Privacy Notice - My eID
Identification Register and Identification Card Privacy Notice
The office of the Registrar of the Cayman Islands Identification Register and the Cayman Islands Identification Card ("the Registrar") respects your privacy and takes care in protecting your personal data. As a data controller, we comply with the Cayman Islands Data Protection Act (2021 Revision) (the "DPA"). This privacy notice ("Privacy Notice") demonstrates our commitment to ensuring your personal data is handled responsibly and applies to the Registrar, the Cayman Islands Identification Register (“the Register”), and the Cayman Islands Identification Card (“the Card”).
This Privacy Notice does not apply to the Registrar when we are processing personal data relating to our employees. This Privacy Notice also does not apply to personal data processed by other public authorities or private entities that may have access to the Identification Register in accordance with the Identification Register Act, 2022 ("the Register Act"). Such entities are responsible for maintaining their own privacy notices in compliance with the DPA.
This Privacy Notice also extends to cover personal data processed through middleware, including mobile apps for Android and iOS, as well as software for Mac OS and Windows, used to perform functions in relation to the Cayman Islands Identification Card where the Registrar is the data controller.
Throughout this Privacy Notice, references will also be made to the Cayman Islands Identification Card Act (“the Card Act”), with the Register Act and the Card Act being jointly referred to as “the Acts”.
On this page:
- What Personal Data we collect
- How we use your Personal Data
- How we share your Personal Data
- Our legal bases for processing your Personal Data
- Children’s Personal Data
- Security and international transfers
- How long we keep your Personal Data
- Cookies
- Your rights
- Data Protection Principles
- How to contact us
- Changes to this Privacy Notice
What Personal Data We Collect
The Registrar collects personal data directly from you and may also collect your personal data indirectly from third-party sources. Personal data collected by the Registrar is limited to what is necessary for our processing activities. When you apply to be issued an ID Card, we may also create:
- A unique identification code that will be assigned to you.
- A Personal Identification Number (PIN) to authorise your access to online services, which you will be able to reset at any time.
- A Personal Unblocking Number (PUK), which will be used if you need to unblock your card and reset the PIN, e.g. after the wrong PIN has been entered multiple times.
In this Privacy Notice, personal data includes any data relating to an identified or identifiable living individual and includes your identification code, PIN and PUK; identity facts such as full name, date of birth, nationality, sex, immigration status; and related facts such as place of birth, identification code of parents, physical characteristics, signature, photograph, contact information, residential and mailing addresses and emergency contact information.
We will only collect the minimum amount of personal data required to achieve our purposes. Your personal data may be collected through forms that require you or a third party to input specific personal data. We may also collect documents that contain your personal data, e.g. birth certificates, marriage certificates, court orders, utility bills and identification documents. We will only require you to submit specific documents that may contain additional information that is not required for our purposes if this is necessary, including to verify that the personal data you are providing is accurate.
Personal data we collect directly from you.
The Registrar may collect the following information directly from you:
- Identifiers: This includes details like your identification code, full name, usernames, other unique identifiers, and email addresses that you provide through the Registrar's website(s), such as within comments, questions, and online forms, paper forms, and other means of communication.
- Identity facts such as full name, date of birth, nationality, sex, immigration status, and identification code; and related facts such as place of birth, identification code of parents, physical characteristics, signature, photograph, and residential addresses.
- Visual Identifiers: Photos or images that you provide to us, whether mandated by our services or uploaded voluntarily to our systems.
- Technical Data: Details such as your IP address, the device, location information, date and time, and the browser version you utilise to access our services. This category also accounts for information like email headers, caller ID data, usage patterns, and more. For further insights into some related data collection practices, like cookies, you can refer to our Cookie Notice.
- Contact Information: Beyond the email addresses highlighted above, this category encompasses telephone numbers and any other contact details you may provide.
- Support and Interaction Details: Data provided within comments, questions, and web forms on the Registrar's website(s) which may include the identifiers and contact information listed above. Depending on the nature, other personal details such as employment status might also be revealed, whether through emails, online form submissions, online chat conversations, or audio and video calls. Additionally, this category captures records of your interactions with our customer support channels, including noting which support portal articles you've accessed or were referred to for assistance, as well as personal data you provide when you:
- Visit the Registrar's offices and related government locations.
- Otherwise contact the Registrar by email, telephone, chat, video call or through our social media channels.
- Interact with the Registrar on any of our social media platforms, including Facebook, LinkedIn, and Instagram.
- Certificate Details: Information about the certificates stored within your Identification Card, including issuer details, validity period, and key usage purposes (such as non-repudiation or authentication), which are accessed through the middleware as part of the Public Key Infrastructure (PKI) services.
- Bluetooth and NFC Data: Information collected using Bluetooth and NFC technologies in our mobile applications.
- Interactions with Other eGovernment Services: When interacting with the Register and the Card services, you may also interface with other eGovernment services, such as eServices Sign In, that are managed under a separate privacy notice. For more information, please refer to the Department of eGovernment Privacy Notice.
- Any other personal data where the collection is necessary to achieve our lawful purpose(s).
Personal data collected from other sources.
The Registrar may collect the following personal data from other sources:
- Personal data from public authorities and other sources as specified in the Register Act, including when individuals access services offered by the Registrar. This includes personal data such as immigration status, birth information, and information on other registrable events.
- Personal data provided by registered persons. In some cases, one registered person may provide personal data relating to other individuals, e.g., when providing emergency contact information or information about family members.
- Personal data disclosed by a parent/guardian, delegate or an authorised representative acting on behalf of an individual applying for or holding a Cayman Islands Identification Card.
- Any other personal data where the collection is necessary to achieve our lawful purpose(s).
How We Use Your Personal Data
The Registrar is a public agency dedicated to supporting the Cayman Islands Government by delivering efficient, secure, and customer-centred identification services, which enable the provision of modern public services and programmes. The Registrar may use your personal data for the following purposes:
- Establishing and maintaining the Register and the Card in accordance with the Acts.
- Processing requests for a person’s entry to the Register, update of a person’s information in the Register, other requests in relation to a person’s entry in the Register, as well as for issuing, renewing, replacing, suspending, or cancelling Cayman Islands Identification Cards.
- Maintaining the database(s) for the Register and the Card.
- Supporting the functionalities of middleware software, including the desktop software for Mac OS and Windows, to enable secure authentication.
- Conducting Identity Proofing and Verification (IPV) for enrolment, including online enrolment and remote IPV processes.
- Enabling the authentication and verification of identity by authorised entities for the purposes specified in the Acts, such as establishing eligibility for government services, enforcing immigration controls, and ensuring national security.
- Providing identification services to support the efficient and effective delivery of government services and benefits.
- Facilitating compliance with legal obligations under the Acts and other applicable legislation.
- Supporting public administration, policy development, and statistical analysis related to the Register and the Card.
- Responding to your enquiries and managing your relationship with the Registrar.
- Verifying your identity when accessing the Registrar's services or interacting with the Registrar.
- Providing access to the information held in the Register and on the card to the registered person, and other authorised individuals or entities, in accordance with the provisions of the Acts.
- Verifying facts about a person to support the functions and operations of the Registrar.
- Contacting a person who has been included as an emergency contact or delegate.
- Facilitating delivery of the Card, notices, or other information.
- Measuring how users interact with the Registrar's website(s) and continually improving our communications channels (including by aggregating personal data collected using cookies).
- Communicating and interacting with website visitors and individuals who contact the Registrar.
- Seeking legal advice and exercising or defending legal rights in matters related to the Register and the Card.
- Complying with our legal obligations under the Acts and other applicable legislation, including requirements related to records and information management, financial management, and audit; And
How We Share Your Personal Data
The Registrar may share your personal data as required, including under applicable legislation, with recipients that include joint data controllers, our data processors, and third parties. We will only share your personal data as permitted by the DPA and the Acts, which includes the sharing of personal data as instructed by you.
Your personal data may be shared with the following recipients that support the Registrar’s functions and operations:
- With other public authorities: Personal data may be shared with other public authorities – here, "public authorities" means Ministries, Portfolios, Offices, Departments, Statutory Authorities, Statutory Bodies and Government Companies – for the purposes specified in the Register Act and set out in this Privacy Notice, such as enabling the authentication and verification of identity, verifying facts about a person, providing government services, and facilitating compliance with legal obligations related to identification.
- With data processors external to the CIG: Personal data may be shared with persons providing services to the Registrar as a data processor in compliance with the DPA. When they are acting as data processors, these service providers are only able to use personal data under our instructions. We engage data processors for a variety of processing activities, which may include:
- Information Technology: Services related to the IT infrastructure and applications supporting the Registrar's operations.
- Customer Support: Services to handle enquiries and support requests.
- Security Operations and Fraud Prevention: Services to monitor and protect against security threats and fraudulent activities.
- Public Key Infrastructure (PKI) Services: Services related to the management and operation of digital certificates and encryption.
- Records and Information Management: Services for the storage, management, and archiving of records and information.
- Communications: Services to manage communication efforts.
- Middleware Operation and Maintenance: Services to support the middleware used for the Card services.
- Identity Proofing and Verification (IPV): Services for online enrolment, remote IPV, and other identity verification processes.
- Enrolment and Issuance/Delivery of Cards: Services to assist with the enrolment process and the issuance or delivery of Identification Cards.
In limited circumstances, service providers who act as data processors for the Registrar may also act as a separate data controller in relation to their own purposes for processing your personal data, e.g., to provide customer support, or for analytics or machine learning to improve their services. These are unrelated to the purposes for which the Registrar processes your personal data and should be clearly and directly disclosed to you by the service provider through their own separate privacy notice. However, you may contact us to ask about our current service providers and specific instances, if any, that we are aware of where your personal data may be processed for a service provider's own purposes.
- With legal advisors and other persons if required by law or in relation to legal proceedings or rights: Personal data may be disclosed as legally required under the Acts or other applicable legislation, for the purpose of or in connection with proceedings under the law, if necessary to obtain legal advice, or if the disclosure is otherwise necessary to establish, exercise or defend legal rights. This may include disclosing your personal data for the following purposes:
- Seeking legal advice.
- Exercising or defending legal rights.
- Complying with internal and external audits or investigations by competent authorities.
- Complying with information security policies or requirements.
- With other third parties: Personal data may be disclosed to other third-party recipients for the purposes set out in this Privacy Notice and in accordance with the DPA and the Acts, such as for the prevention, detection, or investigation of crimes, in the interest of national security, or where there is a disaster or public health emergency.
Our Legal Bases for Processing Your Personal Data
Depending on applicable laws and other circumstances, the Registrar will rely on specific legal bases, or "conditions of processing", under the DPA to process your personal data. These may include:
- A legal obligation to which the Registrar is subject, e.g., to establish and maintain the Register, to enable the authentication and verification of identity by authorised entities, and to facilitate compliance with legal obligations under the Acts, and to comply with various obligations under the Procurement Act (2023 Revision) and Procurement Regulations (2022 Revision), the Public Management and Finance Act (2020 Revision) and Financial Regulations (2022 Revision), the Public Service Management Act (2018 Revision) and Personnel Regulations (2022 Revision), the Data Protection Act (2021 Revision) and Data Protection Regulations, 2018, and the National Archive and Public Records Act (2015 Revision).
- To exercise public functions, including the functions of the Registrar to establish and maintain the Register, to enable the authentication and verification of identity by authorised entities, to provide identification services to support the efficient and effective delivery of government services and benefits, and to support public administration, policy development, and statistical analysis related to the Register.
- To perform or enter a contract with you, e.g., as a supplier of goods or services to the Registrar.
- To protect your vital interests, e.g., if you are a missing person, to facilitate a search for you.
Children's Personal Data
The Registrar collects personal data relating to children under the age of 18 to enable us to carry out our functions under the Acts, including enrolment in the Register and issuing Identification Cards to eligible persons. We may collect children's personal data for any of the purposes set out in section 3 of this Privacy Notice.
Security and International Transfers
The Registrar has put in place appropriate technical, physical, and organisational measures in order to keep your personal data secure. These safeguards to maintain the confidentiality, integrity and availability of your personal data include:
- Secure Access and Confidentiality Protocols: Developing systems, procedures, and protocols to facilitate appropriate access to data while also ensuring the protection, security and confidentiality of information in the Register.
- Information Use and Sharing Policies: Developing policies, procedures and protocols for the use and sharing of information contained in the Register.
- Auditing and Change Logging: Maintaining complete and accurate records of applications and changes or updates made to the Register.
- Encryption: Personal data is encrypted both at rest and in transit. This helps protect the data from unauthorised access, even if the data is intercepted or the storage systems are compromised.
- Middleware Security: Ensuring the middleware software used for Identification Card services is secure, including regular updates, encryption of data at rest and in transit where appropriate, and strict access controls. This also covers the secure use of Bluetooth and NFC technologies in our mobile applications to protect personal data during wireless communications.
- Access Controls: Strict access controls are implemented where appropriate to ensure that only authorised personnel can access personal data, including:
- Role-Based Access Control: Access to personal data is granted based on the individual's job responsibilities and is limited to the minimum necessary to perform their duties.
- Multi-Factor Authentication: The requirement to provide multiple forms of identification (e.g., password and security token) to access sensitive systems and data.
- Regular Access Reviews: User access rights are regularly reviewed and updated to ensure they remain appropriate and to promptly remove access for individuals who no longer require it.
- Security Monitoring: The Registrar continuously monitors its systems and networks for potential security threats and incidents. This includes:
- Intrusion Detection and Prevention Systems: These systems monitor network traffic for suspicious activities and assist in identifying and blocking potential threats.
- Vulnerability Scanning and Penetration Testing: Regular scans and tests are conducted to identify and address potential vulnerabilities in the Registrar's systems and applications.
- Physical Security: The Registrar ensures the physical security of its data centres and offices to prevent unauthorised physical access to personal data.
- Staff Training and Awareness: The Registrar provides regular training to its staff on data protection and information security best practices.
- Third-Party Risk Management: The Registrar ensures that any third parties processing personal data on its behalf have appropriate security measures in place. We manage these third-party risks through:
- Due Diligence: The Registrar conducts thorough due diligence on potential third-party service providers to assess their security posture and compliance with relevant laws and regulations.
- Contractual Obligations: Where applicable and deemed necessary by law, contracts with third-party service providers include specific security and data protection requirements, such as minimum security standards, incident reporting obligations, and rights to audit.
- Other Technological and Organisational Measures: Adopting and implementing other appropriate technological and manual security measures to safeguard the reliability and confidentiality of the data under the Registrar’s control, and protect it against use not permitted under the Acts, as well as accidental or intentional destruction, loss or damage.
We may transfer your personal data outside of the Cayman Islands to:
- Ireland and other EU nations for secure hosting purposes.
- Other countries, for providing customer support for specific Registrar functions.
- Other countries, for Public Key Infrastructure (PKI) services.
Data transfers will only occur if the country or territory guarantees an appropriate degree of protection for your rights and freedoms in relation to the processing of your personal data, unless the DPA provides a relevant exception or exemption. Such exceptions might include your consent or suitable safeguards, like standard contractual clauses.
How Long We Keep Your Personal Data
Cookies
Cookies, in combination with pixels, local storage objects, and similar devices (collectively, "Cookies" unless otherwise noted), are used to distinguish between visitors to a website.
When you visit our website(s), small files known as Cookies may be stored on your computer, phone, tablet or any other device through your web browser. Information is stored in these text files.
Enabling Cookies may allow for a more tailored browsing experience and is required for certain website functionality. In most cases, a Cookie does not provide us with any of your personal data.
For more information about how we use Cookies, please consult the Cayman Islands Government’s eGovernment Cookie Notice.
Your Rights
The Registrar will respect and honour your rights in relation to your personal data and implement measures that allow you to exercise your rights under the DPA, the Acts, and other applicable legislation. In accordance with the DPA, your rights in relation to your own personal data include:
- The right to be informed and the right of access: The right to request access to all personal data the Registrar maintains about you as well as supplementary information about why and how we are processing your personal data. This is commonly known as a Data Subject Access Request and certain supplementary information about our processing is contained within this Privacy Notice.
- Rights in relation to inaccurate data: The right to request the rectification, blocking, erasure, or destruction of any inaccurate personal data the Registrar maintains on you. We will ensure, through all reasonable measures, that your personal data is accurate, complete and, where necessary, up‑to‑date, especially if it is to be used in a decision-making process.
- The right to stop or restrict Processing: The right to restrict or stop how the Registrar uses your personal data in certain circumstances.
- The right to stop direct marketing: The right to cease the use of your personal data by the Registrar for direct marketing purposes. The Registrar does not currently carry out any direct marketing activities. However, we will update this Privacy Notice as required if this position changes.
- Rights in relation to automated decision making: The right to obtain information about and object to the use of automated decision making by the Registrar using your personal data.
- The right to complain: The right to complain to the Ombudsman about any perceived violation of the DPA by the Registrar.
- The right to seek compensation: The right to seek compensation in the Court if you suffer damage due to a contravention of the DPA by the Registrar.
You may contact the Registrar, using the contact details listed below, to access and review your personal data or to exercise any other rights provided to you under the DPA or the Acts. This includes the right under the Register Act to obtain a record of access to your identification information. The Registrar will take into consideration circumstances where, under the DPA or other applicable legislation, including the Acts, your rights may be limited or subject to conditions, exemptions or exceptions.
Upon contacting the Registrar, we may need to verify your identity prior to fulfilling a request and may request additional information as required. In accordance with the DPA, the Registrar may also charge a reasonable fee in relation to your request if it is unfounded or excessive in nature, or the Registrar may reserve the right not to comply with the request at all.
To learn more about your rights, visit www.ombudsman.ky.
Data Protection Principles
When processing your personal data, the Registrar will comply with the eight Data Protection Principles defined within the DPA:
- Fair and lawful processing: Personal data shall be processed fairly. In addition, personal data may be processed only if certain conditions are met, for example the data controller is subject to a legal obligation that requires the processing, or the processing is necessary for exercise of public functions.
- Purpose limitation: Personal data shall be obtained only for one or more specified, explicit, and legitimate purposes, and not processed further in any manner incompatible with that purpose or those purposes.
- Data minimisation: Personal data shall be adequate, relevant, and not excessive in relation to the purpose or purposes for which they are collected or processed.
- Data accuracy: Personal data shall be accurate and, where necessary, kept up to date.
- Storage limitation: Personal data processed for any purpose shall not be kept for longer than is necessary for that purpose.
- Respect for the individual’s rights: Personal data shall be processed in accordance with the rights of data subjects under the DPA, including subject access.
- Security – confidentiality, integrity, and availability: Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
- International transfers: Personal data shall not be transferred to a country or territory unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
How to Contact Us
The Registrar has appointed a Data Protection Leader. If you have any questions about this Privacy Notice, or if you wish to make a complaint, please contact:
Name: Ian Tibbetts, Director of eGovernment and Registrar of the Register and the Card
Telephone Number: +1 (345) 244-3614
Email Address: privacy@egov.ky
Address: 89 Nexus Way, Suite 8210 | Grand Cayman KY1-9000 | Cayman Islands
The Registrar aims to resolve enquiries and complaints in a respectful and timely manner.
Changes to this Privacy Notice
The Registrar reserves the right to update this Privacy Notice at any time and will publish a new Privacy Notice when we make any substantial updates. From time to time, the Registrar may also notify you about the processing of your personal data in other ways, including by email or through our publications.
To keep you informed of changes, we maintain a version history of this Privacy Notice. The table below outlines the history of revisions and reviews, providing details about the version number, type of action (reviewed or updated), date, and any relevant remarks.
This Privacy Notice was reviewed on 13th October 2023 and updated on 13th October 2023.