and directing the caller to listen to the policy before the call is connected.
What rules apply to the recording of CCTV footage?
To the extent that CCTV may capture personal data, its use will be regulated by the DPL. The Cayman Islands’ government issued a code of practice on the use of CCTV in July 2011 but it is anticipated this code will be revised to reflect the DPL’s requirements.
To ensure any personal data collected via CCTV is not excessive or goes beyond the original purposes for its collection, consideration should be given to the location of all cameras and their angles of recording. CCTV footage should be kept secure and for no longer than required to fulfil the collection purpose. Prior to providing access to any footage as part of a subject access request, careful consideration should be given as the footage may include third parties who may be personally identifiable from the images.
Particular care should also be taken if CCTV is used as part of any employee monitoring process, which would need to be disclosed to employees in advance.
Enforcement
The FSC and the BVI Courts will be tasked with enforcing confidentiality-related matters, pending promulgation of appropriate data protection legislation.
Data controllers are not required to register with or notify the BVI authorities, and presently there is no requirement for the appointment of data protection officers, although appointing one is recommended best practice.
What are the penalties for non-compliance with the DPA?
Refusal or failure to comply with an order issued by the Information Commissioner is an offence.
The data controller is liable on conviction to a fine of up to US$100,000, or imprisonment for up to 5 years, or both.
Where sensitive personal data is processed without a legal ground for doing so, the data controller is liable on conviction to a fine of up to US$200,000 or imprisonment for up to 2 years.
Where an offence has been committed by a body corporate, a director, company secretary, or similar officer could be held liable. Corporate bodies face fines of up to US$500,000.
The DPA contains provisions to protect whistleblower employees from being dismissed.
A data subject who suffers damage may institute proceedings in the civil court. It is a defence for both private and public bodies to demonstrate that they took such care as was reasonably required in the circumstances.
Do any specific technical or organisational security measures need to be implemented?
The DPA requires that practical steps are taken to protect personal data from any loss, misuse, modification, unauthorised or accidental access or disclosure, alteration or destruction. Specific technical standards are not prescribed under the DPA.
Who needs to be notified in the event of a data breach?
Surprisingly, there is no requirement under the DPA for a data controller to report a data breach to anybody.
CYBERSECURITY
The Computer Misuse and Cybercrime Act, 2014, prohibits, among other things, the unauthorised access and use of data held on a computer or any computer service, and the knowing disclosure of passwords or other means of access to a computer with a view to causing loss or gain, or for any unlawful purpose. Neither this legislation nor any other legislation in the BVI contains any mechanism or requirement to report data security breaches. However, notification is recommended where there is a risk of harm to the data subject as a result of the breach, not least from a relationship-management perspective.
Reviewed for accuracy [MARCH 2023]