External Privacy Notice

The Cayman Islands Public Library Services (“the CIPLS”) respects your privacy and take care in protecting your personal data. As a data controller, we comply with the Cayman Islands Data Protection Act (2021 Revision) (the “DPA”). This privacy notice (“Privacy Notice”) demonstrates our commitment to ensuring your personal data is handled responsibly and applies to the processing of personal data undertaken by the CIPLS’ in fulfilling our mandate.
 

The CIPLS collects personal data, including sensitive personal data, directly from you and may also collect your personal data indirectly from third party sources. Personal data collected by the CIPLS is limited to what is necessary for our processing activities.

 

Personal data we collect directly from you
The CIPLS collects the following information directly from you:

i. Personal data you provide through the CIPLS’s websites, such as details provided through our membership application portal, including your name and email address if you provide these details in our web form. If you ask questions about our public services and programmes or provide information about your relationship with us, this may also reveal other personal data;
ii. Personal Data you provide when you visit the CIPLS’s offices and other locations, contact us by email or telephone, or access our programmes and services, including our online application and registration portals;
iii. Personal data, including images collected via CCTV at the CIPLS’s premises at 68 Edward St. George Town, Grand Cayman and on premises at all the district libraries.
iv. Any information you choose to provide when interacting with the CIPLS on social media platforms, including Facebook and Instagram.

 

Personal data collected from other sources
The CIPLS may collect personal data from other sources including:

i. Third parties or other entities within the Cayman Islands Government that verify personal data that you provide to the CIPLS; and
ii. Third Parties that support the CIPLS in the processing of personal data in the exercise of public functions.
 

The purpose of the Civil Service is to make the lives of those we serve better. We are dedicated to supporting the elected government by delivering caring, modern and customer-centred public services and programmes, which deliver value for money. The CIPLS may use your personal data for the following purposes:

 

i. Implementing policies, providing services and programmes, and managing your relationship with us;
ii. Tracking your attendance for security, health and safety purposes;
iii. Responding to your inquiries;
iv. Verifying your identity and other information provided;
v. To determine demographics for book acquisition;
vi. Measuring how users interact with the CIPLS’s online platforms and continually improving our communications channels (including by aggregating personal data collected using cookies);
vii. Communicating and interacting with you;
viii. Communications and public relations activities;
ix. Managing accounts payable and receivable, preventing fraud, and protecting public funds;
x. Statistical and other reporting, both internally and externally;
xi. Seeking legal advice, and exercising or defending legal rights;
xii. Complying with our legal obligations, including all legislation that apply across the public sector; and
 

The CIPLS may share your personal data as required, including under applicable legislation, with recipients that include joint data controllers, our data processors, and third parties. We will only share your personal data as permitted by the Cayman Islands DPA.

Your personal data may be shared with the following recipients that support our public functions and operations:

i. With other public authorities: Personal data may be shared with other public authorities being Ministries, Portfolios, Offices, Departments, Statutory Authorities, Statutory Bodies and Government Companies for the purposes set out in this Privacy Notice.

ii. With data processors external to the CIG: Personal data may be shared with persons providing services to the CIPLS as a data processor in compliance with the Cayman Islands DPA. These service providers are only able to use personal data under our instructions and may include:

a. Webhosting;
b. Information Technology;
c. Security operations and fraud prevention.

 

iii. With legal advisors and other persons if required by law or in relation to legal proceedings or rights: Personal data may be disclosed as legally required, for the purpose of or in connection with proceedings under the law, if necessary to obtain legal advice, or if the disclosure is otherwise necessary to establish, exercise or defend legal rights. This may include disclosing your personal data for the following purposes:

a. Seeking legal advice;
b. Exercising or defending legal rights;
c. Complying with internal and external audits or investigations by
competent authorities;
d. Complying with information security policies or requirements.
 

Depending on applicable laws and other circumstances, the CIPLS will rely on specific legal bases, or “conditions of processing”, under the Cayman Islands DPA to process your personal data. These may include:

 

i. A legal obligation to which the CIPLS is subject, and to comply with various
obligations under the CIG Framework.
ii. To exercise public functions, including the delivery of a range of programmes
and services to the public that enable the CIG to achieve the strategic goals for
Education.
iii. To perform or enter into a contract with you, such as for the provision of goods
and services;
iv. Consent, in order to send you marketing communications or to administer
surveys and polls; and
v. For the purposes of legitimate interests pursued by the CIPLS or by a third
party or parties to whom the personal data may be disclosed.

 

Where we process your sensitive personal data, we will also meet a second legal basis. These may include:

 

i. To exercise our public functions; and
ii. In relation to legal proceedings, including obtaining legal advice and otherwise
establishing, exercising or defending legal rights.
 

The CIPLS collects personal data relating to children under the age of 18 to enable us to deliver public services and programmes and carry out our functions. We may collect children’s personal data for any of the purposes set out in section 3 of this Privacy Notice.

7. Security and International Transfers

The CIPLS has put in place appropriate technical, physical and organisational measures in order to keep your personal data secure. These safeguards to maintain the confidentiality, integrity and availability of your personal data may include:

 

i. Developing and maintaining written plans to identify, prevent, detect, respond to, and recover from security threats, events and incidents; 
ii. Developing robust authentication procedures for accessing all systems that store Personal data;
iii. Maintaining systems, software and applications, anti-virus software, firewalls,and other computer security safeguards, and appointing appropriate personnel to be responsible for keeping such safeguards up to date.
iv. Requiring Data Processors who process personal data on behalf of the CIPLS to maintain appropriate security measures, including through MOUs, agreed Terms of Service or Data Processing Agreements;
v. Ensuring employees are trained on security policies and measures that have been implemented;
vi. Using appropriate measures, such as encryption, pseudonymisation and chain of custody records to protect personal data.

 

The CIPLS will not transfer personal data to countries or territories that do not ensure an adequate level of protection for personal data. We may transfer your personal data outside of the Cayman Islands to Canada and the United Kingdom where data are stored securely by our IT service providers.

We will only transfer your personal data to a country or territory that ensures an adequate level of protection for your rights and freedoms in relation to the processing of your personal data, unless there is a relevant exemption or exception under the Cayman Islands DPA. Exceptions may include your consent or appropriate safeguards.

8. How Long We Keep Your Personal Data

The CIPLS may store your personal data for as long as we need it in order to fulfil the purpose(s) for which we collected your personal data, and in line with any applicable laws. This includes the National Archive and Public Records Act (2015 Revision), which governs the creation, maintenance and disposal of all public records. Sometimes, we may anonymise your personal data so that it is no longer associated with you.

9. Cookies

Cookies, in combination with pixels, local storage objects, and similar devices (collectively, "Cookies"), are used to distinguish between visitors to a website. 

 

When you visit the CIPLS’s website, small files known as Cookies may be stored on your computer, phone, tablet or any other device through your web browser. Information is stored in these text files.

 

Enabling Cookies may allow for a more tailored browsing experience and is required for certain website functionality. In the majority of cases, a Cookie does not provide us with any of your personal data.

10. Your Rights

The CIPLS will respect and honour your rights in relation to your personal data and implement measures that allow you to exercise your rights under the DPA and other applicable legislation.

In accordance with the DPA, your rights in relation to your personal data include:

 

i. The right to be informed and the right of access: The right to request access to all personal data the CIPLS maintains about you as well as supplementary information about why and how we are processing your personal data. This is commonly known as a Data Subject Access Request and certain supplementary information about our processing is contained within this Privacy Notice.
ii. Rights in relation to inaccurate data: The right to request the rectification, blocking, erasure or destruction of any inaccurate personal data the CIPLS maintains on you. We will ensure, through all reasonable measures, that your personal data is accurate, complete and, where necessary, up‐to‐date, especially if it is to be used in a decision-making process.
iii. The right to stop or restrict Processing: The right to restrict or stop how the CIPLS uses your personal data in certain circumstances.
iv. The right to stop direct marketing: The right to cease the use of your personal data by the CIPLS for direct marketing purposes. The CIPLS does not currently carry out any direct marketing activities. However, we will update this Privacy Notice and we will also notify you in writing as required if this position changes.
v. Rights in relation to automated decision making: The right to obtain information about and object to the use of automated decision making by the CIPLS using your personal data. The CIPLS does not currently use automated means to make decisions about you. However, we will update this Privacy Notice and we will also notify you in writing as required if this position changes.
vi. The right to complain: The right to complain to the Ombudsman about any perceived violation of the DPA by the CIPLS.
vii. The right to seek compensation: The right to seek compensation in the Court if you suffer damage due to a contravention of the DPA by the CIPLS.

 

You may contact the CIPLS, using the contact details listed below, to access and review your personal data or to exercise any other rights provided to you under the DPA. The CIPLS will take into consideration circumstances where, under the DPA or other applicable legislation,   your rights may be limited or subject to conditions, exemptions or exceptions.

 

Upon contacting the CIPLS, we may need to verify your identity prior to fulfilling a request and may request additional information as required. In accordance with the DPA, the CIPLS may also charge a reasonable fee in relation to your request if it is unfounded or excessive in nature, or the CIPLS may reserve the right not to comply with the request at all.

 

To learn more about your rights, visit www.ombudsman.ky.

11. Data Protection Principles

When processing your personal data, the CIPLS will comply with the eight Data Protection Principles defined within the Cayman Islands DPA:

 

i. Fair and lawful processing: Personal data shall be processed fairly. In addition, personal data may be processed only if certain conditions are met, for example the data controller is subject to a legal obligation that requires the processing or the processing is necessary for exercise of public functions.
ii. Purpose limitation: Personal data shall be obtained only for one or more specified, explicit and legitimate purposes, and not processed further in any manner incompatible with that purpose or those purposes.
iii. Data minimisation: Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are collected or processed.
iv. Data accuracy: Personal data shall be accurate and, where necessary, kept up-to-date.
v. Storage limitation: Personal data processed for any purpose shall not be kept for longer than is necessary for that purpose.
vi. Respect for the individual’s rights: Personal data shall be processed in accordance with the rights of data subjects under the DPA, including subject access.
vii. Security – confidentiality, integrity and availability: Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
viii. International transfers: Personal data shall not be transferred to a country or territory unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
 

The Ministry of Education has appointed a Data Protection Leader which also serves the CIPLS. If you have any questions about this Privacy Notice or how your personal data is handled, or if you wish to make a complaint, please contact:

Name: Stacy-Ann Dewar, Data Protection, Information and Records Manager
Telephone number: (345) 244-2483
Email Address: stacy-ann.dewar@gov.ky
Address: Government Administration Building, 133 Elgin Avenue, Box 108, Grand Cayman

The CIPLS aims to resolve inquiries and complaints in a respectful and timely manner.
 

he CIPLS reserves the right to update this Privacy Notice at any time and will publish a new Privacy Notice when substantial updates are made. From time to time, the CIPLS may also notify you about the processing of your personal data in other ways, including by email or through our publications.