Privacy Policy
1. Scope
The Cayman Islands Government Office – United Kingdom (“CIGO-UK”) respects your privacy and takes care in protecting your personal data. As a data controller, we comply with the Cayman Islands Data Protection Act (2021 Revision) (the “CI DPA”), the United Kingdom General Data Protection Regulation (the “UK GDPR”) and the United Kingdom Data Protection Act 2018 (the “UK DPA”). This privacy notice (“Privacy Notice”) demonstrates our commitment to ensuring your personal data is handled responsibly.
This Privacy Notice does not apply to the CIGO-UK processing personal data relating to our employees, who are covered under our Employee Privacy Notice. This Privacy Notice also does not apply to personal data that may be processed by the Cayman Islands Government Cabinet Office or other agencies that are separate data controllers from the CIGO-UK, including if the personal data were lawfully disclosed to that data controller by the CIGO-UK.
2. What Personal Data We Collect
The CIGO-UK collects personal data, including sensitive personal data as defined in the CI DPA and special category and criminal offence data as provided for in the UK GDPR, directly from you. We may also collect your personal data indirectly from third-party sources. Personal data collected by the CIGO-UK is limited to what is necessary for our processing activities. In this Privacy Notice, personal data means any data relating to an identified or identifiable living individual and includes data required to provide you with consular and student services.
Personal data we collect directly from you
The CIGO-UK may collect the following information directly from you: a. Personal data you provide online, including through the CIGO-UK website, www.cigouk.ky, such as:
i. Your Internet Protocol (“IP”) address, details of which device or version of web browser you used to access our website content, and other information about how you used our website (see our Cookie Notice for more information: https://cigouk.ky/privacy-policy);
ii. Your email address, demographic data (e.g. place of residence, connection to the Cayman Islands, profession), and subscription preferences if you sign up for our newsletters, and how you utilise the emails you receive from us, including whether you open them and which links you click; and
iii. Your name and/or social media handle, public profile photo, and any other information you choose to provide when interacting with the CIGO-UK on various social media platforms, including Facebook, Instagram, X, LinkedIn and YouTube, whether you provide this information through public posts and comments or through direct messaging features;
b. Personal data you provide when you visit the CIGO-UK offices or interact with us at other locations, contact us by email or telephone, or access our programmes and services. If you ask questions about our programmes and services or provide information in order for us to provide you with relevant services or register you for our programmes, these questions or information may also reveal other personal data, e.g. your citizenship, immigration or residency status in the United Kingdom or in the Cayman Islands, employment or educational information, family status, health information, or property ownership;
c. Personal data you provide when you inquire about or apply for a job with the CIGO-UK. If you apply for a job with the CIGO-UK via the Cayman Islands Government e-recruitment platform, an additional privacy notice is available here: https://careers.gov.ky/application/custom/English/privacy-statement.html;
d. Personal data collected via CCTV at the CIGO-UK premises – including images collected via cameras located at the 4th Floor of 34 Dover Street, London, W1S4NG – and through any other lawful and appropriate security and monitoring systems; and
e. Any other personal data where the collection is necessary to achieve our lawful purpose(s).
Personal data collected from other sources
The CIGO-UK may collect the following personal data from other sources:
a. Personal data collected via CCTV at the CIGO-UK premises at 34 Dover Street, London, W1S4NG or other locations where we operate or provide programmes and services, if the images and/or images with audio are lawfully disclosed to the CIGO-UK by the property manager or other third party as the initial data controller that collected the footage at the premises or other location;
b. Personal data contained within publicly available sources of information, e.g. online biographies, public registers, government directories, employment directories and news media;
c. Personal data such as your name, contact details, employment details and potential areas of interest in the work of the CIGO-UK, which may be collected through our engagement and networking efforts;
d. Personal data provided by a family member or other close connection who is accessing a CIGO-UK programme or service, e.g. your parent may seek our advice on student visas or home fees and disclose your name and (intended) educational institution in the course of that interaction; and
e. Any other personal data where the collection is necessary to achieve our lawful purpose(s).
3. How We Use Your Personal Data
The CIGO-UK works to support the extension of all Cayman Islands Government activities in the United Kingdom and Europe. We develop and broaden the connection between the Cayman Islands and the United Kingdom, promote the Cayman Islands within the United Kingdom, create wider opportunities for Caymanian students, and identify synergies within the United Kingdom civil service for the benefit of the Cayman Islands.
The CIGO-UK may use your personal data for the following purposes:
a. Implementing policies, providing services and programmes, and managing your relationship with us;
b. Responding to your inquiries;
c. Verifying your identity;
d. Measuring how users interact with the CIGO-UK’s website and continually improving our communications channels (including by aggregating personal data collected using cookies);
e. Communicating and interacting with website visitors;
f. Communications and public relations activities;
g. Managing accounts payable and receivable, preventing fraud, and protecting public funds;
h. Statistical and other reporting, both internally and externally;
i. Seeking legal advice, and exercising or defending legal rights;
j. Complying with our legal obligations, including legislation that provides for records and information management, procurement, financial management, audit, and similar functions and activities; and
k. Communicating and interacting with job applicants and related third parties (e.g. references) and carrying out recruitment and selection processes.
4. How We Share Your Personal Data
The CIGO-UK may share your personal data as required, including under applicable legislation, with recipients that include other data controllers, our data processors, and third parties. We will only share your personal data as permitted by the CI DPA, UK GDPR and UK DPA.
Your personal data may be shared with the following recipients that support our public functions and operations:
a. With other Cayman Islands public authorities: Personal data may be shared with other Cayman Islands public authorities – here, “public authorities” is defined in the CI DPA and means Ministries, Portfolios, Offices, Departments, Statutory Authorities, Statutory Bodies and Government Companies – for the purposes set out in this Privacy Notice. These recipient public authorities may be separate data controllers (e.g. the Office of the Auditor General), may be assisting the CIGO-UK as a data controller (e.g. the Cabinet Office), or may serve as a data processor for the CIGO-UK (e.g. the Computer Services Department).
b. With data processors external to the Cayman Islands Government: Personal data may be shared with persons providing services to the CIGO-UK as a data processor. When they are acting as data processors, these service providers are only able to use personal data under our instructions. We engage data processors for a variety of processing activities, which may include:
i. Webhosting and Information Technology;
ii. Records and Information Management, including storage facilities;
iii. Communications and promotions;
iv. Events management; and
v. Security operations and fraud prevention.
In limited circumstances, service providers who act as data processors for the CIGO-UK may also act as a separate data controller in relation to their own purposes for processing your personal data, e.g. to provide customer support, or for analytics or machine learning in order to improve their services. These are unrelated to the purposes for which the CIGO-UK processes your personal data and should be clearly and directly disclosed to you by the service provider through their own separate privacy notice. However, you may contact us to ask about our current service providers and specific instances, if any, that we are aware of where your personal data may be processed for a service provider’s own purposes.
c. With legal advisors and other persons if required by law or in relation to legal proceedings or rights: Personal data may be disclosed as legally required, for the purpose of or in connection with proceedings under the law, if necessary to obtain legal advice, or if the disclosure is otherwise necessary to establish, exercise or defend legal rights. This may include disclosing your personal data for the following purposes:
i. Seeking legal advice;
ii. Exercising or defending legal rights;
iii. Complying with internal and external audits or investigations by competent authorities; and
iv. Complying with information security policies or requirements.
d. With other third parties: Personal data may be disclosed to other third-party recipients for the purposes set out in this Privacy Notice and in accordance with relevant legislation.
5. Our Legal Bases for Processing Your Personal Data
Depending on applicable laws and other circumstances, the CIGO-UK will rely on specific legal bases under the UK GDPR and similar “conditions of processing” under the CI DPA, to process your personal data. These may include:
a. A legal obligation to which the CIGO-UK is subject, including various obligations under Cayman Islands legislation which regulates all public sector activities, such as the Procurement Act (2023 Revision) and Procurement Regulations (2022 Revision), the Public Management and Finance Act (2020 Revision) and Financial Regulations (2022 Revision), the Freedom of Information Act (2021 Revision) and Freedom of Information (General) Regulations (2021 Revision) and the National Archive and Public Records Act (2015 Revision) and National Archive and Public Records Regulations, 2007;
b. To perform a task carried out in the public interest, or to exercise our public functions or official authority vested in the CIGO-UK, including the functions of the CIGO-UK to provide consular services and student services to Caymanians and other stakeholders in the United Kingdom and to support the extension of all Cayman Islands Government activities in the United Kingdom;
c. To perform or enter into a contract with you, e.g. as a contractor providing services to the CIGO-UK;
d. To protect your vital interests, or the vital interests of another individual;
e. Consent, e.g. to send you our newsletter or to administer surveys and polls; and
f. For the purposes of legitimate interests pursued by the CIGO-UK or by a third party or parties to whom the personal data may be disclosed, e.g. when taking photographs and videos at our events and sharing them on our social media channels, or when disclosing records containing third party personal data in response to a request submitted under the Cayman Islands Freedom of Information Act (2021 Revision).
Where we process your “sensitive personal data” as defined in the CI DPA, we will also meet at least one second condition of processing under the CI DPA. These conditions may include:
a. To exercise our public functions, including under an enactment;
b. In relation to legal proceedings, including obtaining legal advice and otherwise establishing, exercising or defending legal rights;
c. To protect your vital interests or those of another person, under relevant conditions; and
d. The personal data have been made public as a result of steps you have taken as the data subject.
We will only process personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union members; genetic data; biometric data to uniquely identifying an individual; data concerning health; or data concerning an individual’s sex life or sexual orientation (together known as “special category data”), if at least one of the following exceptions applies:
a. You gave explicit consent to the processing of those personal data for one or more specified purposes;
b. To protect your vital interests or those of another individual, under conditions set out in the UK GDPR;
c. You have manifestly made public the personal data being processed;
d. The processing is necessary for the establishment, exercise or defence of legal claims;
e. The processing is necessary for reasons of substantial public interest, on the basis of UK law and under conditions set out in the UK GDPR; and
f. The processing is necessary for archiving purposes in the public interest or for statistical purposes, and it is carried out in line with conditions set out in the UK GDPR and UK DPA, which include the provision of suitable and specific measures to safeguard your rights and interests.
6. Children’s Personal Data
The CIGO-UK may collect personal data relating to children under the age of 16 to enable us to deliver public services and programmes and carry out our functions. We may collect children’s personal data for most of the purposes set out in section 3 of this Privacy Notice. However, our website is not intended for use by children under the age of 13 and we do not knowingly process personal data relating to children under the age of 13 through the use of cookies and similar technologies. Our newsletters are also not promoted to children under the age of 13.
7. Security and International Transfers
The CIGO-UK has put in place appropriate technical, physical and organisational measures to keep your personal data secure. These safeguards to maintain the confidentiality, integrity and availability of your personal data may include, depending on the purpose and other circumstances of the processing:
a. Developing and maintaining written plans to identify, prevent, detect, respond to, and recover from security threats, events and incidents;
b. Developing robust authentication procedures for accessing all systems that store personal data;
c. Administrative and technical controls to restrict access to personal data on a “need to know” basis;
d. Maintaining systems, software and applications, anti-virus software, firewalls, and other computer security safeguards, and appointing appropriate personnel to be responsible for keeping such safeguards up to date, including through actions such as patching, license renewals/expiry monitoring, system health checks and account/user access management;
e. Requiring data processors who process personal data on behalf of the CIGO-UK to maintain appropriate security measures, including through MOUs, agreed Terms of Service or Data Processing Agreements;
f. Maintaining appropriate records of access to and processing of personal data;
g. Ensuring employees are trained on security policies and measures that have been implemented;
h. Auditing security measures implemented to safeguard personal data at regular intervals, including when changes have been made to systems or processes and when legislative changes impact the processing of personal data, and recording the results of such audits;
i. Using appropriate measures, such as encryption, pseudonymisation and chain of custody records, to protect personal data, including when stored on laptops, tablets, external hard drives, USB drives and other portable storage devices;
j. Implementing measures to ensure data protection by design and data protection by default;
k. Utilising appropriate and secure methods to destroy personal data; and
l. Taking all other reasonable measures as required from time to time by legislation, rules and policies.
The CIGO-UK will only transfer your personal data to a country or territory that ensures an adequate level of protection for your rights and freedoms in relation to the processing of your personal data, unless there is a relevant exemption or exception that would make the transfer lawful. Exceptions may include your consent or appropriate safeguards. We may transfer your personal data to the Cayman Islands, where data are stored securely by our IT service provider, the Cayman Islands Government Computer Services Department.
8. How Long We Keep Your Personal Data
The CIGO-UK may store your personal data for as long as we need it in order to fulfil the purposes for which we collected your personal data, and in line with any applicable laws. This includes the Cayman Islands National
Archive and Public Records Act (2015 Revision), which governs the creation, maintenance and disposal of all public records. Sometimes, we may anonymise your personal data so that it is no longer associated with you.
9. Cookies
Cookies, in combination with pixels, local storage objects, and similar devices (collectively, “Cookies” unless otherwise noted), are used to distinguish between visitors to a website. When you visit our website, www.cigouk.ky, small files known as Cookies may be stored on your computer, phone, tablet or any other device through your web browser. Information is stored in these text files.
Enabling Cookies may allow for a more tailored browsing experience and is required for certain website functionality. In the majority of cases, a Cookie does not provide us with any of your personal data.
Please see our website for more information about the use of Cookies.
10. Your Rights
The CIGO-UK will respect and honour your rights in relation to your personal data and implement measures that allow you to exercise your rights under data protection and other applicable legislation.
In accordance with the CI DPA, UK GDPR and UK DPA, your rights in relation to your own personal data include:
a. The right to be informed and the right of access: The right for the CIGO-UK to confirm whether or not your personal data are being processed and, where that is the case, to request access to personal data the CIGO-UK maintains about you as well as supplementary information about why and how we are processing your personal data. This is commonly known as a Data Subject Access Request and certain supplementary information about our processing is contained within this Privacy Notice.
b. Rights in relation to inaccurate personal data: The right to request the rectification, blocking, erasure or destruction of any inaccurate personal data the CIGO-UK maintains on you. We will ensure, through all reasonable measures, that your personal data is accurate, complete and, where necessary, up‑to‑date, especially if it is to be used in a decision-making process. Taking into account the purposes of the processing, you have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
c. Right to erasure: The right to require the CIGO-UK to erase your personal data without undue delay and, where the CIGO-UK has made the personal data public, to take reasonable steps to inform other data controllers which are processing those personal data that you have requested the erasure of any links to, or copy or replication of, those personal data that we have erased.
d. The right to stop or restrict processing: The right to restrict or stop how the CIGO-UK uses your personal data in certain circumstances.
e. The right to stop direct marketing: The right to cease the use of your personal data by the CIGO-UK for direct marketing purposes. The CIGO-UK does not currently carry out any direct marketing activities. However, we will update this Privacy Notice and we will also notify you in writing as required if this position changes.
f. The right to data portability: The right to receive your personal data, which you provided to the CIGO-UK, in a structured, commonly used and machine-reasonable format and the right to transmit those personal data to another data controller without hindrance, where the processing is based on consent or contract and being carried out by automated means.
g. Rights in relation to automated decision making: The right to obtain information about and object to the use of automated decision making by the CIGO-UK using your personal data, including profiling, which has certain legal or similarly significant effects. The CIGO-UK does not currently use automated means to make decisions about you. However, we will update this Privacy Notice and we will also notify you in writing as required if this position changes.
h. The right to complain: The right to complain to the Cayman Islands Ombudsman about any perceived violation of the CI DPA by the CIGO-UK, or to the United Kingdom Information Commissioner about any perceived violation of the UK GDPR or UK DPA by the CIGO-UK.
i. The right to seek compensation: The right to seek compensation in the Cayman Islands Court if you suffer damage due to a contravention of the CI DPA by the CIGO-UK.
You may contact the CIGO-UK, using the contact details listed in section 12 below, to ask whether the CIGO-UK is processing your personal data, to access and review your personal data, or to exercise any other rights provided to you under the CI DPA, UK GDPR and UK DPA. The CIGO-UK will take into consideration circumstances where, under the applicable legislation, your rights may be limited or subject to conditions, exemptions or exceptions.
Upon contacting the CIGO-UK, we may need to verify your identity prior to fulfilling a request and may request additional information as required to process your request and provide a prompt response. To learn more about your rights, visit www.ombudsman.ky in relation to the CI DPA or www.ico.org.uk in relation to the UK GDPR and UK DPA.
11. Data Protection Principles
When processing your personal data, the CIGO-UK will comply with the Data Protection Principles defined within the CI DPA and the UK GDPR, which may be combined together to be described as follows:
a. Lawfulness, fairness and transparency: Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject. Personal data may be processed only if certain conditions under the DPA are met, for example the CIGO-UK as the data controller is subject to a legal obligation that requires the processing or the processing is necessary for exercise of public functions.
b. Purpose limitation: Personal data shall be obtained only for one or more specified, explicit and legitimate purposes, and not further processed in a manner that is incompatible with those purposes.
c. Data minimisation: Personal data shall be adequate, relevant and not excessive, i.e. limited to what is necessary, in relation to the purpose or purposes for which they are collected or otherwise processed.
d. Data accuracy: Personal data shall be accurate and, where necessary, kept up-to-date. Every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
e. Storage limitation: Personal data processed for any purpose shall not be kept for longer than is necessary for that purpose. Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods when processed solely for archiving purposes in the public interest, statistical purposes and other purposes set out in the UK GDPR, subject to appropriate measures as required.
f. Respect for the individual’s rights: Personal data shall be processed in accordance with the rights of data subjects under the CI DPA, UK GDPR and UK DPA, including the right of subject access.
g. Security: confidentiality, integrity and availability: Personal data shall be processed in a manner that ensures appropriate security of the personal data. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss of, destruction of, or damage to personal data.
h. International transfers: Personal data shall not be transferred to another country or territory unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data, or unless the personal data will be protected in the receiving country or territory to the required legal standard through other authorised means.
12. How to Contact Us
The CIGO-UK has appointed a Data Protection Leader. If you have any questions about this Privacy Notice or how your personal data is handled, or if you wish to make a complaint, please contact:
Name: Phillippa Knights, Assistant Representative (Policy, International Relations and Operations)
Telephone number: +44 (0) 207 491 7772
Email Address: phillippa.knights@gov.ky
Address: 34 Dover Street, London, W1S 4NG
The CIGO-UK aims to resolve inquiries and complaints in a respectful and timely manner.
13. Changes to this Privacy Notice
The CIGO-UK reserves the right to update this Privacy Notice at any time and will publish a new Privacy Notice when we make any substantial updates. From time to time, the CIGO-UK may also notify you about the processing of your personal data in other ways, including by email or through our publications.
If you have any questions about this privacy notice, please contact the Data Protection Officer.
This Privacy Notice was last updated on 25 August 2025.