Privacy Notices

The OCP collects personal data, including sensitive personal data, directly from you and may also collect your personal data indirectly from third party sources. Personal data collected by the OCP is limited to what is necessary for our processing activities. In this Privacy Notice, personal data includes any data relating to an identified or identifiable living individual and includes: personal details such as name and address, sound and visual images, financial details, intelligence material, digital data, feedback complaint incident data and accident details.

The OCP collects the following information directly from you:

• Personal data for the purposes of prevention, investigation, detection or prosecution of criminal offences.
• Personal data you provide through the OCP’s website, such as:
  • Personal data provided within comments and questions, including your name and/or email address if you provide these details in our web form. If you ask questions about our public services and programmes or provide information about your relationship with us, this may also reveal other personal data which you include in the free text field.
  • Your email address and subscription preferences if you sign up for our newsletters or notifications, and how you utilise our emails, including whether you open them and which links you click; and
  • Your Internet Protocol (“IP”) address, details of which device or version of web browser you used to access our website content, and other information about how you used our website (see our Cookie Notice for more information);
• Personal data you provide when you visit the OCP offices and other locations, contact us by email or telephone, or access our programmes and services;
• Personal data that you provide when you inquire about or apply for a job with the OCP;
• Personal data collected via CCTV at the OCP premises, including images via cameras located at police stations and offices throughout the estate and
• Any information you choose to provide when interacting with the OCP on social media platforms, including Instagram (rcips_cayman), Facebook (@RCIPS) and Twitter (@Policing_Cayman).

The OCP collects the following personal data from other sources:

• This may include from other police forces and intelligence agencies where there is a legal basis to do so for the prevention and detection of crime.

The purpose of the Civil Service is to make the lives of those we serve better. We are dedicated to supporting the elected government by delivering caring, modern and customer-centred public services and programmes, which deliver value for money. The OCP may use your personal data for the following purposes:

• Implementing policies, providing services and programmes, and managing your relationship with us;
• Responding to your inquiries;
• Verifying your identity;
• Measuring how users interact with the OCP’s website and continually improving our communications channels (including by aggregating personal data collected using cookies);
• Communicating and interacting with website visitors;
• Communications and public relations activities;
• Managing accounts payable and receivable, preventing fraud, and protecting public funds;
• Statistical and other reporting, both internally and externally;
• Seeking legal advice, and exercising or defending legal rights;
• Complying with our legal obligations, including all legislation that applies across the public sector; and
• Communicating and interacting with job applicants and related third parties (e.g. references) and carrying out recruitment and selection processes;

The OCP may share your personal data as required, including under applicable legislation, with recipients that include joint data controllers, our data processors, and third parties. We will only share your personal data as permitted by the Cayman Islands DPA.

Your personal data may be shared with the following recipients that support our public functions and operations:

• With other public authorities: Personal data may be shared with other public authorities – here, “public authorities” means Ministries, Portfolios, Offices, Departments, Statutory Authorities, Statutory Bodies and Government Companies – for the purposes set out in this Privacy Notice.
• With data processors external to the CIG: Personal data may be shared with persons providing services to the OCP as a data processor in compliance with the Cayman Islands DPA. These service providers are only able to use personal data under our instructions and may include:
  • Webhosting;
  • Information Technology;
  • Records and Information Management, including storage facilities;
  • Communications;
  • Marketing and campaigns;
  • Events management; and
  • Security operations and fraud prevention.
• With legal advisors and other persons if required by law or in relation to legal proceedings or rights: Personal data may be disclosed as legally required, for the purpose of or in connection with proceedings under the law, if necessary to obtain legal advice, or if the disclosure is otherwise necessary to establish, exercise or defend legal rights. This may include disclosing your personal data for the following purposes:
  • Seeking legal advice;
  • Exercising or defending legal rights;
  • Complying with internal and external audits or investigations by competent authorities;
  • Complying with information security policies or requirements; and

Depending on applicable laws and other circumstances, the OCP will rely on specific legal bases, or “conditions of processing”, under the Cayman Islands DPA to process your personal data. These may include:

• A legal obligation to which the OCP is subject, which is primarily the Police Act (2021 Revision) and Cayman Islands Coastguard Act (2021), and to comply with various obligations under the Procurement Act, 2016 and Procurement Regulations (2022 Revision), the Public Management and Finance Act (2020 Revision) and Financial Regulations (2022 Revision), the Public Service Management Act (2018 Revision) and Personnel Regulations (2022 Revision), and the National Archive and Public Records Act (2015 Revision);
• To exercise public functions, including the functions of the OCP to prevent and detect crime;
• To protect your vital interests, e.g. when responding to a serious incident;
• Consent, e.g. to send you marketing communications or to administer surveys and polls; and
• For the purposes of legitimate interestss pursued by the OCP or by a third party or parties to whom the personal data may be disclosed, e.g. when disclosing records containing third party personal data in response to a request submitted under the Freedom of Information Act (2021 Revision).

Where we process your sensitive personal data, we will also meet a second legal basis. These may include:

• To exercise our public functions;
• In relation to legal proceedings, including obtaining legal advice and otherwise establishing, exercising or defending legal rights; and
• Vital interests when responding to a serious incident.

The OCP collects personal data relating to children under the age of 18 to enable us to deliver public services and programmes and carry out our functions. We may collect children’s personal data for any of the purposes set out in section three of this Privacy Notice.

The OCP has put in place appropriate technical, physical and organisational measures in order to keep your personal data secure. These safeguards to maintain the confidentiality, integrity and availability of your personal data may include security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed.

The OCP will not transfer personal data to countries or territories that do not ensure an adequate level of protection for personal data. We may transfer your personal data outside of the Cayman Islands with the relevant standards based on I.T services and other contractual arrangements.

We will only transfer your personal data to a country or territory that ensures an adequate level of protection for your rights and freedoms in relation to the processing of your personal data, unless there is a relevant exemption or exception under the Cayman Islands DPA. Exceptions may include your consent or appropriate safeguards and; in circumstances where international co-operation arrangements between intelligence agencies are required to combat crime, terrorism or drug trafficking the eighth principle concerning international transfers does not apply.

The OCP may store your personal data for as long as we need it in order to fulfil the purpose(s) for which we collected your personal data, and in line with any applicable laws. This includes the National Archive and Public Records Act (2015 Revision), which governs the creation, maintenance and disposal of all public records. Sometimes, we may anonymise your personal data so that it is no longer associated with you.

Cookies, in combination with pixels, local storage objects, and similar devices (collectively, "Cookies" unless otherwise noted), are used to distinguish between visitors to a website.

When you visit our website, small files known as Cookies may be stored on your computer, phone, tablet or any other device through your web browser. Information is stored in these text files.

Enabling Cookies may allow for a more tailored browsing experience and is required for certain website functionality. In the majority of cases, a Cookie does not provide us with any of your personal data.

Please see the website’s Cookie Notice for more information about the use of Cookies.

The OCP will respect and honour your rights in relation to your personal data and implement measures that allow you to exercise your rights under the DPA and other applicable legislation.

In accordance with the DPA, your rights in relation to your own personal data include:

• The right to be informed and the right of access: The right to request access to all personal data the OCP maintains about you as well as supplementary information about why and how we are processing your personal data. This is commonly known as a Subject Access Request and certain supplementary information about our processing is contained within this Privacy Notice.
• Rights in relation to inaccurate data: The right to request the rectification, blocking, erasure or destruction of any inaccurate personal data the OCP maintains on you. We will ensure, through all reasonable measures, that your personal data is accurate, complete and, where necessary,up to date,especially if it is to be used in a decision-making process.
• The right to stop or restrict Processing: The right to restrict or stop how the OCP uses your personal data in certain circumstances.
• The right to stop direct marketing: The right to cease the use of your personal data by the OCP for direct marketing purposes.1 The OCP does not currently carry out any direct marketing activities. However, we will update this Privacy Notice and we will also notify you as required if this position changes.
• Rights in relation to automated decision making: The right to obtain information about and object to the use of automated decision making by the OCP using your personal data. The OCP does not currently useautomated means to make decisions about you. However, we will update this Privacy Notice and we will also notify you in writing as required if this position changes.
• The right to complain: The right to complain to the Ombudsman about any perceived violation of the DPA by the OCP.
• The right to seek compensation: The right to seek compensation in the Court if you suffer damage due to a contravention of the DPA by the OCP.

You may contact the OCP, using the contact details listed below, to access and review your personal data or to exercise any other rights provided to you under the DPA. The OCP will take into consideration circumstances where, under the DPA or other applicable legislation, your rights may be limited or subject to conditions, exemptions or exceptions.

Upon contacting the OCP, we may need to verify your identity prior to fulfilling a request and may request additional information as required. In accordance with the DPA, the OCP may also charge a reasonable fee in relation to your request if it is unfounded or excessive in nature, or the OCP may reserve the right not to comply with the request at all.

To learn more about your rights, visit www.ombudsman.ky.

When processing your personal data, the OCP will comply with the eight Data Protection Principles defined within the Cayman Islands DPA:

• Fair and lawful processing: Personal data shall be processed fairly. In addition, personal data may be processed only if certain conditions are met, for example the data controller is subject to a legal obligation that requires the processing or the processing is necessary for exercise of public functions.
• Purpose limitation: Personal data shall be obtained only for one or more specified, explicit and legitimate purposes, and not processed further in any manner incompatible with that purpose or those purposes.
• Data minimisation: Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are collected or processed.
• Data accuracy: Personal data shall be accurate and, where necessary, kept up-to-date.
• Storage limitation: Personal data processed for any purpose shall not be kept for longer than is necessary for that purpose.
• Respect for the individual’s rights: Personal data shall be processed in accordance with the rights of data subjects under the DPA, including subject access.
• Security – confidentiality, integrity and availability: Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
• International transfers: Personal data shall not be transferred to a country or territory unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

The OCP has appointed a Data Protection Leader. If you have any questions about this Privacy Notice or how your personal data is handled, or if you wish to make a complaint, please contact:

Name: Darren Rigg, Data Protection/Freedom of Information Manager

Telephone number: (345) 649 2938

Email Address: darren.rigg@rcips.ky

Address: RCIPS Headquarters

4 th Floor, RBC Building

24 Shedden Road, George Town

PO Box 909, Grand Cayman, KY1-1103

The OCP aims to resolve inquiries and complaints in a respectful and timely manner.

The OCP reserves the right to update this Privacy Notice at any time and will publish a new Privacy Notice when we make any substantial updates. From time to time, the OCP may also notify you about the processing of your personal data in other ways, including by email or through our publications.

This Privacy Notice was last updated on 20th January 2023.

The OCP collected personal data about you through the application and recruitment process, either directly from you or from third parties such as a referee.

The OCP will also collect and record additional personal data about you in the course of your work-related activities as you deliver on Government priorities – for example, from your manager, through feedback provided by your colleagues across the CIG, and the people we serve. We may also collect your personal data in the course of our administrative functions, for example staff administration, procurement, property management, advertising and media.

In some cases, your personal data will be collected indirectly through various monitoring systems and devices. If these types of personal data are collected for security purposes, they are not generally accessed on a routine basis.

Personal data recorded or collected by the OCP is limited to what is necessary for our processing activities. In this Employee Privacy Notice, “personal data” means any data relating to you as a living individual where you are identified or identifiable. “Personal data” includes “sensitive personal data” as defined in the DPA.

The OCP may record or collect the following information about you as an employee:

• name, date of birth, photograph(s), address and contact details;
• personal data contained within your government-issued identification document(s);
• citizenship/nationality and immigration status in the Cayman Islands;
• details of your emergency contact(s) and dependent(s) and their relationship to you;
• job/role description, working conditions, salary/wages and benefits;
• time and attendance records, which may include information relating to physical and mental health conditions, injury or disability, your family relationships and other relevant information, if required;
• details of any official travel you may undertake during your employment;
• work objectives and job performance, including complaints and disciplinary action;
• training, qualifications, and learning and development activities;
• any personal data that would be relevant to a workplace investigation, including investigations arising from complaints, grievances, and alleged or potential breaches of the Public Servant’s Code of Conduct;
• criminal convictions and information about your commission, or alleged commission, of a criminal offence and any proceedings related to that office, if appropriate due to the nature of your job;
• Personal data collected via CCTV at the OCP premises, including images via camera located at office accommodation across the OCP estate; and
• any information you choose to provide when interacting with the OCP during your time as an employee, including on social media platforms and in surveys and other feedback mechanisms.

The purpose of the Civil Service is to make the lives of those we serve better. We are dedicated to supporting the elected government by delivering caring, modern and customer-centred public services and programmes, which deliver value for money.

The OCP operates a personnel policy that complies with the principle of being a good employer. We aspire to be an employer who cares and to adhere to the highest ethical, moral and professional standards at all times. As your employer, the OCP may use your personal data for the following purposes:

• To perform our obligations under the Employment Agreement entered into with you, and to perform key employment management activities (e.g. pay your salary, facilitate benefits management services, allocate and manage duties and responsibilities, business continuity planning and dealing with incidents). Your personal data will or may be processed as a condition for your continued employment with the OCP and may include medical exams, drug tests or fitness tests during the employment period;
• To ascertain your fitness for work and to manage absences, including absence related to sickness;
• To gather evidence and take other steps relating to any complaints, grievances, disciplinary matters and other investigations as well as any associated hearings or other types of resolution processes;
• To comply with our legal obligations, including to make and maintain full and accurate public records, and uphold the Public Service Values which govern the management and operation of the Civil Service;
• Succession planning and effective management of current and future vacancies and workforce needs;
• To manage risk, prevent fraud and corruption, and protect public funds and the integrity of the Civil Service, including facilitating or cooperating with internal and external reviews, audits and investigations;
• To implement information security controls and investigate security events and incidents;
• To seek legal advice and exercise or defend legal rights;
• To respond to your inquiries and requests;
• Reporting and statistical purposes, including analysing data and using it to make informed decisions;
• Consultation and employee engagement, including administering surveys or seeking your feedback in other ways, communicating with you, and planning and hosting employee social activities and events;
• External communications and public relations, including celebrating our successes on social media and other channels, which may reference employees and/or include your photograph and other information; and
• If it is necessary to disclose your personal data to a third party for legitimate interests pursued by the OCP or by the third party to whom your personal data would be disclosed, including under the Freedom of Information Act (2021 Revision). If we receive a Freedom of Information (FOI) request for records that include your personal data, we will always consult with you in writing if we are considering disclosing any personal data other than your name, official contact details, and the general terms upon and subject to which you occupy your post in the public service – which do not constitute “personal information” as defined under the Freedom of Information (General) Regulations (2021 Revision).

The OCP may share your personal data as required, including under applicable legislation, with recipients that include our Data Processors and third parties. We will only share your personal data as permitted by the DPA and in accordance with the CIG Privacy Policy.

Your personal data may be shared with the following types of recipients:

• With other public authorities:Personal data may be shared with other public authorities – here, “public authorities” means Ministries, Portfolios, Offices, Departments, Statutory Authorities, Statutory Bodies and Government Companies – as required or permitted by law and for one or more of the purposes set out in this Employee Privacy Notice. This includes but is not limited to the Portfolio of the Civil Service, Treasury Department, Computer Services Department, eGovernment Unit, Cybersecurity Unit, Office of the Auditor General, Internal Audit Service, Office of the Ombudsman, Portfolio of Legal Affairs, Public Service Pensions Board, Civil Service College and Cayman Islands National Insurance Company (CINICO). This data sharing within the Civil Service includes disclosing your personal data to a separate Civil Service Entity if you begin working in a new or different role, whether on a temporary basis (i.e. through a secondment or redeployment) or on a permanent basis (i.e. through a transfer or after applying for and obtaining a new role) to facilitate your work in that role and to facilitate standard HR functions.
• With Data Processors external to the CIG:Personal data may be shared with persons providing services to the OCP as a Data Processor in compliance with the DPA. These service providers are only able to use personal data under our instructions and may be related to:
  • Webhosting;
  • Information Technology;
  • Records and Information Management, including storage facilities;
  • Communications;
  • Marketing and campaigns;
  • Events management; and
  • Security operations and fraud prevention.
• With legal advisors and other persons if required by law or in relation to legal proceedings or rights:Personal data may be disclosed as legally required, for the purpose of or in connection with proceedings under the law, if necessary to obtain legal advice, or if the disclosure is otherwise necessary to establish, xercise or defend legal rights. This may include disclosing your personal data for the following purposes:
  • Seeking legal advice;
  • Exercising or defending legal rights;
  • Complying with internal and external audits or investigations by competent authorities;
  • Complying with information security policies or requirements; and
• With other third parties:Personal data may be disclosed as required or permitted by law for the purposes set out in this Employee Privacy Notice. Your name, photo and official contact details will be available to all other civil servants through the my-VISTA Employee Directory, the Hub (the CIG intranet), and (if you have a CIG email address and network account) Microsoft Outlook and other Microsoft applications. Depending on your position with the OCP and participation in certain activities, your name, photo, contact details or other personal data – including information about your public life and official business as well as your educational background, professional qualifications and experience – may also be published on our website, in annual reports and other publications, and on our social media channels.

The OCP will rely on specific legal bases, or “conditions of processing”, under the DPA to process your personal data. These legal bases may include:

• A legal obligationto which the OCP is subject, e.g. to comply with various obligations under the Public Service Management Act (2018 Revision) and Personnel Regulations (2022 Revision), the Public Management and Finance Act (2020 Revision) and Financial Regulations (2022 Revision), the National Archive and Public Records Act (2015 Revision), the Freedom of Information Act (2021 Revision), the Complaints (Maladministration) Act (2018 Revision), the Police (Complaints by the Public) Law (2017), Standards in Public Life Act (2021 Revision)(Section 11), Cayman Islands Coast Guard Act (2021), and the Police Act (2021 Revision).
• To exercise our public functions,including under an enactment;
• To perform a contractwith you, i.e. your Employment Agreement;
• To protect your vital interests;
• Consent, e.g. to administer certain surveys and polls or to participate in certain social activities; and
• For the purposes of legitimate interests pursued by the OCP or by a third party or parties to whom the personal data may be disclosed, e.g. when disclosing records containing third party personal data in response to a request submitted under the Freedom of Information Act (2021 Revision).

Where we process your sensitive personal data, as defined in the DPA, we will also meet a second legal basis. These legal bases may include:

• If it is necessary to exercise or perform a right, or obligation, conferred or imposed on the OCP by law – including but not limited to under the Public Service Management Act (2018 Revision) and Personnel Regulations (2022 Revision) – in connection with your employment;
• To exercise our public functions,including under an enactment;
• In relation to legal proceedings, including obtaining legal advice and otherwise establishing, exercising or defending legal rights; and

The OCP has put in place appropriate technical, physical and organisational measures in order to keep your personal data secure to maintain confidentiality, integrity and availability of your personal data.

The OCP will not transfer your personal data to another country or territory unless it will be adequately protected. We may transfer your personal data outside of the Cayman Islands with the relevant safeguards based on IT services and other contractual arrangements.

We will only transfer your personal data to a country or territory that ensures an adequate level of protection for your rights and freedoms in relation to the processing of your personal data, unless there is a relevant exemption or exception under the DPA. Exceptions may include where you have provided your consent to the transfer or where the transfer is carried out on terms approved by the Ombudsman as ensuring appropriate safeguards.

The OCP may store your personal data for as long as we need it in order to fulfil the purpose(s) for which we collected your personal data, and in line with any applicable laws. This includes the National Archive and Public Records Act (2015 Revision), which governs the creation, maintenance and disposal of all public records.

Records containing your personal data will be disposed of in accordance with the Cayman Islands National Archive (CINA) Administrative Disposal Schedule #3 for Human Resource Management, which is available to download at cina.gov.ky/portal/pls/portal/docs/1/10422155.PDF, and other relevant administrative or Operational Disposal Schedules. Sometimes, we may anonymise your personal data so that it is no longer associated with you in public records that are retained longer, e.g. if we aggregate certain types of employee personal data to create statistics.

The OCP will respect and honour your rights in relation to your personal data and implement measures that allow you to exercise your rights under the DPA and other applicable legislation.

In accordance with the DPA, your rights in relation to your own personal data include:

• The right to be informed and the right of access:The right to request access to all personal data the OCP maintains about you as well as supplementary information about why and how we are processing your personal data, commonly known as a Subject Access Request. Certain supplementary information about our processing is contained within this Employee Privacy Notice. As a civil servant, you are also able to directly approach your manager or HR team to request any information on your
• Rights in relation to inaccurate data:The right to request the rectification, blocking, erasure or destruction of any inaccurate personal data the OCP maintains on you. We will ensure, through all reasonable measures, that your personal data is accurate,
• The right to stop or restrict processing:The right to stop or restrict how the OCP uses your personal data in certain circumstances. The OCP is not required to comply with a notice to stop or restrict processing if it is necessary for the performance of a contract to which you are a party, i.e. your Employment Agreement, or if it is necessary to comply with any legal obligation. However, you may object to the use of your personal data in other circumstances, e.g. for promotional purposes. Certain activities will also be optional, e.g. participating in surveys or in employee social activities and events.
• The right to stop direct marketing:The right to stop the OCP from using your personal data for direct marketing purposes.
• Rights in relation to automated decision making:The right to obtain information about and object to the use of automated decision making by the OCP using your personal data.
• The right to complain:The right to complain to the Ombudsman about any perceived violation of the DPA by the OCP.
• The right to seek compensation:The right to seek compensation in the courts if you suffer damage due to a contravention of the DPA by the OCP.

You may contact the OCP, using the contact details in section 10, to make a formal Subject Access Request to access and review your personal data or to exercise any other rights provided to you under the DPA. The OCP will take into consideration circumstances where, under the DPA or other applicable legislation, your rights may be limited or subject to conditions, exemptions or exceptions.

To access information that is contained within your personnel file, you may also contact your manager or our HR team via email RCIPSHR@rcips.ky or telephone 345-244-2900.

To learn more about your rights under the DPA, visit www.ombudsman.ky.

When processing your personal data, the OCP will comply with the eight Data Protection Principles defined within the DPA:

• Fair and lawful processing:Personal data shall be processed fairly. In addition, personal data may be processed only if certain conditions are met, for example the Data Controller is subject to a legal obligation that requires the processing or the processing is necessary for exercise of public functions.
• Purpose limitation:Personal data shall be obtained only for one or more specified, explicit and legitimate purposes, and not processed further in any manner incompatible with that purpose or those purposes.
• Data minimisation:Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are collected or processed.
• Data accuracy:Personal data shall be accurate and, where necessary, kept up-to-date.
• Storage limitation:Personal data processed for any purpose shall not be kept for longer than is necessary for that purpose.
• Respect for the individual’s rights:Personal data shall be processed in accordance with the rights of data subjects under the DPA, including subject access.
• Security – confidentiality, integrity and availability:Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
• International transfers:Personal data shall not be transferred to a country or territory unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

The OCP has appointed a Data Protection Leader, who has operational responsibilities for data protection under the CIG Privacy Policy. If you have any questions about this Employee Privacy Notice or how your personal data are handled, or if you wish to make a complaint, please contact:

Name: Darren Rigg, Data Protection/Freedom of Information Manager

Telephone number: 345 649 2938

Email Address: Darren.rigg@rcips.ky

															RCIPS Headquarters,
															4th Floor, RBC Building,
															24 Shedden Road, George Town
															P.O. Box 909, Grand Cayman, KY1-1103
														

The OCP aims to resolve inquiries and complaints in a respectful and timely manner.

If you would like to make a Subject Access Request, the Information Manager for the OCP, who has been appointed under the Freedom of Information Act (2021 Revision), handles these requests. Requests relating to your own personal data may be made in writing to Raymond Christian, Information Manager, email: foi.pol@gov.ky or Raymond.christian@rcips.ky, telephone: 345-649-2938. Depending on the scope of your request, to ensure you receive all records and information you are entitled to by law, your request may be processed under the DPA, under the Freedom of Information Act (2021 Revision), or under both enactments.

The OCP reserves the right to update this Employee Privacy Notice at any time and will publish a new Employee Privacy Notice when we make any updates.

From time to time, the OCP may also notify you about the processing of your personal data in other ways, including verbally and by email.

This Privacy Notice was last updated on 20th January 2023.