Privacy Notice - Imagine
Identification Register and Identification Card Privacy Notice
On this page:
- Scope
- What Personal Data We Collect
- How We Use Your Personal Data
- How We Share Your Personal Data
- Our Legal Bases for Processing Your Personal Data
- Children’s Personal Data
- Security
- International Transfers
- How Long We Keep Your Personal Data
- Cookies
- Data Protection Principles
- Your Rights
- How To Contact Us
- Changes To This Privacy Notice
1. Scope
The Office of the Registrar of the Cayman Islands Identification Register (“the Registrar”) respects your privacy and takes care in protecting your personal data. As a data controller, we comply with the Cayman Islands Data Protection Act (2021 Revision) (the "DPA"). This privacy notice ("Privacy Notice") demonstrates our commitment to ensuring your personal data is handled responsibly and applies to all personal data processing undertaken by the following:
- The Registrar, which includes:
  - The Identification Register (“the Register”)
  - The Identification Card (“the ID Card”).
This Privacy Notice also extends to cover personal data processed through the Registrar’s website(s) and middleware, including mobile and desktop applications used to perform functions in relation to the ID Card where the Registrar is the data controller.
This Privacy Notice does not apply to personal data processed by other public authorities or private entities that may have access to the Register in accordance with the Identification Register Act, 2022 ("the Register Act"). Such entities are responsible for maintaining their own privacy notices in compliance with the DPA.
Throughout this Privacy Notice, references will be made to the Cayman Islands Identification Card Act (“the ID Card Act”), with the Register Act and the ID Card Act being jointly referred to as “the Acts”.
2. What Personal Data We Collect
The Registrar collects personal data directly from you (or a delegate with authority to act on your behalf), and may also obtain it indirectly from third-party sources. The personal data collected is limited to what is necessary for the Registrar to fulfill its functions under the Acts, including enrolment in the Register and issuance of ID Cards to eligible persons. In this Privacy Notice, “personal data” means data relating to a living individual who can be identified. This includes:
- Identification details: Unique identification code, PIN and PUK.
- Identity facts: Full name, date of birth, nationality, sex, immigration status.
- Related Facts: Place of birth, identification code of parents, physical characteristics, signature, photograph, contact information, residential and mailing addresses and emergency contact information.
Additional categories of personal data may be created from the information you provide, including specific data as required under the Register Act, such as:
- Unique identification code: Assigned to you upon registration.
- Personal Identification Number (PIN): Used to authorise access to online services, which can be reset at any time.
- Personal Unblocking Number (PUK): Used to unblock your card and reset your PIN if multiple incorrect attempts are made.
Your personal data may be collected through forms requiring manual input, or from official documents, such as birth certificates, marriage certificates, court orders, utility bills and identification documents. In some cases, we may require additional supporting documentation to verify the accuracy of the data you provide.
Personal data we collect directly from you.
The Registrar may collect the following personal data directly from you:
- Identifiers: Details such as your usernames, email addresses and other unique identifiers that you provide through the Registrar's website(s), such as within comments, questions, and online forms, paper forms, and other means of communication.
- Identity facts: Your full name, date of birth, nationality, sex, immigration status, and identification code; Related facts such as place of birth, identification code of parents/delegates, physical characteristics, signature, photograph, and residential addresses.
- Visual Identifiers: Photos or images that you provide to us, whether mandated by our services or uploaded voluntarily to our systems.
- Technical Data: Details such as your IP address, device, location information, date and time, and the browser version you utilise to access our services. This category also accounts for information such as email headers, caller ID data, usage patterns, and more. For further insights into some related data collection practices, such as our use of cookies, you may refer to our Cookie Notice.
- Contact Information: Beyond the email addresses specified above, this category encompasses telephone numbers and any other contact details you may provide.
- Support and Interaction Details: Data provided within comments, questions, and web forms on the Registrar's website(s) which may include the identifiers and contact information listed above. Depending on the nature, other personal details such as employment status might also be revealed, whether through emails, online form submissions, online chat conversations, or audio and video calls. Additionally, this category captures records of your interactions with our customer support channels, including noting which support portal articles you've accessed or were referred to for assistance, as well as personal data you provide when you:
- Certificate Details: Information about the certificates stored within your Identification Card, including issuer details, validity period, and key usage purposes (such as non-repudiation or authentication), which are accessed through the middleware as part of the Public Key Infrastructure (PKI) services.
- Bluetooth and NFC Data: Information collected using Bluetooth and NFC technologies in our mobile applications.
- Interactions with other eGovernment Services: When interacting with the Register and the ID Card services, you may also interface with other eGovernment services, such as eServices Sign In, that are managed under a separate privacy notice. For more information, please refer to the Department of eGovernment Privacy Notice.
- Any other personal data where the collection is necessary to achieve our lawful purpose(s).
Personal data collected from other sources.
The Registrar may collect the following personal data from other sources:
- Personal data from public authorities and other sources as specified under the Register Act, including when individuals access services offered by the Registrar. This includes personal data such as immigration status, birth information, and information on other registrable events.
- Personal data provided by registered persons. In some cases, one registered person may provide personal data relating to other individuals, e.g., when providing emergency contact information or information about family members.
- Personal data disclosed by a delegate i.e. parent/guardian, or an authorised representative acting on behalf of an individual applying for or holding a Cayman Islands Identification Card.
- Any other personal data where the collection is necessary to achieve our lawful purpose(s).
Video Surveillance.
We use video surveillance at our office location to ensure the safety and security of our employees, visitors and property. A camera is installed at the entrance as part of our access management system, capturing video footage when the doorbell is pressed.
The footage is used to identify visitors and is securely stored for a period of 2 days, after which it is automatically deleted unless required for an ongoing investigation. Access is restricted to authorized personnel only and is not shared with third parties except as required by law.
3. How We Use Your Personal Data
The Registrar is a public authority dedicated to supporting the Cayman Islands Government by delivering efficient, secure, and customer-centred identification services that support modern public services and programmes. The Registrar may use your personal data for the following purposes:
- Establishing and maintaining the Register and the ID Card in accordance with the Acts.
- Processing requests for a person’s entry to the Register, update and verification of a person’s information in the Register, requests relating to a person’s entry in the Register, as well as for issuing, renewing, replacing, suspending, or cancelling Cayman Islands Identification Cards.
- Maintaining the database(s) for the Register and the ID Card.
- Supporting middleware software, including desktop and mobile software for Mac OS and Windows, to enable secure authentication.
- Conducting Identity Proofing and Verification (IPV) for enrolment, including online enrolment and remote IPV processes.
- Enabling the authentication and verification of identity by authorised entities for the purposes specified in the Acts, such as establishing eligibility for government services, immigration enforcement, and national security.
- Providing identification services to support the efficient and effective delivery of government services and benefits.
- Facilitating compliance with legal obligations under the Acts and other applicable legislation.
- Supporting public administration, policy development, and statistical analysis related to the Register and the ID Card.
- Responding to enquiries and managing your relationship with the Registrar.
- Verifying your identity when accessing the Registrar's services or interacting with the Registrar.
- Providing access to Register and ID Card information to registered persons and other authorised individuals or entities in accordance with the Acts.
- Verifying facts about a person to support the Registrar’s functions and operations.
- Contacting a person who has been included as an emergency contact or delegate.
- Facilitating the delivery of ID Cards, notices, and other official information.
- Measuring user interactions with the Registrar's website(s) and improving our communication channels (including through aggregated data from cookies).
- Engaging with website visitors and individuals who contact the Registrar.
- Seeking legal advice and exercising or defending legal rights in matters related to the Register and the ID Card.
- Complying with our legal obligations under the Acts and other applicable legislation, including requirements related to records and information management, financial management, and audit.
- Compiling statistical reports for internal and external reporting.
4. How We Share Your Personal Data
The Registrar may share your personal data as required under applicable legislation with recipients that include joint data controllers, data processors, and other third parties. We will only share personal data in accordance with the Acts and the DPA, including the sharing of personal data as instructed by you.
Your personal data may be shared with the following recipients who support the Registrar’s functions and operations:
- Other public authorities: Personal data may be shared with public authorities, including Ministries, Portfolios, Offices, Departments, Statutory Authorities, Statutory Bodies and Government-Owned Companies, as permitted under the Acts and in accordance with this Privacy Notice. Such sharing may be necessary for identity verification and authentication, verifying facts about a person, delivering government services, and facilitating compliance with legal obligations.
- Data processors external to the CIG: Personal data may be shared with data processors engaged to provide services to the Registrar in compliance with the DPA. These data processors assist in various processing activities, including:
  - Information Technology: Supporting IT infrastructure and applications essential to the Registrar's operations.
  - Customer Support: Managing enquiries and support requests.
  - Security & Fraud Prevention: Monitoring and protecting against security threats and fraudulent activities.
  - Public Key Infrastructure (PKI) Services: Managing digital certificates and encryption services.
  - Records & Information Management: Storing, managing, and archiving of records and information.
  - Communications: Facilitating official communications.
  - Middleware Operation and Maintenance: Maintaining middleware used for the ID Card services.
  - Identity Proofing and Verification (IPV): Handling online enrolment, remote IPV, and identity verification.
  - ID Card Enrolment & Issuance: Supporting the enrolment, issuance, and delivery of Identification Cards.
- Legal advisors, regulatory authorities, and other entities as required by law or in connection with legal proceedings: Personal data may be disclosed as required under the Acts or other applicable legislation, regulations, or legal processes. This includes sharing data with legal advisors for the purpose of obtaining legal advice, regulatory bodies and law enforcement agencies, courts and tribunals handling legal proceedings, auditors ensuring compliance, and other authorized entities where necessary to establish, exercise, or defend legal rights. Such disclosures may also occur in the context of internal or external audits, regulatory inquiries, or to comply with information security and governance requirements.
- Other third parties: Personal data may be disclosed to third parties as required under the Acts (e.g., when you choose to share your identification information via the ID Card’s QR code or through links generated from the My Info Portal) and in accordance with applicable legislation. Such disclosures may be necessary for purposes including the prevention, detection, or investigation of crimes, safeguarding national security, disaster response, or addressing public health emergencies.
5. Our Legal Bases for Processing Your Personal Data
The Registrar processes personal data based on specific legal bases, or "conditions for processing", under the DPA, depending on applicable laws and circumstances. These include:
- Compliance with a legal obligation: processing is required to fulfil the Registrar’s functions, e.g., to establish and maintain the Register, to enable the authentication and verification of identity by authorised entities, and to facilitate compliance with legal obligations under the Acts, and to comply with various obligations under the Procurement Act (2023 Revision) and Procurement Regulations (2022 Revision), the Public Management and Finance Act (2020 Revision) and Financial Regulations (2022 Revision), the Public Service Management Act (2018 Revision) and Personnel Regulations (2022 Revision), the Data Protection Act (2021 Revision) and Data Protection Regulations, 2018, and the National Archive and Public Records Act (2015 Revision).
- Exercise of public functions, such as processing which supports the functions of the Registrar, including establishing and maintaining the Register, authentication and verification of identity by authorised entities, to provide identification services to support the efficient and effective delivery of government services and benefits, and to support public administration, policy development, and statistical analysis related to the Register.
- Performance of a contract: processing is necessary to enter into or fulfil a contract, e.g., when engaging third-party service providers for system maintenance and support or when engaging a courier service to securely deliver ID Cards to applicants.
- Protection of vital interests: processing may be necessary in emergency circumstances, e.g., if you are a missing person and to facilitate a search for you.
- Legitimate interests pursued by the Registrar or by third parties to whom personal data may be disclosed, e.g., when disclosing records containing third party personal data in response to a request submitted under the Freedom of Information Act (2021 Revision).
6. Children's Personal Data
The Registrar collects personal data relating to children under the age of 18 to fulfill its functions under the Acts, including enrolment in the Register and the issuance of Identification Cards to eligible persons. We may collect children's personal data for any of the purposes set out in section 3 of this Privacy Notice.
7. Security
The Registrar has implemented appropriate technical, physical, and organisational safeguards to ensure the confidentiality, integrity, and availability of your personal data. These security measures include:
- Secure Access and Confidentiality Protocols: Systems, procedures, and protocols which ensure appropriate access to data while maintaining the security and confidentiality of information in the Register.
- Information Use and Sharing Policies: Policies, procedures and protocols govern the use and sharing of information contained in the Register.
- Auditing and Change Logging: Complete and accurate records are maintained for applications, updates, changes and access to the Register.
- Encryption: Personal data is encrypted at rest and in transit to prevent unauthorised access, even in the event of interception or if systems are compromised.
- Middleware Security: Secure middleware software is used for Identification Card services, including regular updates, encryption of data at rest and in transit, and strict access controls. Bluetooth and NFC technologies in our mobile applications are secured to protect personal data during wireless communications.
- Access Controls: Strict access controls are implemented where appropriate to ensure that only authorised personnel can access personal data, including:
  - Role-Based Access Control: Access is granted based on an individual’s job responsibilities and is limited to the minimum necessary to perform their duties.
  - Multi-Factor Authentication: The requirement to provide multiple forms of identification (e.g., password and security token) to access sensitive systems and data.
  - Regular Access Reviews: User access rights are regularly reviewed and updated to ensure they remain appropriate and to promptly remove access for individuals who no longer require it.
- Security Monitoring: Continuous monitoring of systems and networks to detect and mitigate potential security threats and incidents, including:
  - Intrusion Detection and Prevention Systems: These systems monitor network traffic for suspicious activities and assist in identifying and blocking potential threats.
  - Vulnerability Scanning and Penetration Testing: Regular assessments and testing are conducted to identify and address potential vulnerabilities in the Registrar's systems and applications.
- Physical Security: Strict measures are in place to ensure the physical security of the Registrar's data centers and offices to prevent unauthorised physical access to personal data.
- Staff Training and Awareness: Regular training ensures staff understand data protection and information security best practices.
- Third-Party Risk Management: Ensuring that any third parties processing personal data implement appropriate security measures, including:
  - Due Diligence: Conducting thorough due diligence on potential third-party service providers to assess their security posture and compliance with relevant laws and regulations.
  - Contractual Obligations: Where required by law, contracts with third-party service providers include specific security and data protection requirements, such as minimum-security standards, incident reporting obligations, and rights to audit.
- Additional Security Measures: Implementing additional technological and organisational security safeguards to maintain the integrity and confidentiality of the data, prevent unauthorised use, and to protect against accidental or intentional destruction, loss or damage.
8. International Transfers
The Registrar transfers personal data outside the Cayman Islands only where the receiving country or territory provides an adequate level of protection for your rights and freedoms or where an exemption under the DPA applies. Exemptions may include your explicit consent, or the use of appropriate safeguards, such as the EU’s Standard Contractual Clauses (SCCs).
Personal data is transferred overseas to data processors who provide essential services on the Registrar’s behalf, including:
- Secure data hosting and technical support: To ensure the availability, integrity, and security of our systems.
- Public Key Infrastructure (PKI) services: To support encryption, authentication, and digital certificate management.
- Customer support: To assist with enquiries and support requests related to specific Registrar functions.
These transfers may involve the following jurisdictions:
- EU member states, the UK, and Ireland – for Public Key Infrastructure (PKI) services, secure data hosting, and technical support.
- Other countries – for customer support related to specific Registrar functions.
All international transfers are subject to strict contractual and security measures to ensure compliance with our data protection obligations.
9. How Long We Keep Your Personal Data
The Registrar retains your personal data only for as long as necessary to fulfil the purpose(s) for which it was collected and in accordance with applicable laws. This includes compliance with the Acts and the National Archive and Public Records Act (2015 Revision), which governs the creation, maintenance, and disposal of public records. Where appropriate, we may anonymise your personal data so that it can no longer be linked to you.
10. Cookies
Cookies, along with pixels, local storage objects, and similar technologies (collectively referred to as "Cookies"), help distinguish between visitors to our website(s).
When you visit our website(s), small text files known as Cookies may be stored on your computer, phone, tablet or other device through your web browser. These files store information that can enhance your browsing experience and enable certain website functionalities.
Enabling Cookies may provide a more tailored browsing experience and is necessary for certain website functionalities. In most cases, Cookies do not provide us with your personal data.
For more information about how we use Cookies, please consult the Cayman Islands Government’s eGovernment Cookie Notice.
11. Data Protection Principles
When processing your personal data, the Registrar will comply with the eight Data Protection Principles defined within the DPA:
- Fair and lawful processing: Personal data shall be processed fairly. In addition, personal data may be processed only if certain conditions are met, for example the data controller is subject to a legal obligation that requires the processing, or the processing is necessary for exercise of public functions.
- Purpose limitation: Personal data shall be obtained only for one or more specified, explicit, and legitimate purposes, and not processed further in any manner incompatible with that purpose or those purposes.
- Data minimisation: Personal data shall be adequate, relevant, and not excessive in relation to the purpose or purposes for which they are collected or processed.
- Data accuracy: Personal data shall be accurate and, where necessary, kept up to date.
- Storage limitation: Personal data processed for any purpose shall not be kept for longer than is necessary for that purpose.
- Respect for the individual’s rights: Personal data shall be processed in accordance with the rights of data subjects under the DPA, including subject access.
- Security – confidentiality, integrity, and availability: Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
- International transfers: Personal data shall not be transferred to a country or territory unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
12. Your Rights
The Registrar will respect and honour your rights in relation to your personal data and implement measures that allow you to exercise your rights under the DPA, the Acts, and other applicable legislation.
In accordance with the DPA, your rights in relation to your own personal data include:
- The right to be informed and the right of access: The right to request access to all personal data the Registrar maintains about you as well as supplementary information about why and how we are processing your personal data. This is commonly known as a Data Subject Access Request and certain supplementary information about our processing is contained within this Privacy Notice.
- Rights in relation to inaccurate data: The right to request the rectification, blocking, erasure, or destruction of any inaccurate personal data the Registrar maintains on you. We will ensure, through all reasonable measures, that your personal data is accurate, complete and, where necessary, up-to-date, especially if it is to be used in a decision-making process.
- The right to stop or restrict Processing: The right to restrict or stop how the Registrar uses your personal data in certain circumstances.
- The right to stop direct marketing: The right to cease the use of your personal data by the Registrar for direct marketing purposes. The Registrar does not currently carry out any direct marketing activities. However, we will update this Privacy Notice as required if this position changes.
- Rights in relation to automated decision making: The right to obtain information about and object to the use of automated decision making by the Registrar using your personal data.
- The right to complain: The right to complain to the Ombudsman about any perceived violation of the DPA by the Registrar.
- The right to seek compensation: The right to seek compensation in the Court if you suffer damage due to a contravention of the DPA by the Registrar.
You may contact the Registrar using the contact details below, to exercise your rights under the DPA or the Acts. This includes your right under the Register Act to obtain a record of access to your identification information.
The Registrar will assess requests in accordance with the Acts, DPA or other applicable legislation, considering any limitations, conditions, exemptions or exceptions that may apply.
Before processing a request, we may need to verify your identity and request additional information if necessary. In accordance with the DPA, the Registrar may charge a reasonable fee for requests deemed unfounded or excessive, or, in some cases, may decline to comply.
To learn more about your rights, visit https://ombudsman.ky/data-protection-organisation/individual-rights.
13. How to Contact Us
The Registrar has appointed a Data Protection Leader. If you have any questions about this Privacy Notice or how your personal data is handled, or if you wish to make a complaint, please contact:
Name: Ian Tibbetts, Director of eGovernment and Registrar of the Identity Registry
Telephone Number: +1 (345) 244-3614
Email Address: privacy@egov.ky
Address: 89 Nexus Way, Suite 8210 | Grand Cayman KY1-9000 | Cayman Islands
The Registrar aims to resolve enquiries and complaints in a respectful and timely manner.
14. Changes to this Privacy Notice
The Registrar reserves the right to update this Privacy Notice at any time and will publish a new Privacy Notice when we make any substantial updates. From time to time, the Registrar may also notify you about the processing of your personal data in other ways, including by email or through our publications.
To keep you informed of changes, we maintain a version history of this Privacy Notice. The table below outlines the history of revisions and reviews, providing details about the version number, type of action (reviewed or updated), date, and any relevant remarks.
Version # | Date | Remarks |
---|---|---|
1.0 | 27/02/2025 | Completed Privacy Notice |
1.1 (Current) | 28/02/2025 | Updated wording for clarity and accuracy. Minor revision to sections 4(d) and 5(c). Added two additional social media pages. |