This notice sets out how Health Services Authority (HSA) will process personal information as a Data Controller.
Who are we?
At the Health Services Authority (HSA), we aim to provide you with the highest quality healthcare. To do this we must keep information about you, your health and the care we have provided to you or plan to provide to you. This privacy statement provides a summary of how we use your data.
The Health Services Authority is the Data Controller of data for the purposes of the Cayman Islands Data Protection Law 2017 (referred to as DPL). A Data Controller of your data means we are responsible for collecting, storing and handling your personal and sensitive personal data when you register with us as a patient.
Personal data is any information about a living and identifiable person. This includes anything that identifies or describes an individual: their background, financial, or social circumstances. Examples of personal data include: full name, Medical Record Number (“MRN”), address, phone number.
Sensitive personal data is a subset of personal data which carries increased risks. This includes, but not limited to personal data consisting of their racial or ethnic origin, political opinions, religious belief, medical data, and physical or mental condition.
What information we collect about you?
We collect and process the following information:
- Basic details about you, but not limited to your full name (including previous names such as your maiden name), address, date of birth, contact details (telephone numbers and email address), Medical Record Number (“MRN”) and next of kin contact details;
- Contacts we have had with you, such as clinic visits or hospital admissions notes and reports about your health and any treatment and care you need;
- Details and records about your health, treatment and care, your medical conditions (physical and mental), results of investigations such as X-rays, scans and laboratory tests relevant information from other health professionals, relatives or those who care for you;
- Report from bystanders in the event you are unable to do so; and
- Information either from us or a delegated third party to provide information on your patient experience at the HSA.
What do we do with your Personal Data?
Most of the information we process is provided to us directly by you. We also receive personal data indirectly, from referral details from your physician or any other healthcare provider, or directly from you or your authorised representative.
We use the information that you have given us in order to:
- Provide direct health care services to you (emergency, diagnostic, surgical, consultation, etc.);
- Remind you about your appointments and send you relevant correspondence about our services and/or programmes;
- Evaluate the care we provide to ensure it is of the highest standard and quality, e.g., clinical audit, service improvement (via our patient satisfaction survey);
- Support the funding of your care with your consent, e.g., with insurance companies, Needs Assessment Unit or any other pay or source.
- Help to train and educate healthcare professionals e.g., clinicians and students
- Report and investigate complaints, and claims;
- Report events to the appropriate authorities if required to do so by law
- Contact you with regards to patient satisfaction surveys relating to services you have used within our hospital so as to further improve our services to patients;
- Provide you with your financial statements for services rendered to you;
- Contact you for outstanding financial balance on your account; and
Where possible, we will always look to anonymise/pseudonymise your personal data / sensitive personal data so as to protect your confidentiality and we will only use or share the minimum information necessary.
Section 11 of the DPL defines “direct marketing” as:
The communication, by whatever means, of any advertising, marketing, promotional or similar material, that is directed to individuals.
The HSA may send you promotional/marketing information
Under the regulation of the DPL, individuals have the right to object to the processing of data if it happens in the context of direct marketing
Legal Basis for Processing Personal Data
The HSA is a statutory authority established under the Health Services Authority Law (2018 Revision). The legal basis for the majority of our processing is:
- The processing is necessary in order to protect the vital interests of the person (referred to as the data subject in Data Protection Law). This would apply in emergency situations such as in the Emergency Department
- The processing is necessary for a task carried out in the public interest or in the exercise of official authority vested in the controller; for the HSA this official authority is vested in us through the Health Services Authority Law and Ministry of Health.
- For entering into and managing contracts with the individuals concerned, for example our employees. The legal basis is:
- The processing is necessary for the HSA to perform a contract to which the data subject is a party or in order to take steps at the request of the data subject with a view to entering into a contract.
Where we process sensitive personal data, for example data concerning health, racial or ethnic origin, or sexual orientation, we are required to meet an additional legal basis as defined in the DPL. Where we are processing sensitive personal data for purposes related to the provision of health services, the legal basis is:
- The processing is necessary for medical purposes and is undertaken by a health professional or a person who, in the circumstances owes a duty of confidentiality equivalent to that which would arise if that person were a health professional; and
Medical purposes as defined above includes the purposes of preventative medicine, medical diagnosis, the provision of care and treatment and the management of healthcare services.
Where we process sensitive personal data for employment purposes, the legal basis is:
- The processing is necessary for the purposes of exercising or performing a right, or obligation, conferred or imposed by law on the data controller in connection with the data subject’s employment.
The HSA may also process personal data or sensitive personal data for the purpose of, or in connection with, legal proceedings (including prospective legal proceedings), in the course of an audit, for the purpose of obtaining legal advice, or for the purpose of establishing, exercising or defending legal rights. Where we process personal data for these purposes, the legal basis for doing so is:
- The processing is necessary for the HSA to perform a public function, or a function of a public nature exercised in the public interest;
- The processing is necessary for compliance with any legal obligation to which the data controller is subject, other than an obligation imposed by contract; and
- The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except if the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.
Use of your Data for Research Purposes
The HSA participates and supports health and care research. Conducting high-quality clinical research helps us keep improving the HSA care by finding out which treatments work best. To be effective, we may need to contact you to ask you whether you wish to take part in our research.
Any research project including personal data would require your consent. In the event where pseudonymised data will be used, research approval needs to be granted by the HSA Ethics Committee. The HSA Ethics Committee safeguards patient’s confidentiality and anonymity of personal and sensitive personal data for the strict purpose of scientific research. HSA may share anonymised data for research purposes with third parties.
Use of your Data for Patient Satisfaction Survey
HSA undertakes patient experience survey, as the data controller or through a delegated trusted third party as a data processor. The personal data may be used to contact patients who use any service provided by the HSA.
Personal data includes your full name, email addresses, HSA location of service (such as, but not limited to the district clinics, pharmacies, specialist clinics, Cayman Brac and Little Cayman) and phone numbers. The personal data of the next of kin may also be used for patients who are minor or those unable to provide a rational feedback. The HSA does not use sensitive personal data as a part of our patient satisfaction survey. The data processors or third parties undertaking your patient experience survey do not ask questions pertaining to your sensitive personal data.
The legal basis for processing your data for patient satisfaction survey is:
- The processing is necessary for the purposes of legitimate interests pursued by the HSA.
Closed Circuit Television (“CCTV”)
We employ surveillance cameras (CCTV) on and around our premises for the purposes of crime prevention and detection and to monitor operational and safety related incidents.
Images captured by CCTV will not be kept for longer than necessary and will be held securely. However, on occasions there may be a need to keep images for longer than the typical retention period, for example where a crime is being investigated.
The HSA ensures that the use of the CCTV is publicised by appropriate signage and service users will be advised of any use in clinical areas and in wards.
In addition, CCTV data may be shared as required by law with third parties such as the police or courts where there is a legal basis to do so.
Children below 18 years
The Regulations define a child as a person under the age of eighteen years old.
For children below 18 years, parental consent is necessary for the processing of data to be lawful
Who we share your data with, and why?
We will share information with the following main partner organisations:
Other Hospitals and organisations that are involved in your care so that you receive good quality care;
Clinical Commissioning Groups;
General Practitioners (GPs);
Health Insurance Companies and other payer sources for processing of payment for medical services; and
The Police or Courts or other legally established entities for matters of an investigatory or evidentiary nature, where required by Law.
Sharing with non-HSA Organisations
For your benefit and with your consent (except as required by a legal basis), we may also need to share information from your records with non-HSA organisations who are providing you with care or other services, such as social services or other healthcare organisations and healthcare providers.
We may also be asked to share basic information about you, such as your name and parts of your address, which does not include sensitive personal data such as your health records. Generally, we would only do this to assist another organisation to carry out their duties (such as usages of healthcare services, public health or national audits).
Non-HSA organisations may include, but are not restricted to:
- social services;
- education services;
- local authorities;
- the police;
- voluntary sector providers; and
- private sector providers.
How do we protect your data?
We only keep your information for as long as it is necessary to fulfil the purposes for which the personal data was collected, or otherwise as required under applicable laws and regulations. This includes for the purpose of meeting any legal, accounting, or other reporting requirements or obligations. The HSA’s Data retention policy sets out the minimum retention timescales.
We may, instead of destroying or erasing your personal data, anonymise it so that it cannot be associated with or tracked back to you. We reserve the right to retain and use such anonymised data for any legitimate business purpose without further notice to you.
We use a range of physical, electronic, and managerial measures to ensure that we keep your personal data secure, accurate and up to date. These measures include:
- education and training to relevant staff to ensure they are aware of our privacy obligations when handling personal data;
- administrative and technical controls to restrict access to personal data on a ”need to know” basis;
- technological security measures, including firewalls, encryption and anti-virus software; and
- physical security measures, such as security passes to access our premises.
The transmission of data over the internet (including by e-mail) is never completely secure.
Transfers outside the Cayman Islands
Unless certain exemptions apply or protective measures taken, personal data will not be disclosed or transferred outside the Cayman Islands to a country or territory which does not ensure an adequate level of protection for the rights and freedoms of data subjects.
Public Health Department
The HSA public health team in collaboration with the Public Health Department is required to screen and ascertain the immunization status of all school children in the Cayman Islands. Please note that this is not consenting for immunization. Such information is facilitated by gathering the updated personal data from the records of students kept in schools. The personal data collected includes students’ names, ages, contact details of parents/ guardians as well as the immunization status of the students ascertained through matching the students with the records in the HSA database. The Public Health Department keeps record of all children in schools which is updated annually by the School Nurses.
In addition, the Cayman Islands has a mandate to report to International organizations such as WHO/PAHO on our vaccination rates. It would be impossible to do this without an accurate understanding of which students are currently enrolled in schools in the Cayman Islands.
As a result of the transient nature of the Cayman Islands population, it is necessary to collect up-to-date class lists from each school on an annual basis. Utilising personal data collected by the HSA when students first register to attend a school in the Cayman Islands would not provide an accurate representation of the current compulsory school-age population, as there is no obligation to inform the HSA if and when children are no longer enrolled in a school in the Cayman Islands, either because they/their family have relocated to another jurisdiction or because they are attending a school overseas e.g. a boarding school, which is not an uncommon arrangement as children enter higher year groups. Therefore, collection of these personal data from the schools is necessary in order to fulfil the purpose and also promotes data accuracy, which is in line with the Fourth Data Protection Principle. The minimum personal data are collected in order to identify the child and match him/her to the record held by the Public Health Department (name and date of birth). This is in line with the Third Data Protection Principle, ensuring the data collected are adequate, relevant and not excessive in relation to the purpose. The current mobile telephone numbers of parents/guardians are also sought in line with the Third and Fourth Data Protection Principle, as these details are required in order to contact parents/guardians in relation to health screening and immunisations. Given contact details may change over time, updating these on an annual basis ensures the HSA is able to carry out its functions effectively and maintains an accurate database.
In general, the public health department may require personal data and or sensitive personal data to undertake:
- surveillance and monitoring of health determinants, risks, morbidity, and mortality
- preparedness and public health response to disease outbreaks, natural disasters, and other emergencies
This is a function of national public interest. The legal basis for processing these personal data is that this is essential to facilitate the performance of an important and necessary public health function by the Public Health Department, which is the condition set out in paragraph 5(c) of Schedule 2 to the Data Protection Law.
Your Rights Under the Data Protection Law
The DPL grants individuals a number of rights in relation to their personal data. We must respond to requests in relation to your rights within thirty days of receipt; however, there are some exceptions to this.
The availability of some of these rights depends on the legal basis that applies in relation to the processing of your personal data, and there are some other circumstances in which we may not uphold a request to exercise a right. Your rights and how they apply are described below:
The right to be informed
Your right to be informed is met by the provision of this privacy notice, and similar information when we communicate with you directly – at the point of contact.
The right of access
You have the right to obtain a copy of personal data that we hold about you and other information specified in the DPL, although there are exceptions to what we are obliged to disclose.
A situation in which we may not provide all the information is where, in the opinion of an appropriate health professional, such a disclosure would be likely to cause serious harm to your or somebody else’s physical or mental health.
The right to rectification
You have the right to ask us to rectify any inaccurate data that we hold about you. You also have the right to ask us to complete information you think is incomplete.
The right to stop/restrict processing
You have the right to request that we stop processing, not begin processing, or cease processing for a specified purpose or in a specified way. This is not an absolute right, and, depending on the legal basis that applies, we may have overriding legal bases to continue processing the data.
The right to stop direct marketing
You have the right to stop direct marketing from the HSA. Be it SMS, postal mail, or emails. If you no longer want to receive such advertising, you can ask the HSA to stop. See above the contact information for HSA’s Compliance Manager.
The right in relation to automated decision making
You have the right to object to being subject to a decision based solely on automated processing, including profiling. Should we perform any automated decision-making, we will record this in our privacy notice, and ensure that you have an opportunity to request that the decision involves personal consideration.
The right to complain
You have the right to complain through our internal process if you are not happy with any aspect of the HSA’s processing of personal data or believe that the rights are not being respected.
Do you have a complaint or questions?
Dr. Vinton Douglas (Interim Compliance Manager)
95 Hospital Road
George Town, Grand Cayman
PO Box 915GT, KY1-1103
Telephone: (345) 244 2618
Post: Director of Corporate Services
Alternatively, you have the right to complain to the Office of the Ombudsman. The contact details are as follows:
The Office of the Ombudsman
5th Floor, Anderson Square
64 Shedden Road
(345) 946 6283
How do we maintain your data?
Your personal data can be held in a variety of formats, including paper records, electronically on computer systems, in video and audio files. We hold and process your data in accordance with the DPL and with the National Archive and Public Records Law.
We have a duty to:
- maintain full and accurate records of the care we provide to you;
- keep records about you confidential and secure; and
- provide information in a format that is accessible to you.
Your personal data will only be kept for as long as is necessary and will be destroyed in accordance with the HSA’s Data Retention Policy and National Archive and Public Records Law.
How long we keep your data?
We will only retain your personal data for as long as the law requires us to and as long as it is needed.
Feedback data will be stored for two years.
Changes to this privacy notice
We reserve the right to update this privacy notice at any time. We will notify you with a new privacy notice when we make any substantial updates. We may also notify you in other ways from time to time about the processing of your personal data.