| Responsibility | Data Protection Leader (“DPL”) | Revision Description | Author | Eldon Chisholm | |||
| Version | 1.0 |
First version of the External Privacy Notice approved by Chief Officer Stran Bodden and issued for publication. |
Date | 22 May 2025 | |||
Version Control Notice:
This document is a controlled document that supersedes all previous versions. Please discard any previous copies of this document dated prior to the version and publication date noted above this page.
Anyone who obtains an electronic or printed version of this document is responsible for ensuring that they have the latest version. The latest version of this document is available as listed above and can also be obtained by email on request to the Data Protection Leader as listed in section 11.
The Cayman Islands Government (“CIG”) Ministry of Tourism & Trade Development (“TTD”) respects your privacy and takes care in protecting your personal data. As a data controller, we comply with the Cayman Islands Data Protection Act (2021 Revision) (“DPA”).
This privacy notice (“Privacy Notice”) demonstrates our commitment to ensuring your personal data is handled responsibly and applies to the TTD, including where the TTD as a Civil Service Entity is the data controller for financial management and recruitment activities relating to both the core Ministry and to the Department of Tourism. This Privacy Notice does not otherwise apply to the personal data processing activities of the Department of Tourism, i.e. where they carry out their departmental functions. This Privacy Notice also does not apply to the processing of personal data relating to our employees, who are covered under our Employee Privacy Notice.
The TTD collects personal data, including sensitive personal data, directly from you and may also collect your personal data indirectly from third party sources. Personal data collected by the TTD is limited to what is necessary for our processing activities. In this Privacy Notice, personal data includes any data relating to an identified or identifiable living individual.
The TTD may collect the following information directly from you or from other sources:
a. Personal data you provide through the TTD website – if it is necessary for your personal data to be provided to us by the CIG Department of Communications, which manages all GOV.KY websites – including personal data provided within comments and questions. You may review the privacy notice for all GOV.KY websites, including information about the use of cookies, at https://gov.ky/privacy-policy;
b.Personal data you provide when you visit the TTD offices and other locations; contact us by email, by telephone or through our social media channels; or access our programmes and services;
c.Personal data you provide when you apply for sponsorship via the Visitor Experience Development Fund;
d.Personal data collected via CCTV at the TTD premises, including images via cameras at the Government Administration Building located at 133 Elgin Avenue on Grand Cayman – if it is necessary for the CCTV footage to be provided to us by the CIG Department of Facilities Management, which manages the CCTV system for our premises. We may also collect your personal data directly or indirectly through other lawful and appropriate security and monitoring systems;
e.Personal data that you provide when you inquire about or apply for a job with the TTD. If you apply for a job with the TTD via the CIG e-recruitment platform, an additional privacy notice is available here: https://careers.gov.ky/application/custom/English/privacy-statement.html;
f. Any personal data you choose to provide when interacting with the TTD our social media platforms, including our pages on Instagram, @ttdcayman, and Facebook,facebook.com/ttdcayman.
Any other personal data where the collection is necessary to achieve our lawful purpose(s).
The purpose of the Civil Service is to make the lives of those we serve better. We are dedicated to supporting the elected government by delivering caring, modern and customer-centred public services and programmes, which deliver value for money. The TTD may use your personal data for the following purposes:
a.Implementing policies, providing services and programmes, and managing your relationship with us;
b.Responding to your enquiries;
c.Verifying your identity;
d.Measuring how users interact with the TTD website and social media pages to continually improve our communications channels;
e.Communicating and interacting with website visitors and social media followers and engaged users;
f. Communications and public relations activities, including sending you marketing communications;
g.Managing accounts payable and receivable, preventing fraud, and protecting public funds;
h.Statistical and other reporting, both internally and externally;
i. Seeking legal advice, and exercising or defending legal rights;
j. Complying with our legal obligations, including all legislation that applies across the public sector, e.g. legislation that provides for records and information management, procurement, human resource management, financial management, internal and external audit, and similar functions and activities; and
k.Communicating and interacting with job applicants and related third parties (e.g. references) and carrying out recruitment and selection processes.
The TTD may share your personal data as required, including under applicable legislation, with recipients that include our data processors and third parties. We will only share your personal data as permitted by the DPA.
Your personal data may be shared with the following recipients that support our public functions and operations:
a. With other public authorities: Personal data may be shared with other public authorities – here, “public authorities” means Ministries, Portfolios, Offices, Departments, Statutory Authorities, Statutory Bodies and Government Companies – for the purposes set out in this Privacy Notice.
b. With data processors external to the CIG: Personal data may be shared with persons providing services to the TTD as a data processor in compliance with the DPA. When they are acting as data processors, these service providers are only able to use personal data under our instructions. We engage data processors for a variety of processing activities, which may include:
i. Webhosting;
ii.Information Technology;
iii.Records and Information Management, including storage facilities;
iv.Communications;
v. Marketing and campaigns;
vi.Events management; and
vii.Security operations and fraud prevention.
In limited circumstances, service providers who act as data processors for the TTD may also act as a separate data controller in relation to their own purposes for processing your personal data, e.g. to provide customer support, or for analytics or machine learning in order to improve their services. These are unrelated to the purposes for which the TTD processes your personal data and should be clearly and directly disclosed to you by the service provider through their own separate privacy notice
c.With legal advisors and other persons if required by law or in relation to legal proceedings or rights: Personal data may be disclosed as legally required, for the purpose of or in connection with proceedings under the law, if necessary to obtain legal advice, or if the disclosure is otherwise necessary to establish, exercise or defend legal rights. This may include disclosing your personal data for the following purposes:
i. Seeking legal advice;
ii.Exercising or defending legal rights;
iii.Complying with internal and external audits or investigations by competent authorities;
iv.Complying with information security policies or requirements; and
b. With other third parties: Personal data may be disclosed to other third-party recipients for the purposes set out in this Privacy Notice and in accordance with the DPA.
Depending on applicable laws and other circumstances, the TTD will rely on specific legal bases, or “conditions of processing”, under the DPA to process your personal data. These may include:
a.A legal obligation to which the TTD is subject, e.g. to comply with obligations under the Procurement Act (2023 Revision) and Procurement Regulations (2022 Revision), the Public Management and Finance Act (2020 Revision) and Financial Regulations (2024 Revision), the Public Service Management Act (2018 Revision) and Personnel Regulations (2022 Revision), the Data Protection Act (2021 Revision) and Data Protection Regulations, 2018, and the National Archive and Public Records Act (2015 Revision);
b.To exercise public functions, including managing the Visitor Experience Development Fund;
c.To perform or enter into a contract with you, including an employment agreement with or a contract for you or your employer to provide goods or services to the TTD;
d.To protect your vital interests;
e.Consent, e.g. to send you marketing communications or to administer surveys and polls; and
f.For the purposes of legitimate interests pursued by the TTD or by a third party or parties to whom the personal data may be disclosed, e.g. when disclosing records containing third party personal data in response to a request submitted under the Freedom of Information Act (2021 Revision).
Where we process your sensitive personal data, we will also meet a second legal basis. These may include:
a.To exercise our public functions;
b.To protect your vital interests;
c.In relation to legal proceedings, including obtaining legal advice and otherwise establishing, exercising or defending legal rights; and
d.If you have taken steps to make the personal data public, e.g. when conducting background checks.
The TTD collects personal data relating to children under the age of 18 to enable us to carry out our functions. We may collect children’s personal data for any of the purposes set out in section 3 of this Privacy Notice.
The TTD has put in place appropriate technical, physical and organisational measures in order to keep your personal data secure. You may request a description of the general measures taken to protect your personal data by contacting our Data Protection Leader in writing as set out in section 11 of this Privacy Notice.
We will only transfer your personal data to a country or territory that ensures an adequate level of protection for your rights and freedoms in relation to the processing of your personal data, unless there is a relevant exemption or exception under the DPA. Exceptions may include your consent or appropriate safeguards.
The TTD may store your personal data for as long as we need it in order to fulfil the purpose(s) for which we collected your personal data, and in line with any applicable laws. This includes the National Archive and Public Records Act (2015 Revision), which governs the creation, maintenance and disposal of all public records. Sometimes, we may anonymise your personal data so that it is no longer associated with you.
The TTD will respect and honour your rights in relation to your personal data and implement measures that allow you to exercise your rights under the DPA and other applicable legislation.
In accordance with the DPA, your rights in relation to your own personal data include:
a.The right to be informed and the right of access: The right to request access to all personal data the TTD maintains about you as well as supplementary information about why and how we are processing your personal data. This is commonly known as a Data Subject Access Request and certain supplementary information about our processing is contained within this Privacy Notice.
b. Rights in relation to inaccurate data: The right to request the rectification, blocking, erasure or destruction of any inaccurate personal data the TTD maintains on you. We will ensure, through all reasonable measures, that your personal data is accurate, complete and, where necessary, up‑to‑date, especially if it is to be used in a decision-making process.
c. The right to stop or restrict Processing: The right to restrict or stop how the TTD uses your personal data in certain circumstances.
d.The right to stop direct marketing: The right to cease the use of your personal data by the TTD for direct marketing purposes.
e.Rights in relation to automated decision making: The right to obtain information about and object to the use of automated decision making by the TTD using your personal data. The TTD does not currently use automated means to make decisions about you. However, if this position changes, we will update this Privacy Notice and we will also notify you in writing as required.
f.The right to complain: The right to complain to the Ombudsman about any perceived violation of the DPA by the TTD.
g.The right to seek compensation: The right to seek compensation through the Courts if you suffer damage due to a contravention of the DPA by the TTD.
You may contact the TTD, using the contact details listed below, to access and review your personal data or to exercise any other rights provided to you under the DPA. The TTD will take into consideration circumstances where, under the DPA or other applicable legislation, your rights may be limited or subject to conditions, exemptions or exceptions.
Upon contacting the TTD, we may need to verify your identity prior to fulfilling a request or request additional information as required. In accordance with the DPA, the TTD may also charge a reasonable fee in relation to your request if it is unfounded or excessive in nature, or reserve the right not to comply with the request at all.
To learn more about your rights, visit www.ombudsman.ky.
When processing your personal data, the TTD will comply with the eight Data Protection Principles defined within the DPA:
a.Fair and lawful processing: Personal data shall be processed fairly. In addition, personal data may be processed only if certain conditions are met, for example the data controller is subject to a legal obligation that requires the processing or the processing is necessary for exercise of public functions.
b.Purpose limitation: Personal data shall be obtained only for one or more specified, explicit and legitimate purposes, and not processed further in any manner incompatible with that purpose or those purposes.
c.Data minimisation: Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are collected or processed.
d. Data accuracy: Personal data shall be accurate and, where necessary, kept up-to-date.
e.Storage limitation: Personal data processed for any purpose shall not be kept for longer than is necessary for that purpose.
f. Respect for the individual’s rights: Personal data shall be processed in accordance with the rights of data subjects under the DPA, including subject access.
g. Security – confidentiality, integrity and availability: Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
h. International transfers: Personal data shall not be transferred to a country or territory unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
The TTD has appointed a Data Protection Leader If you have any questions about this Privacy Notice or how your personal data is handled, or if you wish to make a complaint, please contact:
Name: Eldon Chisholm - Policy Advisor & Data Protection Leader
Telephone number: 244-2419
Email Address: Eldon.Chisholm@gov.ky
Address: 5th Floor Government Admin Building
The TTD aims to resolve inquiries and complaints in a respectful and timely manner.
The TTD reserves the right to update this Privacy Notice at any time and will publish a new Privacy Notice when we make any substantial updates. From time to time, the TTD may also notify you about the processing of your personal data in other ways, including by email or through our publications.
This Privacy Notice was last updated on 22nd May 2025.