
Collection and storage of data

Collection and management

In what circumstances can personal data be collected, stored and processed?

The Privacy Rules specify that a body corporate may collect sensitive personal data:

  • for a lawful purpose connected with a function or activity of the body corporate or any person on its behalf; and
  • if the collection of sensitive personal data or information is considered necessary for that purpose.

Are there any limitations or restrictions on the period for which an organisation may (or must) retain records?

Yes, the Privacy Rules specify that sensitive personal data cannot be retained for longer than is required for the purpose for which it was lawfully collected or as otherwise required under another law. Under the data retention provisions set out in various laws, companies are generally required to retain data for eight financial years.

Do individuals have a right to access personal information about them that is held by an organisation?

Under the Privacy Rules, data subjects have a right to review the information provided by them. The data controller, at the request of the data subjects, must correct any deficiencies or inaccuracies in the information provided. Further, data controllers must address data subjects' grievances in a timely manner and in any event within one month of receiving the grievance.

Do individuals have a right to request deletion of their data?

The Privacy Rules do not specifically provide data subjects with the right to request deletion of their data. However, data subjects have the right to withdraw their consent to process data. Once consent is withdrawn, data controllers and processors cannot process the data subject's sensitive personal data. If a data subject withdraws his or her consent, the data processor can stop the provision of services. 

Consent obligations

Is consent required before processing personal data?

Under the Privacy Rules, the data subject’s consent is required before processing any sensitive personal data. Consent must be obtained in writing by letter, fax, email or any mode of electronic communication. Consent must be express and thus implied consent is not recognised. 

If consent is not provided, are there other circumstances in which data processing is permitted?

Prior express consent must be obtained from the data subject, with no exceptions. However, notably, the Privacy Rules apply only if the parties have not agreed to their own reasonable security practices and procedures. 

What information must be provided to individuals when personal data is collected?

The Privacy Rules require data controllers to provide data subjects with the following information:

  • the fact that the information is being collected;
  • the purpose for which the information is being collected;
  • the intended recipients of the information; and
  • the name and address of the agency that is collecting the information and will retain it.
