The invasiveness of these measures varies from jurisdiction to jurisdiction. While governments may be able to rely on national security or public interest exemptions under local data protection laws to collect and share personal data during times of crisis, individuals are increasingly concerned about how their personal data may be used, with whom it may be shared and the impact on their rights. The spectre of stigmatisation has already been evident. There is also a longer-term concern around how some of these increased collection measures will be “rolled back” once the crisis ends or if they will be reduced at all.

Data Protection Rights and Obligations

Under Cayman’s Data Protection Law (DPL), personal data must be processed fairly and lawfully and used for a legitimate purpose that has been notified to the individual. Personal data holdings should not be excessive in relation to the purposes for which they are collected and should be securely purged once those purposes have been fulfilled. If personal data is processed for any new purposes, this processing can only be undertaken if there is a legitimate purpose for doing so which has been notified to the affected individual.

The DPL gives individuals the right to access personal data held about them and to request that any inaccurate data is corrected or deleted. Businesses are obliged to cease processing personal data once the purposes for which that data has been collected have been exhausted. Data retention periods are not prescriptive but each data controller must determine for how long data should be kept and ascertain how it might be securely deleted once the purposes for holding it have been satisfied, in this case, once the crisis ends.

Where personal data is shared between parties, contractual or other provisions should be put in place between the data controller and the third party processor to ensure that any personal data is processed only for authorised purposes, that all data is stored and transmitted securely and that incident response plans are in place in the event of a data breach. Use of subcontractors by the service provider should be prohibited without the prior approval of the data controller, particularly where international transfers of data are involved.

Post-Lockdown Considerations

As lockdown restrictions are eased and workplaces and other locations begin to reopen, employers and organisations will need to put appropriate measures in place to keep people safe. Those measures are likely to further impact the use of personal data. Some of the most frequently asked scenarios are considered below.

Can I use temperature checks or thermal cameras to monitor staff and members of the public for symptoms?

The DPL does not prevent you from taking steps to keep your employees and the public safe but it does require you to be responsible with people’s personal data and ensure it is handled with care. As you will be processing information that relates to an identified or identifiable individual, you need to comply with the DPL. Personal data that relates to health is classed as ‘sensitive personal data’ so it must be even more carefully protected.

When considering the use of more intrusive technologies, especially for capturing health information, you need to give thought to the purpose and context of its use and be able to make the case for using it. Any monitoring of employees needs to be necessary and proportionate, and in keeping with their reasonable expectations. You should also think about whether you can achieve the same results through other less privacy intrusive means. If so, then the monitoring may not be considered proportionate.

Protecting legitimate business interests and providing a safe working environment for employees are likely to be appropriate legal grounds for carrying out testing as long as you are not collecting or sharing irrelevant or unnecessary data.

How often should I check for symptoms?

This will depend on the social distancing and other measures that your organisation needs to put in place. Any testing of your staff, and subsequent processing of their health information, should be reasonable and proportionate to the circumstances including their role.

As an employer, and a data controller for your employees’ health information, you will need to decide the appropriate timescale between tests. For front line staff who interact with the public, more regular testing may be appropriate.

You also have a responsibility to ensure that you hold accurate personal data. The health status of an individual may change over time, so if you record the test results, you should ensure those records are accurate by including the date and time of the result. Any decisions to send staff home or otherwise impact their employment should be based on factually accurate information.

Can I keep lists of employees who have symptoms or have been tested as positive?

Yes. If you need to collect specific health data about employees, you need to ensure the use of the data is actually necessary and relevant for your stated purpose. You should also ensure that the data processing is secure, and consider any duty of confidentiality owed to employees.

As an employer, you must also ensure that such lists do not result in any unfair or harmful treatment of employees. For example, this could be due to inaccurate information being recorded, or a failure to acknowledge an individual’s health status changing over time.

These lists should only be retained for a short period and should not be used for any other purposes.

How do I ensure I don’t collect too much data?

For sensitive personal data, such as health data, it is particularly important to only collect and retain the minimum amount of information you need to fulfil your purpose.

In order to not collect too much data, you must ensure that it is:

  • enough to properly fulfil your stated purpose;
  • relevant and has a sensible link to that stated purpose; and
  • limited to what is necessary – you should not hold more data than you need to fulfil that purpose.

Can I use recorded CCTV footage to assist with contact tracing?

The analysis of CCTV footage could assist with contact tracing. You should assess whether this is necessary in the specific circumstances and consider speaking to the individuals who would be affected and to provide advice on appropriate measures such as self-isolation. Analysis of CCTV footage could reveal sensitive aspects of an individual’s behaviours and relationships. Employees have legitimate expectations that they can keep their personal lives private. This approach for employees should therefore be considered in the context of your existing employee monitoring policy.

Privacy should not be a casualty

As a result of the coronavirus, most people accept and appreciate the need for extraordinary measures to protect the vulnerable. The measures being developed in response to the virus must take privacy issues into account, have one eye on the long term use of the data being collected, and ensure privacy is not another casualty of the crisis.

Appleby will launch its Offshore Data Protection Guide on July 8th, providing a detailed overview of the data protection and cyber security regimes in eight of the world’s largest offshore jurisdictions. As the first dedicated offshore data protection publication, this guide will provide quick linked answers to some of the most business critical issues. For more information on the guide, or to be added to the distribution list, contact us.

Locations

Cayman Islands

Services

Corporate

Sectors

Privacy & Data Protection, Banking & Financial Services

Type

Insight

Share
X.com LinkedIn Email Save as PDF
More Publications
Appleby-Website-Dispute-Resolution-Practice
21 Nov 2024

Privy Council clarifies Cayman Islands law on shareholder standing to bring personal claims against a company alleging that shares were allotted for an improper purpose

In a recent decision, overturning the Cayman Islands Court of Appeal, the Privy Council has provided...

David Lee
Crystal Au-Yeung
David Lewis-Hall
Damon Booth
David Lee, Crystal Au-Yeung, David Lewis-Hall, Damon Booth
Appleby-Website-Arbitration-and-Dispute-Resolution
14 Nov 2024

Legal 500: A Comparative Guide to International Arbitration

A Legal 500 Guide to Arbitration provides a country specific Q&A overview of international arbitrati...

Appleby-Website-Dispute-Resolution-Practice
7 Nov 2024

Charting New Territory: How England’s Digital Assets Framework Can Guide Cayman Islands Law

The Law Commission of England and Wales’ Supplemental Report entitled “Digital Assets as Persona...

Alan Bercow
Charlotte Walker
Shari Walton-Rankin
Alan Bercow, Charlotte Walker, Shari Walton-Rankin
Appleby-Website-Fraud-and-Asset-Tracing
9 Oct 2024

Court of Appeal clarifies the merits threshold for the grant of freezing injunctions

What is a “good arguable case”? Alan Bercow looks at the Court of Appeal decision in Isabel dos ...

Alan Bercow
Alan Bercow
The Global Website header
7 Oct 2024

The Global – your offshore corporate law questions answered: October 2024

The Global is a quarterly collection of corporate expert insights and analysis across Appleby's glob...

Duncan Card
Christophe Kalinauckas
Matt Mulry
Duncan Card, Christophe Kalinauckas, Matt Mulry
Appleby-Website-Dispute-Resolution-Practice
3 Oct 2024

D’Aloia v Persons Unknown: Words of Warning for Cryptoexchanges and Implications for Victims of Crypto Fraud

In a recent judgment in D’Aloia v Persons Unknown, the High Court of England and Wales provided v...

Alan Bercow
Charlotte Walker
Jae Shin
Alan Bercow, Charlotte Walker, Jae Shin
Appleby-Website-Regulatory-Practice
2 Oct 2024

What Are the Duties of the Anti-Money Laundering Officers of a Cayman Fund?

All Cayman Islands funds are required to designate a natural person at managerial level as their Ant...

Matt Mulry
Matt Mulry
Appleby-Website-Regulatory-Practice
1 Oct 2024

Preparing for a Cayman Islands Monetary Authority Inspection

One of the most common ways in which CIMA assesses compliance with its regulatory framework is throu...

Simon Raftopoulos
Miriam Smyth
Menelik Miller
Maree Martin
Simon Raftopoulos, Miriam Smyth, Menelik Miller, Maree Martin
Appleby-Website-Dispute-Resolution-Practice
30 Sep 2024

Navigating access to the Court File: Abraaj-related ruling confirms Cayman’s commitment to the open justice principle, but gives rise to uncertainty on the scope of documents that may be accessed

Whilst the recent decision of Segal J in the Grand Court in relation to access to the Court file is...

David Lee
Shari Walton-Rankin
David Lewis-Hall
David Lee, Shari Walton-Rankin, David Lewis-Hall
Appleby-Website-Fraud-and-Asset-Tracing
26 Sep 2024

Knowledge is key: Accessory Liability for a Strict Liability Offence Clarified

Why the UK Supreme Court’s clarification in Lifestyle Equities of accessory liability of directors...

John McCarroll SC
Charlotte Walker
Zuhair Farouki
John McCarroll SC, Charlotte Walker, Zuhair Farouki