The Office of the Ombudsman completed an investigation into a personal data breach involving a former employee of a local telecommunications company. The ex-employee is alleged to have unlawfully shared customers’ personal information with a police officer, which the officer is then alleged to have used for personal purposes.
The personal data breach was reported on 20 November 2020 under section 16 of the Data Protection Act. A subsequent investigation by the Office of the Ombudsman and the Royal Cayman Islands Police Service (RCIPS) led to criminal charges before the court, including charges against the telecommunications company’s ex-employee and the police officer under section 54 of the Act.
As part of the investigation to determine if the data controller adhered to the seventh principle of the Act, the Ombudsman’s office reviewed various sources of information, including the telecommunications provider’s data protection policies and procedures, the ex-employee’s data protection training records, a confidentiality agreement between the ex-employee and the employer, details on the data controller’s system audit logs, and the ex-employee’s personal phone records. The office also obtained several witness statements from relevant parties. The investigation determined that the data controller had adequate organisational and technical measures in place to secure the data in spite of the personal data breach.
Given the nature of the breach, the Ombudsman’s office requested the assistance of the RCIPS to conduct a criminal investigation. Following the submission of a legal file to the Office of the Director of Public Prosecutions, a legal ruling recommended the telecommunications company’s former employee and the police officer be charged.
“It is important for all public and private sector employees to be aware that access to, and the processing of, an individual’s personal data must be done fairly and lawfully and only for the purposes for which that data was provided,” said Sharon Roulstone, Ombudsman. “As this case demonstrates, there are potentially serious consequences if personal data is not managed in accordance with the Data Protection Act.”