The procurement policy statement identifies that the CPO’s purpose is to achieve best value for CIG through procurement processes that are open, fair and transparent.
All procurement processes are subject to the Freedom of Information (FOI) Law. The FOI Law identifies information that may be made available under an access to information request and also lists that information that may be exempted from the law, for example, exemption of unreasonable disclosure of personal information. Personal information means information about an identifiable individual.
As part of procurement planning, it is very important to determine whether personal information will be collected, used or disclosed by a contractor resulting from a procurement process by assessing what the contractor’s tasks and responsibilities are at the time of defining the scope of the contractor’s work. When potential privacy risks are raised, risks need to be assessed to identify the nature and scope of those risks.
Some examples of risk by a contractor include:
- collection of excessive personal information or using it in unexpected ways;
- disclosure of personal information without consent;
- not storing information securely; and
- storing of information in a location where it may be subject to intrusive but legal scrutiny by another government or 3rd party.
The privacy requirements should be taken into consideration at the planning phase of the procurement process and any identified safeguards written into the solicitation documents and contracts.
It is not uncommon for a government institution to contract out the management of a program or service involving personal information about citizens to a company based in another country. When information is stored or accessible outside of the Cayman Islands, however, it can be subject not only to Cayman Islands laws but also to the laws of the other country.
One such law is the USA Patriot Act. The Act permits U.S. law enforcement officials to seek a court order allowing them to access the personal records of any individual for the purpose of an anti-terrorism investigation without informing individuals or agencies that such disclosure has occurred. In theory, as a result of government contracting activities, U.S. officials could access information about Caymanians through U.S. firms or their affiliates, even if the data is located in the Cayman Islands.
Although the risk of U.S. authorities using the USA Patriot Act in this way is minimal, it nevertheless exists. This has highlighted the need for special considerations with respect to government contracts involving personal information in order to mitigate such privacy risks.
When privacy risks have been identified, the Public Official responsible for procurement must ensure that appropriate privacy protection strategies are implemented and that appropriate privacy protection clauses are included in the solicitation document. Public Officials are encouraged to consult with their legal and privacy officials to ensure that no misinterpretation occurs and to determine appropriate privacy measures that apply to their particular circumstances. There is no universal approach, and potential contracting situations must therefore be reviewed on a case-by-case basis.
Although the main focus of this guidance document is on addressing privacy concerns and risks, the advice contained in the document can be applied to other information that may pose a security concern as defined in the FOI Law.