Cabinet Office External Privacy Notice

1. Scope

The Cayman Islands Government (“CIG”) Cabinet Office (the “Cabinet Office”), the Cabinet, the National Security Council, and the Council for the Order of the Cayman Islands (the “COCI”) respect your privacy and take care in protecting your personal data. As data controllers, we comply with the Cayman Islands Data Protection Act (2021 Revision) (the “DPA”). This privacy notice (“Privacy Notice”) demonstrates our commitment to ensuring your personal data are handled responsibly.

This Privacy Notice applies to the Cabinet Office, the Cabinet, the National Security Council and the COCI, who are each data controllers with respect to the personal data processed in the exercise of their respective functions, including under the Cayman Islands Constitution Order 2009 (the “Constitution”) and various enactments.

• The Cabinet Office is established under section 48 of the Constitution to support the Governor, Premier, Cabinet and National Security Council. The Cabinet Office as a data controller includes the Policy Coordination Unit, Information Rights Unit, Innovation Unit, Protocol Office, Celebrate Cayman, Cabinet Secretariat, and finance and human resources functions. The Cabinet Office is headed by the Cabinet Secretary, whose public office is also established in section 48 of the Constitution with responsibilities that include providing policy advice, coordinating the development and implementation of policy across the public sector, providing administrative and secretarial support for the Cabinet and the Premier, and arranging the business for and keeping the minutes of the Cabinet and the National Security Council.
• The Cabinet, established under section 44 of the Constitution, is composed of the Governor, Premier, Deputy Premier, six additional Ministers, and two non-voting ex-officio members – the Deputy Governor and the Attorney General. The Cabinet is chaired by the Governor and responsible for formulating and directing the implementation of policy related to every aspect of government, with the exception of the Governor’s special responsibilities. The Cabinet also has powers and functions under various enactments which may require the processing of personal data, including to make decisions about individuals.
• The National Security Council functions as an advisor to the Governor on matters relating to internal security, with the exception of operational and staffing matters. It is established under section 58 of the Constitution and is composed of the Governor, as Chair, the Premier, two other Ministers, the Leader of the Opposition or his or her designate, two persons representative of civil society, the Deputy Governor (ex officio), the Attorney General (ex officio) and the Commissioner of Police (ex officio).
• The Council for the Order of the Cayman Islands is established under section 4 of the National Honours and Awards Act (2021 Revision). The COCI is responsible for considering nominations for the various levels of the Order of the Cayman Islands, a society of honour established under section 3 of the same Act.

In addition to being a data controller with respect to the personal data it processes in respect of its own functions, the Cabinet Office is also a data processor with respect to the personal data it processes on behalf of the Cabinet, the National Security Council, and the COCI, more particularly pursuant to sections 48(4) and 58(11) of the Constitution and pursuant to section 4A of the National Honours and Awards Act (2021 Revision).

In the remainder of this Privacy Notice, and save where the context makes clear that there is a different intention, the “Cabinet Office” is to be read as including the Cabinet, the National Security Council and the COCI.

This Privacy Notice does not apply to the Cabinet Office as a Civil Service Entity when we are processing personal data relating to our employees, who are covered under our Employee Privacy Notice. This Privacy Notice also does not apply to the operations of the Office of the Premier, the Immigration Appeals Tribunal, the Refugee Protection Appeals Tribunal, the National Council for Persons with Disabilities, the Council of Older Persons, the Department of Communications, Radio Cayman, Hazard Management Cayman Islands, or the National Weather Service. While these statutory bodies and CIG departments are supported by, and/or part of, the Cabinet Office’s broader portfolio of responsibilities, each is a separate data controller and maintains its own privacy notice. 

 

2. What Personal Data We Collect

The Cabinet Office collects personal data, including sensitive personal data, directly from you and may also collect your personal data indirectly from third party sources. Personal data collected by the Cabinet Office is limited to what is necessary for our processing activities.

In this Privacy Notice, personal data includes any data relating to an identified or identifiable living individual and includes your name, contact details, job title and responsibilities, educational and/or employment history, medical data, data about your physical or mental health, criminal offence data, opinions about you, any expressions of opinion you may share with us, and any indication of the Cabinet Office’s intentions in relation to you.

Personal data we collect directly from you

The Cabinet Office may collect the following information directly from you:

         a. Personal data you provide through websites maintained by the Cabinet Office, including publicconsultation.gov.ky, celebratecayman.ky and seafarersregistry.ky which may include:

                  i. Personal data provided within comments and questions, including your name and/or email address if you provide these details in our web forms. If you ask questions about our public services and programmesor provide information about your relationship with us, this may also reveal other personal data, e.g. your employment status, health information, or family relationships;

                  ii. Your email address and subscription preferences if you sign up for our newsletters or notifications, and how you utilise our emails, including whether you open them and which links you click; and

                  iii. Your Internet Protocol (“IP”) address, details of which device or version of web browser you used to access our website content, and other information about how you used our website;

         b. Personal data you provide when you visit the Cabinet Office premises at the Government Administration Building in Grand Cayman and other locations; contact us by email, by telephone or through our social media channels; or access our various programmes and services, including our online services;

         c. Personal data you provide when you become a member of a public sector community of practice supported by the Cabinet Office or take on a role that works closely with one of our sections or units, e.g. policy practitioners and senior leaders in the CIG, Personal Assistants to Cabinet Ministers and other local dignitaries, Information Managers appointed under the Freedom of Information Act (2021 Revision), Data Protection Leaders appointed under the CIG Privacy Policy, and Protocol Liaison volunteers;

         d. Personal data that you provide when you inquire about or apply for a job with the Cabinet Office, including one of the departments within the Cabinet Office’s broader portfolio of responsibilities. If you apply for a job with the Cabinet Office via the CIG e-recruitment platform, an additional privacy notice is available here: https://careers.gov.ky/application/custom/English/privacy-statement.html;

         e. Any information you choose to provide when interacting with the Cabinet Office and its various sections and units on social media platforms, including the Facebook page maintained by the Protocol Office, @CaymanIslandsProtocol ; and pages maintained by Celebrate Cayman on Facebook @CelebrateCayman, Instagram @celebratecayman and X (formerly known as Twitter) @celebratecayman; and

         f. Any other personal data where the collection is necessary to achieve our lawful purpose(s).

Personal data collected from other sources

The Cabinet Office may also collect your personal data from other sources, including:

         a. A CIG Ministry, Portfolio or Office that is making a submission to the Cabinet or to the National Security Council that includes your personal data because this submission is necessary for the Cabinet or for the National Security Council to be informed about, or to determine, a specific matter within its remit;

         b. The CIG Department of Facilities Management, if your personal data were collected via CCTV or other monitoring and security mechanisms used at the Government Administration Building in Grand Cayman and your personal data are then lawfully disclosed to the Cabinet Office for a legitimate purpose, e.g. where this disclosure is necessary to investigate a potential breach of the law or a security incident; 

         c. A member of your family or some other person who is closely connected to you, who may provide us with your personal data along with their own personal data, e.g. if you are the dependent of a successful job candidate and you are entitled to receive healthcare benefits under their Employment Agreement;

         d. Your employer, who may provide us with your personal data if they are a supplier or contractor or if they have some other relationship with the Cabinet Office where this would be required, e.g. your resume may be provided to us as part of your employer’s response to a request for proposals for consultancy services;

         e. Your Personal Assistant or other colleague may provide us with your personal data when requesting protocol services on your behalf, including transportation courtesies and local and international travel and airport courtesies for Members of Parliament and other local and international dignitaries;

         f. Your manager or other colleague may provide us with your name, job title, official contact details and other personal data if you are part of a community of practice supported by the Cabinet Office or in a role that works closely with one of our sections or units, e.g. policy practitioners, Personal Assistants to Cabinet Ministers and other local dignitaries, Information Managers appointed under the Freedom of Information Act (2021 Revision) and Data Protection Leaders appointed under the CIG Privacy Policy;

         g. An individual who chooses to nominate you to be admitted to any level of the Order of the Cayman Islands or to receive any other award or other recognition where the Cabinet Office manages the nomination and/or selection process, e.g. National Heroes Day awards; and

         h. Any other personal data where the collection is necessary to achieve our lawful purpose(s).

 

3. How We Use Your Personal Data

The purpose of the Civil Service is to make the lives of those we serve better. We are dedicated to supporting the elected government by delivering caring, modern and customer-centred public services and programmes, which deliver value for money. The Cabinet Office may use your personal data for the following purposes:

         a. Implementing policies, providing services and programmes, and managing your relationship with us;

         b. Carrying out our functions under the Constitution as well as our functions under various enactments, including but not limited to the National Honours and Awards Act (2021 Revision) read with the National Honours and Awards Regulations, 2020 and National Honours and Awards Regulations, 2021, and the Coat of Arms, Flag and National Song Act (2005 Revision);

         c. Where the Cabinet is exercising its powers, carrying out its functions or receiving information pursuant to various enactments, including but not limited to the Customs and Border Control Act (2024 Revision), the Disaster Preparedness and Hazard Management Act (2019 Revision), the Firearms Act (2008 Revision), the Immigration (Transition) Act (2022 Revision), the Legal Practitioners Act (2022 Revision) read with the Legal Practitioners (Students) Regulations (2018 Revision), the Notaries Public Act (2023 Revision), the Official Gazette Act (1997 Revision), and the Public Management and Finance Act (2020 Revision);

         d. Managing appointments to various boards, committees, commissions, councils, tribunals, working groups and other statutory bodies or groups where the Cabinet has the authority to appoint and re-appoint individuals to serve in various capacities and/or to revoke or terminate individual appointments;

         e. Responding to your enquiries;

         f. Verifying your identity;

         g. Measuring how users interact with the Cabinet Office’s website and continually improving our communications channels (including by aggregating personal data collected using cookies);

         h. Communicating and interacting with website visitors;

         i. Communications and public relations activities, including sending you marketing communications;

         j. Managing accounts payable and receivable, preventing fraud, and protecting public funds;

         k. Statistical and other reporting, both internally and externally;

         l. Seeking legal advice, and exercising or defending legal rights;

         m. Complying with our legal obligations, including all legislation that applies across the public sector, e.g. legislation that provides for records and information management, procurement, human resource management, financial management, audit, and similar functions and activities; and

         n. Communicating and interacting with job applicants and related third parties (e.g. references) and carrying out recruitment and selection processes for vacancies within the Cabinet Office portfolio.

 

4. How We Share Your Personal Data

The Cabinet Office may share your personal data as required, including under applicable legislation, with recipients that include joint data controllers, our data processors, and third parties. For the avoidance of doubt, this data sharing may be between public authorities as data controllers, or one public authority may serve as a data processor. This includes data sharing between the persons listed in section 1 of this Privacy Notice.

We will only share your personal data as permitted by the DPA. Your personal data may be shared with the following recipients, including recipients that support our public functions and operations:

         a. With other public authorities: Personal data may be shared with other public authorities – here, “public authorities” means Ministries, Portfolios, Offices, Departments, Statutory Authorities, Statutory Bodies and Government Companies – for the purposes set out in this Privacy Notice.

         b. With data processors external to the CIG: Personal data may be shared with persons providing services to the Cabinet Office as a data processor in compliance with the DPA. When they are acting as data processors, these service providers are only able to use personal data under our instructions. We engage data processors for a variety of processing activities, which may include:

                         i. Webhosting;

                         ii. Information Technology;

                         iii. Records and Information Management, including storage facilities and shredding companies;

                         iv. Communications;

                         v. Events management; and

                         vi. Security operations and fraud prevention.

         In limited circumstances, service providers who act as data processors for the Cabinet Office may also act as a separate data controller in relation to their own purposes for processing your personal data, e.g. to provide customer support, or for analytics or machine learning in order to improve their services. These are unrelated to the purposes for which the Cabinet Office processes your personal data and should be clearly and directly disclosed to you by the service provider through their own separate privacy notice. However, you may contact us to ask about our current service providers and specific instances, if any, that we are aware of where your personal data may be processed for a service provider’s own purposes.

        c. With legal advisors and other persons if required by law or in relation to legal proceedings or rights: Personal data may be disclosed as legally required, for the purpose of or in connection with proceedings under the law, if necessary to obtain legal advice, or if the disclosure is otherwise necessary to establish, exercise or defend legal rights. This may include disclosing your personal data for the following purposes:

                         i. Seeking legal advice;

                         ii. Exercising or defending legal rights;

                         iii. Complying with internal and external audits or investigations by competent authorities; and

                         iv. Complying with information security policies or requirements.

         d. With other third parties: Personal data may be disclosed to other third-party recipients for the purposes set out in this Privacy Notice and in accordance with the DPA.

 

5. Our Legal Bases for Processing Your Personal Data

Depending on applicable laws and other circumstances, the Cabinet Office will rely on specific legal bases, or “conditions of processing”, under the DPA to process your personal data. These may include:

         a. A legal obligation to which the Cabinet Office is subject, including under the:

                         i. Procurement Act (2023 Revision) and Procurement Regulations (2022 Revision),

                         ii. Public Management and Finance Act (2020 Revision) and Financial Regulations (2024 Revision),

                         iii. Public Service Management Act (2018 Revision) and Personnel Regulations (2022 Revision),

                         iv. Data Protection Act (2021 Revision) and Data Protection Regulations, 2018, and

                         v. National Archive and Public Records Act (2015 Revision) and National Archive and Public Records Regulations, 2007;

         b. To exercise public functions, including:

                         i. the Constitutional and other functions of the Cabinet Office, the Cabinet Secretary, the Cabinet and the National Security Council as described in section 1 of this Privacy Notice, 

                         ii. leading and coordinating Freedom of Information and Data Protection across the public sector,

                         iii. showcasing Caymanian culture and heritage through various initiatives,

                         iv. providing protocol services and courtesies to the CIG and to the wider community, and

                         v. coordinating ceremonial and official events, including National Heroes Day, Remembrance Day, the King’s Birthday, Official Funerals and Inaugurations.

         c. To perform or enter into a contract with you, e.g. as a supplier to the Cabinet Office or as the successful candidate following a recruitment process for a vacancy within the portfolio;

         d. To protect your vital interests, e.g. if you experience a medical emergency during a ceremonial or official event coordinated by the Cabinet Office;

         e. Consent, e.g. to send you marketing communications or to administer certain surveys and polls; and

         f. For the purposes of legitimate interests pursued by the Cabinet Office or by a third party to whom the personal data may be disclosed, e.g. when publishing photographs and videos taken at ceremonial and official events on our social media channels, or when disclosing records containing third party personal data in response to a request submitted under the Freedom of Information Act (2021 Revision).

Where we process your sensitive personal data, we will also meet a second legal basis. These may include:

         a. To exercise our public functions;

         b. In relation to legal proceedings, including obtaining legal advice and otherwise establishing, exercising or defending legal rights;

         c. To protect your vital interests; and

         d. If you have taken steps to make the personal data public, e.g. when we are conducting background checks in relation to prospective employees, awardees, volunteers or appointees to official positions.

 

6. Children’s Personal Data

The Cabinet Office collects personal data relating to children under the age of 18 to enable us to deliver public services and programmes and carry out our functions. We may collect children’s personal data for any of the purposes set out in section 3 of this Privacy Notice

 

7. Security and International Transfers

The Cabinet Office has put in place appropriate technical, physical and organisational measures in order to keep your personal data secure. These safeguards to maintain the confidentiality, integrity and availability of your personal data may include:

         a. Developing and maintaining written plans to identify, prevent, detect, respond to, and recover from security threats, events and incidents;

         b. Developing robust authentication procedures for accessing all systems that store personal data;

         c. Administrative and technical controls to restrict access to personal data on a “need to know” basis;

         d. Maintaining systems, software and applications, anti-virus software, firewalls, and other computer security safeguards, and appointing appropriate personnel to be responsible for keeping such safeguards up to date, including through actions such as patching, licence renewals/expiry monitoring, system health checks and account/user access management;

         e. Contractually requiring that our data processors maintain appropriate security measures;

         f. Maintaining appropriate records of access to and processing of personal data;

         g. Ensuring employees are trained on security policies and measures that have been implemented;

         h. Using appropriate measures, such as encryption, pseudonymisation and chain of custody records, to protect personal data, including when stored on laptops, tablets and other storage devices;

         i. Utilising appropriate and secure methods to destroy personal data as legally required; and

         j. Taking other reasonable measures as required at any time by legislation, rules and policies.

The Cabinet may transfer your personal data outside of the Cayman Islands to:

         a. the United Kingdom, where data are stored securely by our IT service providers Microsoft and Delib;

         b. Germany, where data are stored securely by our IT service provider monday.com; and/or

         c.  any country or territory to which you intend to travel with airport courtesies or other protocol services, where it may be received by another data controller who is responsible for providing any relevant services, e.g. transportation, travel courtesies and other protocol services at an airport or other facility.

The above is not a comprehensive list of countries and territories where we may transfer your personal data. However, we will only transfer your personal data to a country or territory that ensures an adequate level of protection for your rights and freedoms in relation to the processing of your personal data, unless there is a relevant exemption or exception under the DPA. Exceptions may include your consent or appropriate safeguards.

 

8. How Long We Keep Your Personal Data

The Cabinet Office may store your personal data for as long as we need it in order to fulfil the purpose(s) for which we collected your personal data, and in line with any applicable laws. This includes the National Archive and Public Records Act (2015 Revision), which governs the creation, maintenance and disposal of all public records. Sometimes, we may anonymise your personal data so that it is no longer associated with you.

 

9. Your Rights

The Cabinet Office will respect and honour your rights in relation to your personal data and implement measures that allow you to exercise your rights under the DPA and other applicable legislation.

In accordance with the DPA, your rights in relation to your own personal data include:

         a. The right to be informed and the right of access: The right to request access to all personal data the Cabinet Office maintains about you as well as supplementary information about why and how we are processing your personal data. This is commonly known as a Data Subject Access Request and certain supplementary information about our processing is contained within this Privacy Notice.

         b. Rights in relation to inaccurate data: The right to request the rectification, blocking, erasure or destruction of any inaccurate personal data the Cabinet Office maintains on you. We will ensure, through all reasonable measures, that your personal data is accurate, complete and, where necessary, up‑to‑date, especially if it is to be used in a decision-making process.

         c. The right to stop or restrict processing: The right to restrict or stop how the Cabinet Office uses your personal data in certain circumstances.

         d. The right to stop direct marketing: The right to cease the use of your personal data by the Cabinet Office for direct marketing purposes.

         e. Rights in relation to automated decision making: The right to obtain information about and object to the use of automated decision making by the Cabinet Office using your personal data. The Cabinet Office does not currently use automated means to make decisions about you. However, if this position changes, we will update this Privacy Notice and we will also notify you in writing as required.

         f. The right to complain: The right to complain to the Ombudsman about any perceived violation of the DPA by the Cabinet Office.

         g. The right to seek compensation: The right to seek compensation through the Courts if you suffer damage due to a contravention of the DPA by the Cabinet Office.

You may contact the Cabinet Office, using the contact details listed below, to access and review your personal data or to exercise any other rights provided to you under the DPA. The Cabinet Office will take into consideration circumstances where, under the DPA or other applicable legislation, your rights may be limited or subject to conditions, exemptions or exceptions.

Upon contacting the Cabinet Office, we may need to verify your identity prior to fulfilling a request and may request additional information as required. In accordance with the DPA, the Cabinet Office may also charge a reasonable fee in relation to your request if it is unfounded or excessive in nature, or the Cabinet Office may reserve the right not to comply with the request at all.

To learn more about your rights, visit www.ombudsman.ky.

 

10. Data Protection Principles

When processing your personal data, the Cabinet Office will comply with the eight Data Protection Principles defined within the DPA:

         a. Fair and lawful processing: Personal data shall be processed fairly. In addition, personal data may be processed only if certain conditions are met, for example, if the data controller is subject to a legal obligation that requires the processing or if the processing is necessary for exercise of public functions.

         b. Purpose limitation: Personal data shall be obtained only for one or more specified, explicit and legitimate purposes, and not processed further in any manner incompatible with that purpose or those purposes.

         c. Data minimisation: Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are collected or processed.

         d. Data accuracy: Personal data shall be accurate and, where necessary, kept up-to-date.

         e. Storage limitation: Personal data processed for any purpose shall not be kept for longer than is necessary for that purpose.

         f. Respect for the individual’s rights: Personal data shall be processed in accordance with the rights of data subjects under the DPA, including subject access.

         g. Security – confidentiality, integrity and availability: Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

         h. International transfers: Personal data shall not be transferred to a country or territory unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

 

11. How to Contact Us

The Cabinet Office has appointed a Data Protection Leader. If you have any questions about this Privacy Notice or how your personal data is handled, or if you wish to make a complaint, please contact: 

Name: Kim Bullings

Telephone number: +1 345 244 2209

Email Address: foi.cab@gov.ky

Address: Government Administration Building Box 105, 133 Elgin Ave, Grand Cayman  KY1-9000

The Cabinet Office aims to resolve inquiries and complaints in a respectful and timely manner.

 

12. Changes to this Privacy Notice

The Cabinet Office reserves the right to update this Privacy Notice at any time and will publish a new Privacy Notice when we make any substantial updates. From time to time, the Cabinet Office may also notify you about the processing of your personal data in other ways, including by email, through our publications, and on websites.