Part 4 » Principles and Rules Relating to Processing of Personal Data

12. Principles relating to processing of personal data

  1. A data controller or data processor shall ensure that personal data is —

    1. processed lawfully, fairly and transparently;
    2. collected for explicit, specified and legitimate purposes and not further processed in a manner incompatible with those purposes;
    3. adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed;
    4. accurate and where necessary, kept up to date, with every reasonable step taken to ensure that any inaccurate personal data is erased or rectified without delay;
    5. stored in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed;
    6. processed in accordance with the rights of a data subject; and
    7. processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against any loss, destruction or damage, using appropriate technical or organisational measures.
  2. For the purposes of subsection 1(b), processing of personal data for purposes of archiving in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purpose.

13. Processing of personal data

Subject to the other provisions of this Act, a data controller may process personal data where —

  1. the data subject has given consent to the processing of that data subject’s personal data;
  2. the processing is necessary —
    1. for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
    2. for compliance with a legal obligation to which the data controller is subject;
    3. in order to protect the vital interests of the data subject or of another natural person;
    4. for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller;
    5. for the purposes of the legitimate interests pursued by the data controller or by a third party, except where such interests are overridden by the interest or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child; or
  3. the processing relates to personal data which is manifestly made public by the data subject.

14. Processing of sensitive personal data

  1. A person shall not process sensitive personal data, unless—

    1. processing is necessary for the establishment, exercise or defence of a legal claim or whenever a court is exercising a judicial function;
    2. processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services; or
    3. processing is necessary for reasons of public interest.
  2. Personal data under subsection (1)(b) may be processed when the data is processed by or under the responsibility of a professional, subject to secrecy and other obligations imposed by any law or professional bodies regulating them.
  3. Personal data referred to under subsection (1)(c) shall be processed only where adequate measures to safeguard the rights and freedoms of the data subject have been put in place.

  1. A data controller shall not process personal data unless the data subject consents to the processing.
  2. A data subject may consent to the processing of that data subject’s personal data in writing.
  3. Prior to giving consent, the data subject shall be informed of the data subject’s right to withdraw the consent.
  4. A data controller shall, where processing is based on consent, demonstrate that the data subject has consented to the processing.
  5. Where a data subject consents in the form of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language.
  6. A data subject shall have the right to withdraw consent at any time.
  7. The withdrawal of consent shall not affect the lawfulness of processing based on consent under subsection (5) before its withdrawal and all personal data collected following withdrawal of the consent shall, subject to the provisions of this Act, be destroyed immediately.
  8. A data subject may object, at any time, to the processing of that data subject’s personal data.
  9. Where a data subject has objected to the processing of that data subject’s personal data, the data controller or data processor shall no longer process that personal data.

16. Collection of personal data

  1. Subject to subsection (2), a data controller shall collect personal data directly from a data subject.
  2. A data controller may collect personal data from a source other than the data subject if —

    1. the data is contained in or derived from a public record or has intentionally been made public by the data subject;
    2. the data subject has consented to the collection of data from another source;
    3. collection of data from another source would not prejudice the interest of the data subject;
    4. collection of data from another source is necessary —

      1. to avoid prejudice to the maintenance of the law and order by any public body, including the prevention, detection, investigation, prosecution and punishment of an offence;
      2. to comply with an obligation imposed by law; or
      3. for the conduct of proceedings in any court or tribunal that have commenced or are reasonably contemplated; or
      4. for the purposes of national security;
    5. collection from the data subject would prejudice a lawful purpose of the collection;
    6. compliance is not reasonably practicable in the circumstances of the particular case; or
    7. it is —

      1. necessary for the provision of an emergency medical service to the data subject;
      2. required for the establishment of the identity of the data subject and the collection is authorised by a law written for that purpose;
      3. necessary to prevent a reasonable threat to national security, defence or public order; or
      4. necessary to prevent, investigate or prosecute a cognisable offence.

17. Processing of child and vulnerable person’s personal data

  1. Where a data subject is a child or a vulnerable person, that data subject’s right may be exercised by that data subject’s parents, legal guardian or a person exercising parental responsibility as the case may be.
  2. A data controller shall not process a child’s or vulnerable person’s personal data unless consent is given by the child’s or vulnerable person’s parent, legal guardian or a person exercising parental responsibility.
  3. A data controller shall, where the personal data of a child or a vulnerable person is involved, make every reasonable effort to verify that consent has been given or authorised, taking into account available technology.
  4. A data controller shall incorporate appropriate mechanisms for age verification and parental consent in the processing of personal data of a child.

18. Offence and penalty for contravention of personal data obligation

  1. A body corporate that contravenes the provisions of this Part commits an offence and is liable on conviction to —

    1. a fine not exceeding one hundred million penalty units; or
    2. two percent of annual turnover of the preceding financial year, whichever is higher.
  2. Where the offence is committed by a natural person, that person shall be liable, on conviction to a fine not exceeding one million penalty units or to imprisonment for a term not exceeding five years, or to both.