Privacy Notice

Scope

The Cayman Islands Government Health Practice Commission, (“HPC”), the Medical and Dental Council, the Nursing and Midwifery Council, the Pharmacy Council, and the Council for Professions Allied with Medicine respect your privacy and take care in protecting your personal data. As data controllers, we comply with the Cayman Islands Data Protection Act (2021 Revision) (the “DPA”). This privacy notice (“Privacy Notice”) demonstrates our commitment to ensuring your personal data is handled responsibly.

The privacy information in respect to each data controller mentioned above has been consolidated into one Privacy Notice so that it may be more accessible and administratively convenient for the public. 

Each council is an individual data controller for personal data processed to fulfil its functions, including to register and license practitioners. For the purposes of this Privacy Notice, the Medical and Dental Council, the Nursing and Midwifery Council, the Pharmacy Council, and the Council for Professions Allied with Medicine (collectively the “Councils”) will be referred to in the collective form, as the functions, requirements, and processing activities are closely aligned in law and in practice and they are also referred to as such in the Health Practice Act (2021 Revision).

HPC is the data controller for personal data processed to facilitate certification and inspection of health care facilities in the Cayman Islands, this includes when HPC reviews records of registered practitioners working at a health care facility they are inspecting. 

Pursuant to section 22 of the Health Practice Act (2021 Revision), the HPC also serves as a data processor for the Councils by providing administrative support, including by processing applications, handing inquiries, and maintaining records. 

This Privacy Notice does not apply to the Health Insurance Commission, their privacy notice can be found HIC Privacy Notice. This Privacy Notice also does not apply to the Health Appeals Tribunal which hears appeals from decisions of HPC and the Councils. 

What Personal Data We Collect

HPC and the Councils collects personal data, including sensitive personal data, directly from you and may also collect your personal data indirectly from third party sources. Personal data collected by the HPC and by the Councils is limited to what is necessary for our processing activities. In this Privacy Notice, personal data includes any data relating to an identified or identifiable living individual and includes: work and educational history, professional qualifications, competency tests, character assessments, references, mental and physical health information, criminal history, information regarding complaints, and any other information required for the registration, licensing, monitoring and investigation of health practitioners.

Personal data we collect directly from you

HPC and the Councils may collect the following information directly from you:
 
a.    Personal data you provide through HPC and the Councils websites, such as:
        i.    Personal data provided within comments and questions, including your name and/or email address if you provide these details in our web form. If you ask questions about our public services and programmes or provide information about your relationship with us, this may also reveal other personal data, e.g. your employment status, immigration status, or professional background;
        ii.    Your email address and subscription preferences if you sign up for our newsletters or notifications, and how you utilise our emails, including whether you open them and which links you click; and
        iii.    Your Internet Protocol (“IP”) address, details of which device or version of web browser you used to access our website content, and other information about how you used our website;

b.    Personal data you provide when you visit our offices and other locations; contact us by email, by telephone; or access our programmes and services, including our online services (e.g. license renewals);

c.    Personal data that you provide when you inquire about a job with the HPC; if you apply for a job with the HPC via the CIG e-recruitment platform, an additional privacy notice is available here: https://careers.gov.ky/application/custom/English/privacy-statement.html;

d.    Personal data related to your participation as a member of one of the Councils;

e.    Any other personal data where the collection is necessary to achieve our lawful purpose(s).

Personal data collected from other sources

The Councils may collect the following personal data from other sources:

a.    Any information necessary for the application or renewal of practitioner license where the health care facility is submitting the application and associated fees on your behalf;

b.    Any information received from anyone via a complaint or obtained during an investigation of a complaint;

c.    Any information submitted or obtained as part of an investigation into allegations that a registered practitioner is unfit to practice, or similar; 

d.    Background checks and verification of professional education, qualifications, or similar;

e.    Personal data collected via CCTV at the HPC premises, if lawfully disclosed to the Councils by the CIG Facilities Management Department as the initial Data Controller that collected the footage at the premises; and

f.    Any other personal data where the collection is necessary to achieve our lawful purpose(s). 

The HPC may collect the following personal data from other sources:

a.    Personnel records and other information from health care facilities during certification or investigation of a health care facility;

b.    Registered practitioner licence and other historical records relating to the registration and licensing of a registered practitioner may be obtained from the Councils to verify records provided by health care facilities;

c.    Personal data collected via CCTV at the HPC premises, if lawfully disclosed to the HPC by the CIG Facilities Management Department as the initial Data Controller that collected the footage at the premises; and

d.    Any other personal data where the collection is necessary to achieve our lawful purpose(s). 

 

How We Use Your Personal Data

The purpose of the Civil Service is to make the lives of those we serve better. We are dedicated to supporting the elected government by delivering caring, modern and customer-centred public services and programmes, which deliver value for money. The HPC and the Councils may use your personal data for the following purposes: 

a.    Implementing policies, providing services and programmes, and managing your relationship with us;

b.    Processing applications for registration and licensing of health practitioners;

c.    Responding to your inquiries;

d.    Verifying your identity or information you have provided us;

e.    Investigating complaints or allegations against a health practitioner;

f.    Make available for inspection and publish the register of licenced practitioners;

g.    Determine and approve adequate malpractice insurance, liability insurance, other relevant insurance or indemnity cover;

h.    Measuring how users interact with our websites and continually improving our communications channels (including by aggregating personal data collected using cookies); 

i.    Communicating and interacting with website visitors; 

j.    Communications and public relations activities;

k.    Managing accounts payable and receivable, preventing fraud, and protecting public funds;

l.    Statistical and other reporting, both internally and externally;

m.    Seeking legal advice, and exercising or defending legal rights; and

n.    Complying with our legal obligations, including all legislation that applies across the public sector, e.g. legislation that provides for records and information management, procurement, human resource management, financial management, audit, and similar functions and activities.

How We Share Your Personal Data

The HPC and the Councils may share your personal data as required, including under applicable legislation, with recipients that include joint data controllers, our data processors, and third parties. We will only share your personal data as permitted by the DPA. 

Your personal data may be shared with the following recipients that support our public functions and operations:

a.    With other public authorities: Personal data may be shared with other public authorities – here, “public authorities” means Ministries, Portfolios, Offices, Departments, Statutory Authorities, Statutory Bodies and Government Companies – for the purposes set out in this Privacy Notice.

b.    With data processors external to the CIG: Personal data may be shared with persons providing services to the Council as a data processor in compliance with the DPA. When they are acting as data processors, these service providers are only able to use personal data under our instructions. We engage data processors for a variety of processing activities, which may include:

         i.    Information Technology;

         ii.    Records and Information Management, including storage facilities;
         iii.    Communications; and

         iv.    Security operations and fraud prevention.

In limited circumstances, service providers who act as data processors for the HPC and the Councils may also act as a separate data controller in relation to their own purposes for processing your personal data, e.g. to provide customer support, or for analytics or machine learning in order to improve their services. These are unrelated to the purposes for which the HPC and the Councils process your personal data and should be clearly and directly disclosed to you by the service provider through their own separate privacy notice. However, you may contact us to ask about our current service providers and specific instances, if any, that we are aware of where your personal data may be processed for a service provider’s own purposes.

c.    With legal advisors and other persons if required by law or in relation to legal proceedings or rights:
Personal data may be disclosed as legally required, for the purpose of or in connection with proceedings under the law, if necessary to obtain legal advice, or if the disclosure is otherwise necessary to establish, exercise or defend legal rights. This may include disclosing your personal data for the following purposes:

        i.    Seeking legal advice;

        ii.    Exercising or defending legal rights;

        iii.    Complying with internal and external audits or investigations by competent authorities;

        iv.    Complying with information security policies or requirements; and

        v.    The Councils will send any parties to a proceeding copies of statutory declarations or any other document sent to the Councils in relation to the proceedings by the person who made the allegations against the registered practitioner or by the registered practitioner, if requested, per Schedule 3, paragraph 14(3), Health Practice Act (2021 Revision).

d.    With other third parties: Personal data may be disclosed to other third-party recipients for the purposes set out in this Privacy Notice and in accordance with the DPA.

Our Legal Bases for Processing Your Personal Data

Depending on applicable laws and other circumstances, the HPC and the Councils will rely on specific legal bases, or “conditions of processing”, under the DPA to process your personal data. These may include: 

a.    A legal obligation to which HPC and/or the Councils is subject, e.g. to publish  the names and registered addresses of registered practitioners, section 29(2), Health Practice Act (2021 Revision), to notify a health practitioner if they are removed from the register and provide reasons, regulation 8(2), Health Practice Regulations (2021 Revision), and to comply with various obligations under the Procurement Act (2023 Revision) and Procurement Regulations (2022 Revision), the Public Management and Finance Act (2020 Revision) and Financial Regulations (2022 Revision), the Public Service Management Act (2018 Revision) and Personnel Regulations (2022 Revision), the Data Protection Act (2021 Revision) and Data Protection Regulations, 2018, and the National Archive and Public Records Act (2015 Revision);

b.    To exercise public functions, including the functions of HPC to inspect and license health care facilities, and the Councils register and license health practitioners;

c.    To perform or enter into a contract with you;

d.    To protect your vital interests;

e.    Consent, e.g. to send you marketing communications or to administer surveys and polls; and

f.    For the purposes of legitimate interests pursued by the Council or by a third party or parties to whom the personal data may be disclosed, e.g. when disclosing records containing third party personal data in response to a request submitted under the Freedom of Information Act (2021 Revision).

Where we process your sensitive personal data, we will also meet a second legal basis. These may include:

a.    To exercise our public functions;  

b.    To protect your vital interests;

c.    In relation to legal proceedings, including obtaining legal advice and otherwise establishing, exercising or defending legal rights; and

d.    If you have taken steps to make the personal data public 

Children's Personal Data

The HPC, unless explicitly stated or implied otherwise, our website and our various public services and programmes are not intended for, or intentionally targeted at, children. We do not knowingly collect or maintain personal data about children under the age of 16. 

The Councils, in limited situations, collect personal data relating to children under the age of 18 to enable us to deliver public services and programmes and carry out our functions. We may collect children’s personal data for any of the purposes set out in section 3 of this Privacy Notice.

Security and International Transfers

The HPC and the Councils have put in place appropriate technical, physical and organisational measures in order to keep your personal data secure. These safeguards to maintain the confidentiality, integrity and availability of your personal data.

We will only transfer your personal data to a country or territory that ensures an adequate level of protection for your rights and freedoms in relation to the processing of your personal data, unless there is a relevant exemption or exception under the DPA. Exceptions may include your consent or appropriate safeguards.

Personal data collected and processed by the HPC that is recorded and maintained within our case management system is hosted on cloud infrastructure geographically located in Canada, the United Kingdom, and Germany, managed by the Department of eGovernment in its role as data processor, and its sub-processor, Liferay Inc. In limited circumstances, personal data may also be processed by Liferay Inc. and its authorised sub-processors for the purposes of disaster recovery, maintenance, and support.
We have implemented appropriate safeguards to protect your personal data, including robust technical and organizational measures (such as encryption in transit and at rest) and contractual protections with our service providers. Where data may be accessed from outside these jurisdictions, such transfers are subject to recognized safeguards, including Standard Contractual Clauses and participation in the EU-US Data Privacy Framework / UK-US Data Bridge where applicable. We continue to assess residual risks associated with our international data transfers in line with best practices and regulatory guidance.

How Long We Keep Your Personal Data

The HPC and the Councils may store your personal data for as long as we need it in order to fulfil the purpose(s) for which we collected your personal data, and in line with any applicable laws. This includes the National Archive and Public Records Act (2015 Revision), which governs the creation, maintenance and disposal of all public records. Sometimes, we may anonymise your personal data so that it is no longer associated with you.

Cookies, in combination with pixels, local storage objects, and similar devices (collectively, "Cookies" unless otherwise noted), are used to distinguish between visitors to a website.

When you visit, our website  small files known as Cookies may be stored on your computer, phone, tablet or any other device through your web browser. Information is stored in these text files. 

Enabling Cookies may allow for a more tailored browsing experience and is required for certain website functionality. In the majority of cases, a Cookie does not provide us with any of your personal data. Please see the website’s Cookie Notice for more information about the use of Cookies

 

Your Rights

The HPC and the Councils will respect and honour your rights in relation to your personal data and implement measures that allow you to exercise your rights under the DPA and other applicable legislation. 
In accordance with the DPA, your rights in relation to your own personal data include: 

a.    The right to be informed and the right of access: The right to request access to all personal data the HPC and the Councils maintains about you as well as supplementary information about why and how we are processing your personal data. This is commonly known as a Data Subject Access Request and certain supplementary information about our processing is contained within this Privacy Notice.
 
b.    Rights in relation to inaccurate data: The right to request the rectification, blocking, erasure or destruction of any inaccurate personal data the HPC and the Councils maintains on you. We will ensure, through all reasonable measures, that your personal data is accurate, complete and, where necessary, up‑to‑date, especially if it is to be used in a decision-making process.

c.    The right to stop or restrict Processing: The right to restrict or stop how the HPC or the Councils use your personal data in certain circumstances. 

d.    The right to stop direct marketing: The right to cease the use of your personal data by the Council for direct marketing purposes. The HPC and the Councils does not currently carry out any direct marketing activities. However, we will update this Privacy Notice and we will also notify you in writing as required if this position changes.

e.    Rights in relation to automated decision making: The right to obtain information about and object to the use of automated decision making by the Council using your personal data. The HPC and the Councils do not currently use automated means to make decisions about you. However, we will update this Privacy Notice and we will also notify you in writing as required if this position changes.

f.    The right to complain: The right to complain to the Ombudsman about any perceived violation of the DPA by the HPC or the Councils.

g.    The right to seek compensation: The right to seek compensation in the Court if you suffer damage due to a contravention of the DPA by the HPC or the Councils. 

You may contact the HPC or the Councils, using the contact details listed below, to access and review your personal data or to exercise any other rights provided to you under the DPA. The HPC and the Councils will take into consideration circumstances where, under the DPA or other applicable legislation, your rights may be limited or subject to conditions, exemptions or exceptions.

Upon contacting the HPC or the Councils, we may need to verify your identity prior to fulfilling a request and may request additional information as required. In accordance with the DPA, the HPC and the Councils may also charge a reasonable fee in relation to your request if it is unfounded or excessive in nature, or the HPC or the Councils may reserve the right not to comply with the request at all. 

To learn more about your rights, visit www.ombudsman.ky

Data Protection Principles

When processing your personal data, the HPC and the Councils will comply with the eight Data Protection Principles defined within the DPA: 

a.    Fair and lawful processing: Personal data shall be processed fairly. In addition, personal data may be processed only if certain conditions are met, for example the data controller is subject to a legal obligation that requires the processing or the processing is necessary for exercise of public functions.

b.    Purpose limitation: Personal data shall be obtained only for one or more specified, explicit and legitimate purposes, and not processed further in any manner incompatible with that purpose or those purposes.

c.    Data minimisation: Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are collected or processed
.
d.    Data accuracy: Personal data shall be accurate and, where necessary, kept up-to-date.

e.    Storage limitation: Personal data processed for any purpose shall not be kept for longer than is necessary for that purpose.

f.    Respect for the individual’s rights: Personal data shall be processed in accordance with the rights of data subjects under the DPA, including subject access.

g.    Security – confidentiality, integrity and availability: Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

h.    International transfers: Personal data shall not be transferred to a country or territory unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data. 

How to Contact Us

The DHRS has appointed a Data Protection Leader. If you have any questions about this Privacy Notice or how your personal data is handled, or if you wish to make a complaint, please contact:

Name: Leasa Charlton, Data Protection Leader
Telephone number: (345) 949-2813
Email Address: hpc@gov.ky
Address: 133 Elgin Avenue, George Town, Grand Cayman

The HPC and the Councils aims to resolve inquiries and complaints in a respectful and timely manner.

Changes to this Privacy Notice

The DHRS reserves the right to update this Privacy Notice at any time and will publish a new Privacy Notice when we make any substantial updates. From time to time, the HPC and the Councils may also notify you about the processing of your personal data in other ways, including by email or through our publications. 

This Privacy Notice was last updated on 25/09/2025.