The Ombudsman office have advised that recently a member of the public discovered a significant number of abandoned documents at the George Town landfill, some containing sensitive personal information.
The individual brought a sample of the records to the Office of the Ombudsman for further examination.
Their Data Protection Team inspected the documents in detail, but were not able to determine where they originated, or whether they belonged to a public or private sector data controller. The records included publicly available court records, handwritten notebooks (in shorthand) and autopsy reports - some of which contained confidential and sensitive personal information.
The Ombudsman wishes to highlight the importance of proper records management, including authorized and responsible disposal, especially when documents contain personal information. It is both a legal requirement and best practice to ensure that measures are taken to protect personal data throughout its life cycle, and to only retain personal data for as long as necessary. Disposing of confidential records by abandoning them is not acceptable and should be avoided at all costs. Doing so could constitute a data breach under the Data Protection Law and may be punishable with a fine of up to $250,000.
Government entities are subject to strict retention and disposal rules, and should only dispose of records in an authorized and transparent way, e.g. by shredding or otherwise irreversibly destroying the records in accordance with an approved records disposal schedule, after consultation with the Cayman Islands National Archive.
Unlike the public sector, most private sector entities are not subject to strict retention and disposal rules - other than those imposed by the Data Protection Law. Even though they are not required to do so, many entities have adopted retention and disposal schedules to manage the life cycle of their records and information. The Ombudsman commends this approach as best practice.
For more information on the retention of personal data and the technical and organizational measures that should be put in place to protect personal data, see our Data Protection Guidance for Organizations on the Ombudsman website: https://ombudsman.ky/data-protection-organisation/introduction