Information abuse could land controllers in jail

| 20/09/2012

gty_medical_records_jef_120913_mn.jpg(CNS): The working group that is drafting a local data protection law has recommended that those convicted of abusing it could face a jailterm of as much as five years as well as financial penalties of as much as $250,000. Deputy Information Commissioner Jan Liebaers, who discussed the implementation of the new law with CNS recently, explained that there had been considerable discussion amongst the group about the need for a significant deterrent. He said information controllers could be fined $100,000 for refusing or failing to comply with an order from the information commissioner but could face as much as a quarter of a million dollar penalty for a deliberate contravention of the law.

Staring with fines of $5,000 and maximum terms of five years, Liebaers said the group was seeking meaningful enforcement for the legislation once it was passed. He added that the comparable maximum monetary penalty in the United Kingdom is £500,000, intended as a deterrent for serious wrongdoers.

In Cayman, the group has proposed a top penalty of up to $250,000 for a serious deliberate contravention of the law by a data controller that is “likely to cause substantial damage or substantial distress”, and where the data controller was likely to know or ought to have known that this would be the case.

Liebaers emphasized, however, that the introduction of the law is not just about policing personal information and enforcement. He hoped that would have only a small role in the way the new law would work as the goal was to manage personal data responsibly and appropriately and to prevent abuse in the first instance.

The Information Commissioner’s Office will be responsible for the law and, once passed, existing sections of the FOI law that deal with the protection of personal information will be transferred.

Speaking at a press briefing this week regarding Right to Know Day, Commissioner Jennifer Dilbert assured the public that the implementation of a Data Protection Law would not undermine the public’s right to information from government. She said this law was about protecting sensitive personal data held by all entities in both the public and private arenas and not public information held by government.

Category: FOI

About the Author ()

Comments (7)

Trackback URL | Comments RSS Feed

  1. Noelle Max says:

    Data protection should have been introduced at the same time as the FOI laws as the FOI laws are much too lenient and broad in their perspective. At this time the FOI commission and others have openned the flood gates and public entities will have to manage against public sentiment, manage maliciousrequests and waste time filtering such. its really a shame that noone thought to balance this better. I would like for government to produce the amount of money that it has wasted thus far on FOI research, responses and correspondence etc. civil service will never be cut back in numbers as it takes personnel to meet the deadlines of FOI much of which is idle curiosity.

     

  2. Anonymous says:

    Elections office posts personal details on their website. There are a number of young college educated Caymanians who refuse to register to vote for fear of having their personal details on a website. This appears to be misuse of data!

    • Anonymous says:

      The Elections Law (2009 Revision) requires the register of electors to be made available publicly (under various conditions and formats). Sub-section 18 (4) of the law states that

      "(4) Copies of the Register of Electors shall be offered for sale in printed or electronic form at prices set by the Supervisor from time to time."   I guess the Supervisor has  effectviely set the price to zero if they are allowing access on their website (which is offline this morning!).  Eitherway you can go to a post office and see a hard copy of the list.

      The Data Protection Bill in section 34 provides that "Personal data are exempt from the non-disclosure provisions if the disclosure is required under any enactment, by any rule of law or by the order of a court".

      So technically it won't be a misuse of data to disclose the register of electors (as long as it is consistent with the law).   But it is is an interesting situation – obviously the register is useful information for both good and bad purposes…..and this is a good example of tension between the goal of data protection and privacy and the public good of knowing who is on the

       

       

      • Anonymous says:

        The UK has addressed this problem in relation to public access – by limiting access to info RE electoral register.. CI Govt will need to do the same!

      • Lou Roll says:

        The sale of the electoral register to third parties without given those who register a right to opt out of publication is a breach of the rightsof privacy under Art 8 of the ECHR and a fetter on the right to participate in the political process under Art 1/1 of the ECHR.  This has already been litigated and determined in England.  Cayman must correct this or face the risk of quite sizeable damages – the ECHR puts a minimum of $1500 to $2000 compensation on a breach associated with voting rights.  Of course the Cayman Human Rights Committee SHOULD be looking at this, but they are puppets of the government that appointed them and have been a complete disgrace to date.

        • Anonymous says:

          Yes but has anyone yet been successful with an ECHR case in Cayman…….it’s very hypothetical from what
          I understand. There has been lots of talk of various immigration cases goin to the ECHR but nothing seems to happen due to the need to go through the local courts first and the costs involved….

  3. John Evans says:

    I am watching this with a great deal of interest because when the UK's DataProtection Act 1984 kicked in I was working for a public authority who, because the original DPA only applied to electronic data, responded to the then new legislation by cancelling plans to computerise thousands of paper files. It was only a temporary, if horrendously expensive, respite for them because a few years later all personal records, in any format, came under the terms of DPA. Today even informal, handwritten notes made during a meeting, interview or phone conversation can potentially be regarded as personal information protected under DPA and accessible by anyone named in them. 

    Just before our Freedom of Information Act (FOIA) kicked in that same authority also destroyed huge quantities of archive material by simply introducing a 'seven-year' destruction rule. Rumours that more recent documentation got mixed up with the tons of material shredded in this exercise were denied but a lot of newer material did conveniently go missing.

    And the point of these observations? 

    Most public authorities and private companies hate any moves to make their activities more open, transparent and, most important, publicly accountable. Look at the way the current Auditor General is being treated if you don't believe me.

    The problem with getting effective legislation like FOI and data protection introduced into law is that it tends to be the kind of thing people don't really appreciate until they have it. It's a case of, "You don't know what you are missing until it arrives."

    Don't let this slip by you because, as I have seen in the UK, once enacted it will force major changes in the way people are treated by both public authorities and private entities.