Relevant definitions
"data controller" means any person who electronically
requests, collects, collates, processes or stores personal
information from or in respect of a data subject;
"data subject" means any natural person from or in respect
of whom personal information has been requested, collected,
collated, processed or stored, after the commencement of
this Act;
"personal information" means information about an
identifiable individual, including, but not limited to-
(a) information relating to the race, gender, sex,
pregnancy, marital status, national, ethnic or social
origin, colour, sexual orientation, age, physical or mental
health, well-being, disability, religion, conscience,
belief, culture, language and birth of the individual;
(b) information relating to the education or the medical,
criminal or employment history of the individual or
information relating to financial transactions in which the
individual has been involved;
(c) any identifying number, symbol, or other particular
assigned to the individual;
(d) the address, fingerprints or blood type of the
individual;
(e) the personal opinions, views or preferences of the
individual, except where they are about another individual
or about a proposal for a grant, an award or a prize to be
made to another individual;
(f) correspondence sent by the individual that is
implicitly or explicitly of a private or confidential
nature or further correspondence that would reveal the
contents of the original correspondence;
(g) the views or opinions of another individual about the
individual;
(h) the views or opinions of another individual about a
proposal for a grant, an award or a prize to be made to the
individual, but excluding the name of the other individual
where it appears with the views or opinions of the other
individual; and
(i) the name of the individual where it appears with other
personal information relating to the individual or where
the disclosure of the name itself would reveal information
about the individual, but excludes information about an
individual who has been dead for more than 20
years;
CHAPTER VIII
PROTECTION OF PERSONAL INFORMATION
Scope of protection of personal information
50. (1) This Chapter only applies to personal information
that has been obtained through electronic
transactions.
(2) A data controller may voluntarily subscribe to the
principles outlined in section 51 by recording such fact in
any agreement with a data subject.
(3) A data controller must subscribe to all the principles
outlined in section 51 and not merely to parts
thereof.
(4) The rights and obligations of the parties in respect
of the breach of the principles outlined in section 51 are
governed by the terms of any agreement between them.
Principles for electronically collecting personal
information
51. (1) A data controller must have the express written
permission of the data subject for the collection,
collation, processing or disclosure of any personal
information on that data subject unless he or she is
permitted or required to do so by law.
(2) A data controller may not electronically request,
collect, collate, process or store personal information on
a data subject which is not necessary for the lawful
purpose for which the personal information is
required.
(3) The data controller must disclose in writing to the
data subject the specific purpose for which any personal
information is being requested, collected, collated,
processed or stored.
(4) The data controller may not use the personal
information for any other purpose than the disclosed
purpose without the express written permission of the data
subject, unless he or she is permitted or required to do so
by law.
(5) The data controller must, for as long as the personal
information is used and for a period of at least one year
thereafter, keep a record of the personal information and
the specific purpose for which the personal information was
collected.
(6) A data controller may not disclose any of the personal
information held by it to a third party, unless required or
permitted by law or specifically authorized to do so in
writing by the data subject.
(7) The data controller must, for as long as the personal
information is used and for a period of at least one year
thereafter, keep a record of any third party to whom the
personal information was disclosed and of the date on which
and the purpose for which it was disclosed.
(8) The data controller must delete or destroy all
personal information which has become obsolete.
(9) A party controlling personal information may use that
personal information to compile profiles for statistical
purposes and may freely trade with such profiles and
statistical data, as long as the profiles or statistical
data cannot be linked to any specific data subject by a
third party.