Bank violated law over vaccine related data – Cayman Islands Headline News


CIBC FirstCaribbean Bank in George Town

(CNS): In September 2021, CIBC FirstCaribbean Bank (Cayman) informed its staff that they would be required to prove they were vaccinated against COVID-19 and produce a weekly negative PCR test or go on unpaid leave. However, after two employees complained to the Office of the Ombudsman, the OMB conducted an investigation and found that the bank had breached some parts of the Data Protection Act (2021 Revision). The office found that the bank did not have a legal basis for collecting the data under the DPA or under the Labour Act, which was the legal basis it relied on.

The OMB also found that an email to staff who had not yet provided their data was sent without the use of the blind copy function, thereby risking inferences being made about their health and medical status, which also violated the DPA.

Since that personal data is no longer being processed and was not kept longer than needed, corrective action has not been required, the OMB said. However, an enforcement order from the office requires FirstCaribbean to show how it is meeting its obligations regarding the international transfer of personal data, as this was insufficiently explained.

In her written decision, Ombudsman Sharon Roulstone detailed her findings on where the bank did or did not breach the act. She said that the first email from the bank setting out the policy during the pandemic did meet the fairness requirements of the legislation, but it did not have a valid condition or legal basis for processing the data.

Roulstone said the purpose of the processing was explicitly specified and legitimate, but the processing, collecting, analyzing and storing of the employees’ data on their vaccination status and PCR testing was excessive as it was not necessary to meet the bank’s obligation under the Labour Act.

In the enforcement order, she said that FirstCaribbean must ensure that in future it meets all the requirements of the DPA when processing sensitive personal data and only processes personal data that is necessary. The bank must also ensure that it does not reveal to others private details of staff from which inferences can be made.

FirstCaribbean has not demonstrated how it is protecting personal data that is being transferred to jurisdictions that don’t have an adequate level of protection, including the Bahamas, the ombudsman said. Therefore, she has given the company 45 days to explain what it is doing to address that issue and show what safeguards are in place.

See the full enforcement order below:

