Ministry of Health, Environment & Sustainability Privacy Notice

Version Control Notice:

This document is a controlled document that supersedes all previous versions. Please discard any previous copies of this document dated prior to the version and publication date noted above this page.

Anyone who obtains an electronic or printed version of this document is responsible for ensuring that they have the latest version. The latest version of this document is available on https://www.gov.ky/health-wellness and can also be obtained by email on request to healthandwellness@gov.ky

The Cayman Islands Government Ministry of Health, Environment & Sustainability (MHES),  respects your privacy and takes care in protecting your personal data. As a “Data Controller”, we comply with the Cayman Islands Data Protection Act (2021 Revision) (the “DPA”). This privacy notice (“Privacy Notice”) demonstrates our commitment to ensuring your personal data will be handled responsibly and applies to the Ministry of Health, Environment & Sustainability. 

This Privacy Notice does not apply to the MHES when we are processing personal data relating to our employees, who are covered under our Employee Privacy Notice.  This Privacy Notice also does not apply to the operations of the Department of Health Regulatory Services (DHRS), the Mosquito Research and Control Unit (MRCU), Poinciana Rehabilitation Centre (PRC), Department of Environment (DoE), Department of Environmental Health (DEH), Counselling Centre (DCS), Health Services Authority (HSA), or the National Drug Council (NDC). While these departments and statutory bodies are supported by, and/or are part of the MHES’s broader portfolio of responsibilities, each is a separate Data Controller when carrying out its functions and maintains its own Privacy Notice.

The MHES may collect your personal data, directly from you or indirectly from third party sources. Personal data collected by the MHES will be limited to what is necessary for our processing activities. In this Privacy Notice, “personal data” means any data relating to an identified or identifiable living individual.  The term “personal data” also includes a category of personal data known as “sensitive personal data”, which is defined in the DPA and includes data relating to your physical or mental health or condition, medical data and criminal offence data.  

The MHES may collect the following information directly from you or other sources:

a.     a. Name, data of birth, photograph(s), address(es) and contact details;

b.     b. Personal data contained within government-issued identification document(s);

c.     c. Citizenship/nationality and immigration status in the Cayman Islands;

d.     d. Location data;

e.     e. Information about educational and employment status and history;

f.      f. Financial information;

g.     g. Medical data and information about physical or mental health or conditions;

h.     h. Criminal convictions and information about the commission, or alleged commission, of criminal offences and any proceedings related to offences;

i.       i. Opinions about you;

j.       j. Personal data you provide through our website, https://www.gov.ky/health-wellness/ such as:

                    i) personal data provided within comments and questions, including your name and/or email address if you provide these details in our web form. If you  ask questions about our public services and programmes or provide information about your relationship with us, this may also reveal other personal data, e.g. your location, employment status, immigration status in the Cayman Islands, health, family relationships or property ownership;

                   ii) your email address and subscription preferences if you sign up for our newsletters or notifications, and how you utilise our emails, including whether you open them and which links you click;

k.     k. Personal data you provide when you visit the MHES’s offices and other locations, or when you contact us by email, by telephone or through our social media

          channels;

l.    l. Personal data you provide when interacting with the MHES on our social media platforms, including LinkedIn (MHES-LinkedIn), Facebook (MHES-Facebook), Instagram (@hes.cayman) and YouTube(@mhescayman) pages; the National Energy Policy- Facebook (facebook.com/CaymanEnergy), Instagram (http://www.instagram.com/energycayman/) and LinkedIn; and the National Tree Planting-Facebook (https://www.facebook.com/caymantreeplanting) and Instagram (https://www.instagram.com/caymantreeplanting/) pages.

m.  m. Personal data you provide or that we obtain from third party sources when you access our programmes and services, including our online services;

n.   n.  Personal data collected via CCTV at our premises and other locations where we operate, including images via cameras located at Government Administration Building, 133 Elgin Avenue, George Town.

o.   o. Personal data that you provide when you enquire about or apply for a job with the MHES. If you apply for a job via the CIG e-recruitment platform, an additional privacy notice is available at: https://careers.gov.ky/application/custom/English/privacy-statement.html; and

p.    p. Any other personal data where the collection is necessary to achieve our lawful purpose(s).

The purpose of the Civil Service is to make the lives of those we serve better. We are dedicated to supporting the elected government by delivering caring, modern and customer-centred public services and programmes, which deliver value for money.

MHES is committed to advancing the health and wellbeing of the people of the Cayman Islands through strategic policy development, impactful programmes, and proactive services that foster lasting change. Our mission is to build a healthier, more resilient community by enhancing access to quality healthcare, promoting wellness initiatives, and advocating for policies that protect, empower, and uplift individuals.

The MHES may use your personal data for the following purposes:

a.     Implementing policies, providing services and programmes, and managing your relationship with us;

b.     Managing appointments to and membership of the Medical and Dental Council (MDC), Pharmacy Council(PC), Council for Professionals Allied with Medicine(CPAM),Nursing & Midwifery Council (NMC), Human Tissue Transplant Council(HTTC), National Drug Council (NDC), Mental Health Commission(MHC), Health Insurance Commission (HIC), Health Practice Commission (HPC), Health Appeals Tribunal (HAT) and Health Services Authority(HSA) Board;

c.     Responding to your inquiries;

d.     Verifying your identity;

e.     Measuring how users interact with MHES’s website and continually improving our communications channels (including by aggregating personal data collected using cookies);

f.      Communicating and interacting with website visitors;

g.     Communications and public relations activities;

h.     Managing accounts payable and receivable, preventing fraud, and protecting public funds;

i.       Statistical and other reporting, both internally and externally;

j.       Seeking legal advice, and exercising or defending legal rights;

k.     Complying with our legal obligations, including all legislation that applies across the public sector, e.g. legislation that provides for records and information management, procurement, human resource management, financial management, audit, and similar functions and activities;

l.       Communicating and interacting with job applicants and related third parties (e.g. references) and carrying out recruitment and selection processes;

m.    Ensuring other agencies are able to carry out their public functions if it is necessary for us to disclose your personal data directly to them, including to verify information you have provided;

n.     Reporting a suspected crime or other breach of the law, or assisting a law enforcement agency or other competent authority in the course of an investigation, whether in the Cayman Islands or in another jurisdiction;

o.     Disclosing records held by the MHES if we are required to do so under the Freedom of Information Act (2021 Revision). If we receive a Freedom of Information (“FOI”) request for records that include your personal data, we will always consult with you in writing if we are considering disclosing any of your personal data and you will also have the right to appeal our final decision to the Ombudsman if you have not provided your consent for the disclosure;

The MHES may share your personal data as required, including under applicable legislation, with recipients that include our Data Processors and third parties. We will only share your personal data as permitted by the DPA and in accordance with other applicable laws and policies.

Your personal data may be shared with the following types of recipients:

a.     Other public authorities: Personal data may be shared with other CIG ministries, portfolios, offices, departments, statutory authorities, statutory bodies and government companies as required or permitted by law and for one or more of the purposes set out in this Privacy Notice. These other public authorities include but are not limited to the Office of the Auditor General and Internal Audit Service in the course of an audit; Office of the Ombudsman in the course of an investigation; Royal Cayman Islands Police Service and other law enforcement agencies if a suspected crime is reported; Portfolio of Legal Affairs to obtain legal advice or representation; Treasury Department to manage payments to suppliers; Cabinet or the National Security Council in formal submissions to these statutory bodies; the Computer Services Department and Department of E-Government for information technology services

b.     Data Processors external to the CIG: Personal data may be shared with our service providers. When acting as Data Processors, service providers are only able to use personal data under our instructions. We engage Data Processors for a variety of activities, which may include:

                             i.         Webhosting;

                            ii.         Information Technology;

                           iii.         Records and Information Management, including storage facilities;

                           iv.         Communications, marketing and campaigns, and events management; and

                            v.         Security operations and fraud prevention.

In limited circumstances, service providers who act as data processors for the MHES may also act as a separate data controller in relation to their own purposes for processing your personal data, e.g. to provide customer support, or for analytics or machine learning in order to improve their services. These are unrelated to the purposes for which the MHES processes your personal data and should be clearly and directly disclosed to you by the service provider through their own separate privacy notice. However, you may contact us to ask about our current service providers and specific instances, if any, that we are aware of where your personal data may be processed for a service provider’s own purposes.

c.   Legal advisors and other persons if required by law or in relation to legal proceedings or rights: Personal data may be disclosed as legally required, for the purpose of or in connection with proceedings under the law, if necessary to obtain legal advice, or if the disclosure is otherwise necessary to establish, exercise or defend legal rights. This may include disclosing your personal data for the following purposes:

                             i.         Seeking legal advice;

                            ii.         Exercising or defending legal rights;

                           iii.         Complying with audits or investigations by competent authorities; and

                           iv.         Complying with information security policies or requirements.

d.     Other third parties: Personal data may be disclosed to other third-party recipients for the purposes set out in this Privacy Notice and in accordance with the DPA.

Depending on applicable laws and other circumstances, The MHES will rely on specific legal bases, or “conditions of processing”, under the DPA to process your personal data. These may include:

a.   a.  A legal obligation to which the MHES is subject, or to comply with various obligations under, for example under the Data Protection Act (2021 Revision) and Data Protection Regulations 2018, Endangered Species (Trade and Transport) Act (2017 Revision), Endangered Species Protection and Propagation Act (1999 Revision), National Archive and Public Records Act (2015 Revision) and National Archive and Public Records Regulations 2007, National Conservation Act 2013, The Procurement Act (2023 Revision) and Procurement Regulations (2022 Revision), The Public Management and Finance Act (2020 Revision) and Financial Regulations (2024 Revision), The Public Service Management Act (2018 Revision) and Personnel Regulations (2025 Revision), Public Authority Act (2020),  Standards in Public Life Act (2021);

b.   b.  To exercise public functions, including the functions of The Ministry of Health, Environment & Sustainability to empower people in the Cayman Islands to achieve optimal well-being through strategic policies, innovative programmes and proactive services, governed by the highest principles of justice, personal and public integrity, and excellence of standards and functions under various enactments such as the Public Health Act (2021 Revision). This includes cultivating a lasting legacy of sustainability in the Cayman Islands by achieving environmental, social, and economic balance, with a view to maximising benefits across all three areas of this triple bottom line to make the lives of current and future generations better;  to facilitate Coastal Works licences and Convention on International Trade in Endangered Species of Wild Fauna and Flora (CITES) Permits; to implement the National Energy Policy (202024-2045) and the Climate Change Policy (2024-2050); etc.

c.   c.  To perform services e.g. to provide health, environmental or sustainability services or enter into a contract with you e.g. if you are the successful candidate following a recruitment process for a vacancy within our Civil Service Entity;

d.   d.  To protect your vital interests;

e.   e.  Your Consent, e.g. to administer surveys and polls; and

f.    f.  For the purposes of legitimate interests pursued by the MHES or by a third party or parties to whom the personal data may be disclosed, e.g. when responding to FOI requests or to enquiries from law enforcement agencies and other competent authorities.

Where we process your sensitive personal data, we will also meet a second legal basis. These legal bases may include:

a.   a.  To exercise our public functions e.g. to assess the health status of the population and to develop national health policies

b.   b.  If it is necessary to exercise or perform a right, or obligation, conferred or imposed on the MHES by the Public Service Management Act (2018 Revision), Personnel Regulations (2025 Revision) or any other law in connection with your potential employment, e.g. requiring a medical certificate indicating your physical and mental condition is satisfactory prior to your appointment

c.   c.  To protect your vital interests or those of another individual;

d.   d.  In relation to legal proceedings, including obtaining legal advice and otherwise establishing, exercising or defending legal rights; and

e.   e.  If you have taken steps to make the personal data public, e.g. when conducting background checks;

f.    f.  Your consent;

The MHES collects personal data relating to children under the age of 18 to enable us to deliver public services and programmes and carry out our functions. We may collect children’s personal data for any of the purposes set out in section 3 of this Privacy Notice.

The MHES has implemented appropriate technical, physical and organisational measures in order to keep your personal data secure. These safeguards to maintain the confidentiality, integrity and availability of your personal data may include role-based controls, separation of duties, user access management, strong passwords policy, audit logs and other technical controls e.g. penetration tests to ensure the robustness of our systems.

The MHES will not transfer personal data to countries or territories that do not ensure an adequate level of protection for personal data. We will only transfer your personal data to a country or territory that ensures an adequate level of protection for your rights and freedoms in relation to the processing of your personal data, unless there is a relevant exemption or exception under the DPA. Exceptions may include your consent or appropriate safeguards.

The MHES may store your personal data for as long as we need it in order to fulfil the purpose(s) for which we collected your personal data, and in line with any applicable laws. This includes the National Archive and Public Records Act (2015 Revision), which governs the creation, maintenance and disposal of all public records. Sometimes, we may anonymise your personal data so that it is no longer associated with you.

The MHES will respect and honour your rights in relation to your personal data and implement measures that allow you to exercise your rights under the DPA and other applicable legislation.

In accordance with the DPA, your rights in relation to your own personal data include:

a.     a. The right to be informed and the right of access: The right to request access to all personal data the MHES maintains about you as well as supplementary information about why and how we are processing your personal data. This is commonly known as a Data Subject Access Request (“DSAR”) and certain supplementary information about our processing is contained within this Privacy Notice.

b.     b. Rights in relation to inaccurate data: The right to request the rectification, blocking, erasure or destruction of any inaccurate personal data the MHES maintains on you. We will ensure, through all reasonable measures, that your personal data is accurate, complete and, where necessary, up‑to‑date, especially if it is to be used in a decision-making process.

c.     c. The right to stop or restrict processing: The right to restrict or stop how the MHES uses your personal data in certain circumstances.

d.    d.  The right to stop direct marketing: The right to stop the MHES from using your personal data for direct marketing purposes. The MHES does not currently carry out any direct marketing activities. However, we will update this Privacy Notice and we will also notify you in writing as required if this position changes.

e.     e. Rights in relation to automated decision making: The right to obtain information about and object to the use of automated decision making by the MHES using your personal data. The MHES does not currently use automated means to make decisions about you. However, if this position changes, we will update this Privacy Notice and we will also notify you in writing as required.

f.      f. The right to complain: The right to complain to the Ombudsman about any perceived violation of the DPA by the MHES.

g.     g. The right to seek compensation: The right to seek compensation through the Courts if you suffer damage due to a contravention of the DPA by the MHES.

You may contact the MHES, using the contact details listed below, to make a DSAR to access and review your personal data or to exercise any other rights provided to you under the DPA. The MHES will take into consideration circumstances where, under the DPA or other applicable legislation, your rights may be limited or subject to conditions, exemptions or exceptions.

Upon contacting the MHES, we may need to verify your identity prior to fulfilling a DSAR and may request additional information as required. In accordance with the DPA, the MHES may also charge a reasonable fee in relation to your DSAR if it is unfounded or excessive in nature, or the MHES may reserve the right not to comply with the request at all.

To learn more about your rights, visit www.ombudsman.ky

When processing your personal data, the MHES will comply with the eight Data Protection Principles defined within the DPA:

a.     Fair and lawful processing: Personal data shall be processed fairly. In addition, personal data may be processed only if certain conditions are met, for example the MHES is subject to a legal obligation that requires the processing or the processing is necessary for exercise of public functions.

b.     Purpose limitation: Personal data shall be obtained only for one or more specified, explicit and legitimate purposes, and not processed further in any manner incompatible with that purpose or those purposes.

c.     Data minimisation: Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are collected or processed.

d.     Data accuracy: Personal data shall be accurate and, where necessary, kept up-to-date.

e.     Storage limitation: Personal data processed for any purpose shall not be kept for longer than is necessary for that purpose.

f.      Respect for the individual’s rights: Personal data shall be processed in accordance with the rights of data subjects under the DPA, including subject access.

g.     Security – confidentiality, integrity and availability: Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

h.     International transfers: Personal data shall not be transferred to a country or territory unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

The MHES has appointed a Data Protection Leader, who has operational responsibilities for data protection. If you have any questions about this Privacy Notice or how your personal data are handled, or if you wish to make a complaint, please contact:

Maria Brown-Lewis, Data Protection Leader

Telephone number: (345) 244-3162

Email Address: foi.mhs@gov.ky

Address:           5^th Floor, Ministry of Health, Environment & Sustainability,

133 Elgin Avenue, George Town

The MHES aims to resolve inquiries and complaints in a respectful and timely manner.

If you would like to submit a Data Subject Access Request (DSAR), the Information Manager for the MHES, who has been appointed under the Freedom of Information Act (2021 Revision) (the “FOI Act”), handles these requests. Requests relating to your own personal data may be made in writing to Carolina Ferreira at foi.mhs@gov.ky. Depending on the scope of your request, to ensure you receive all records and information you are entitled to by law, your request may be processed under the DPA, under the FOI Act, or under both enactments.

The MHES reserves the right to update this Privacy Notice at any time and will publish a new Privacy Notice when we make any substantial updates.

From time to time, the MHES may also notify you about the processing of your personal data in other ways, including by email or through our publications.