We intend to provide a wide range of resources to help you understand Data Protection and comment on the draft Bill. So far, this section includes some background on the creation of the Data Protection Working Group ("DPWG"), a summary of the Data Protection Framework created by the European Union, an introduction to the Briefs that we will be making available over the coming months, and a number of links to other useful web sites.
In 2009, the Governor-in-Cabinet established a Data Protection Working Group, with representatives from both the public and private sectors, to make recommendations for the introduction of data protection legislation in the Cayman Islands.
After considerable research, it was decided to base the draft Cayman Islands’ bill on the Data Protection (Jersey) Law 2005 (the “Jersey Law”); however, the DPWG has also addressed many international criticisms of the United Kingdom’s Data Protection Act upon which the Jersey Law is based. These criticisms are primarily that the UK (and by extension, Jersey) legislation has not fully implemented certain provisions of European Union Directive 95/46/EC. The DPWG has also reviewed the current dialogue within the European Commission and elsewhere regarding modernising the approach to personal data and privacy and, where appropriate, has attempted to anticipate likely changes to the Directive under which the Cayman Islands will seek approval of its data protection regime. Finally, the DPWG has sought to improve upon the Jersey Law by clarifying and simplifying much of the wording and by restructuring sections or whole parts of that Law.
Therefore, although the draft Bill is still based largely on the Jersey Law, there have been many changes, including:
Members of the DPWG have worked diligently to make certain the draft Data Protection Bill advances the data protection principles and ensures meaningful and effective legal protection of personal data and individual rights without being overly-bureaucratic or burdensome on Government or the private sector. It now seeks feedback from all sectors of the community.
The following data protection principles are contained in Schedule 1 to the draft Data Protection Bill. They arise from the EC framework and are similar to the principles for the protection of personal data that were first espoused in the OECD Guidelines Governing the Protection of Privacy and Trans-Border Flows of Personal Data (1980) and upheld in the Council of Europe’s Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (1981) prior to Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data being issued by the EC.
These principles ensure that evolving technology and innovative practices cannot circumvent the requirements of the legislation. Each data controller is accountable for complying with these principles for all personal data that are held by that data controller.
The right to privacy was first recognised as a fundamental human right in Article 12 of the 1948 Universal Declaration of Human Rights. This right is also acknowledged in the 1950 European Convention on Human Rights and Fundamental Freedoms and the 1966 United Nations International Covenant on Civil and Political Rights.
Each of these broad-based international agreements clearly states that no one should be subjected to arbitrary or unlawful interference with his or her privacy, family, home or correspondence, or to attacks upon his or her honour and reputation. In general, privacy speaks to the integrity of an individual, encompassing social needs and not only privacy of the person, but also privacy of personal behaviour, personal communications, and personal data.
Data protection is a mechanism to ensure the right to privacy and protect human dignity. It encompasses both social and political values and centres on the right of an individual to expect privacy in the collection and sharing of data, particularly where information being processed is associated with unique individuals. But data protection is not only about privacy and individual rights; legislation is important to regulate information. As technology continues to advance and people develop new uses for personal information, data protection facilitates business and governmental activities in this innovative and increasingly globalised world.
Europe has led efforts to protect individual privacy through strict rules about the use of personal information and empowerment of individuals when it comes to controlling their own personal information. The Council of Europe addressed the issue of personal information the very year it was established in 1949. This drive developed in part from the horrific experiences of World War II and the Cold War with totalitarian governments who abused personal information and used it to carry out atrocities. Europeans treat privacy as a significant and fundamental human right and the legal regime for data protection is unique because of its expansive nature, featuring active oversight and enforcement of laws that cover public and private sectors and all types of data use.
The notion of data protection became more widespread in the 1970s when technological advancements created new ways to electronically collect and use personal data with little regard for the rights of individuals. Efforts eventually led to the Convention for the Protection of Individuals with Regard to the Automatic Processing of Personal Data that was adopted in 1980. The Convention set out basic privacy principles and closely resembled the Guidelines Governing the Protection of Privacy and Trans-Border Flows of Personal Data that were developed by the Organisation for Economic Co-operation and Development around that same time.
Following the Convention, Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data (often referred to as “the Data Protection Directive”) was proposed by the European Commission in 1995. It created a standard framework which allowed each country to develop legislation to provide the accepted minimum level of data protection.
This standard framework was also important in promoting trade within the European Union common market, as it aligned regulations across each member state and ensured that personal data could flow freely across borders without further safeguards being necessary.
The European Commission is empowered by the European Council and Parliament to determine, on the basis of the Data Protection Directive, whether a country outside of its membership ensures an adequate level of data protection. As personal data cannot be transferred between countries if the receiving country has inferior safeguards, this approval would allow personal data to flow between the Cayman Islands and European Union member states, European Economic Area member countries and other approved third countries without further safeguards being necessary.
For more information see the European Commission website.
Throughout the public consultation period the Data Protection Working Group and Information Technology Sub-Committee will publish briefs on specific issues arising from the draft Data Protection Bill 2012.
These briefs will highlight certain practical implications that should be considered and draw attention to the ways in which the Bill could impact individuals and businesses. They will not be authoritative interpretations of the draft Bill and will not comprehensively address all potential issues or advise on how to comply with the provisions should the Bill be passed into Law in its current form.
Brief #1: Information Security & the Data Protection Bill by Steve Smith, IT Risk Manager, Walkers
You may find the following links useful:
Last Updated 2015-05-08