Principles relating to processing of personal data

4. (1) Personal data shall be

(a) processed lawfully, fairly and in a transparent manner in relation to the data subject;

(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;

(d) accurate and, where necessary, kept up to date and every reasonable step shall be taken to ensure that personal data that is inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;

(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed; and

(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

(2) A data controller shall, in relation to all of the personal data he processes, comply with the requirements set out in subsection (1).

(3) A data controller may specify the purpose for which personal data is obtained pursuant to subsection 1(b)

(a) in any notice given for the purposes of section 5(3)(a) by the data controller to the data subject; or

(b) in a notification given to the Commissioner pursuant to Part III.

(4) In determining whether any disclosure of personal data is compatible with the purpose for which the data is obtained in accordance with subsection 1(b), regard is to be had to the purpose for which the personal data is intended to be processed by any person to whom the data is disclosed.

(5) Subsection 1(d) is not contravened by reason of any inaccuracy in personal data which accurately record information obtained by the data controller from the data subject or a third party in a case where

(a) having regard to the purpose for which the data was obtained and further processed, the data controller has taken reasonable steps to ensure the accuracy of the data; and

(b) the data subject has notified the data controller of the data subject’s view that the data is inaccurate and the data indicates that fact.

(6) Pursuant to subsection 1(f), having regard to the state of technological development and the cost of implementing any measures, the measures must ensure a level of security appropriate to

(a) the harm that might result from such unauthorised or unlawful processing or accidental loss, destruction or damage; and

(b) the nature of the data to be protected.

(7) The data controller shall take reasonable steps to ensure that his employees who have access to the personal data comply with the requirements set out in subsection (1).

(8) Pursuant to subsection 1(f), where processing of personal data is carried out by a data processor on behalf of a data controller, the data controller shall

(a) choose a data processor who provides sufficient guarantees in respect of the technical and organisational security measures governing the processing to be carried out; and

(b) take reasonable steps to ensure compliance with the measures referred to in paragraph (a).

(9) Where processing of personal data is carried out by a data processor on behalf of a data controller, the data controller is not to be regarded as complying with subsection 1(f) unless

(a) the processing is carried out under a contract

(i) which is made or evidenced in writing; and

(ii) under which the data processor is to act only on instructions from the data controller; and

(b) the contract requires the data processor to comply with obligations equivalent to those imposed on a data controller by subsection 1(f).

(10) A person who fails to comply with the requirements set out in subsection (1) is guilty of an offence and is liable on summary conviction to a fine of $500 000 or to imprisonment for 3 years or to both.

<-- Contents page