Privacy Policy
Last Updated: 10 January 2026
Effective Date: 10 January 2026
1. INTRODUCTION
The Cayman Islands Blood Bank (“we”, “us”, or “our”) operates as a division of the Cayman Islands Health Services Authority (HSA). We are committed to protecting your privacy and ensuring the safety and confidentiality of your personal data in accordance with the highest standards.
This Privacy Policy explains how we collect, use, share, retain, and protect your personal information. It applies to all individuals whose data we process, including but not limited to: donors, patients, recipients, visitors, website users, and anyone who interacts with our services through digital or in-person channels.
We adhere to the Cayman Islands Data Protection Act (DPA), 2021 and uphold the privacy and security standards established by the HSA.
2. THE DATA WE COLLECT
We collect personal data to provide safe, effective, and personalized services. This includes:
A. Identity and Contact Data: Your name, date of birth, government-issued identification details, address, email address, and telephone number.
B. Special Category Data: This includes health-related information essential for donation safety and medical care, such as:
- Your blood type and donation history.
- Your responses to medical and lifestyle eligibility screenings.
- Any relevant medical information provided by you or noted by our staff.
C. Technical Data: When you use our website (www.bloodbank.ky), we may automatically collect your IP address, browser type, operating system, and usage information via analytics tools.
D. Appointment Data: Information you provide when scheduling an appointment through our third-party booking platform, Cal.com, such as your name, contact details, and preferred date/time.
E. Visual Data: Photographs taken for visitor security badges or, in clinical contexts, for patient identification and care.
3. HOW WE USE YOUR INFORMATION (PURPOSES & LEGAL BASES)
We will only use your personal data for the purposes for which we collected it, as outlined below. We process your data on the following legal bases under the DPA:
| Purpose of Processing | Categories of Personal Data | Our Legal Basis (Under the DPA) |
| --- | --- | --- |
| To manage your donor registration, appointments, and records. | Identity, Contact, Appointment Data. | Necessary for the performance of a task in the public interest (operating the national blood bank). |
| To conduct medical screening and ensure the safety of donations for donors and recipients. | Identity, Contact, Special Category (Health) Data. | Explicit Consent (for processing special category health data). Necessary for reasons of public health and preventive medicine. |
| To communicate about your donation, appointments, or follow-up care. | Identity, Contact Data. | Necessary for our legitimate interests (efficient service delivery) and public interest. |
| To send you direct marketing (e.g., donation campaigns, newsletters). | Identity, Contact Data. | Your Explicit, Prior Consent. You can withdraw consent at any time. |
| To ensure the security of our premises, staff, and visitors via CCTV. | Visual Images (CCTV). | Necessary for our legitimate interests (crime prevention, security, and safety). |
| To maintain website security, functionality, and analytics. | Technical Data. | Necessary for our legitimate interests (website administration and improvement). |
| To comply with legal and regulatory obligations (e.g., public health reporting). | All relevant data categories. | Necessary for compliance with a legal obligation. |
4. DIRECT MARKETING
We will only send you direct marketing communications (such as emails or SMS about donation drives, events, or newsletters) if you have given us your prior, explicit, and freely given consent.
You have the absolute right to object to direct marketing and to withdraw your consent at any time. You can opt out by:
- Clicking the “unsubscribe” link in any marketing email.
- Contacting us at info@bloodbank.ky or (345) 244-2674.
We will never sell, rent, or share your personal information with third-party marketers.
5. HOW WE SHARE YOUR INFORMATION
We treat your information with confidentiality. We only share it in the following circumstances:
- Within the HSA: To maintain centralized medical records and coordinate care.
- Service Providers: With trusted third parties who provide services on our behalf under strict contractual agreements (e.g., Cal.com for scheduling, IT support, cloud storage providers like Microsoft Azure, and external laboratories for blood testing).
- Legal and Regulatory Authorities: Where required by law, public health regulation, or in response to a valid legal request from a law enforcement or regulatory body.
- In an Emergency: To protect your vital interests or the vital interests of another person.
All third parties are contractually obligated to protect your data to the standard required by the DPA.
6. DATA SECURITY
We implement robust technical and organizational measures to protect your data against unauthorized access, alteration, disclosure, or destruction. These measures include encryption, secure hosting, access controls, and regular security assessments. Our website and booking systems use modern encryption protocols.
7. DATA RETENTION
We retain your personal data only for as long as necessary to fulfill the purposes we collected it for, including to satisfy any legal, accounting, or medical reporting requirements.
Our specific retention periods are:
- Donor Health Records: Retained for 30 years from the date of your last donation, in line with medical standards for traceability and public health.
- Appointment Records: Retained for 7 years for audit and service improvement purposes.
- CCTV Footage: Retained for 30 days, unless required as evidence in an investigation.
- Visitor Photo Badge Data: Deleted within 24 hours of your visit, unless an incident requires longer retention.
- Feedback Data: Retained for 2 years for service evaluation.
- General Administrative Records: Managed in accordance with the Cayman Islands National Archive and Public Records Law.
8. YOUR LEGAL RIGHTS UNDER THE DPA
Under the DPA, you have the right to:
- Request access to your personal data.
- Request correction of inaccurate or incomplete data.
- Withdraw consent at any time (where processing is based on consent).
- Request deletion of your data, under certain conditions.
- Object to or restrict processing of your data.
- Request data portability (where applicable).
These rights are not absolute and may be subject to legal exemptions. To exercise any of these rights, please contact us using the details in Section 12.
You also have the right to lodge a complaint with the Cayman Islands Ombudsman.
9. CHILDREN'S PRIVACY
We do not knowingly collect personal data from individuals under the age of 18 without verified, written consent from a parent or legal guardian. Donation by minors follows strict HSA protocols requiring parental consent and accompaniment.
10. COOKIES & EXTERNAL LINKS
Our website uses essential and analytics cookies. You can manage cookie preferences via your browser settings. For details, please see our separate Cookie Policy.
Our site may contain links to third-party websites. We are not responsible for their privacy practices and encourage you to read their privacy policies.
11. CHANGES TO THIS POLICY
We may update this policy periodically. The "Last Updated" date at the top will reflect changes. Significant changes will be communicated via our website or, where appropriate, by email.
12. CONTACT US
For questions, concerns, or to exercise your data rights, please contact:
The Data Protection Officer
Cayman Islands Blood Bank | Health Services Authority
95 Hospital Road (2nd Floor) | PO Box 915 | Grand Cayman KY11103
Phone: +1 (345) 244-2674
Email: info@bloodbank.ky