Collection and storage of data
Collection and management
In what circumstances can personal data be collected, stored and processed?
Section 13 of the Personal Data Protection Act provides that an organisation may collect, use or disclose an individual’s personal data only with an individual’s express or deemed consent.
Section 20 of the Personal Data Protection Act requires organisations to inform individuals of the purposes for which their personal data will be collected, used and disclosed on or before collecting such data.
Section 18 of the Personal Data Protection Act provides that an organisation’s collection, use or disclosure of personal data is limited to purposes:
- that a reasonable person would consider appropriate in the circumstances; and
- for which notification has been made to the individual concerned.
Are there any limitations or restrictions on the period for which an organisation may (or must) retain records?
Yes, Section 25 of the Personal Data Protection Act provides that an organisation must cease to retain documents containing personal data, or remove the means by which the personal data can be associated with particular individuals, as soon as it is reasonable to assume that:
- the purpose for which that data was collected is no longer being served; and
- retention is no longer necessary for legal or business purposes.
Do individuals have a right to access personal information about them that is held by an organisation?
Yes, individuals have a qualified right to access personal information under Section 21(1) of the Personal Data Protection Act. Access to personal data is limited to:
- personal data that is within the possession and control of the organisation; and
- any information about the ways in which such data has been used one year before the request.
Exceptions to the access obligation exist under Section 21(3) and the Fifth Schedule of the Personal Data Protection Act.
Do individuals have a right to request deletion of their data?
Individuals can request deletion of their data if necessary to correct an error or omission in personal data held by or under the control of an organisation (Section 22(1) of the Personal Data Protection Act).
Otherwise, individuals may withdraw their consent to the collection, use and disclosure of their personal data under Section 16 of the act. Under such circumstances, organisations must cease collecting, using or disclosing the personal data but they are not required to delete it.
Is consent required before processing personal data?
Yes, consent is required under Section 13 of the Personal Data Protection Act.
If consent is not provided, are there other circumstances in which data processing is permitted?
The Second through Fourth Schedules of the Personal Data Protection Act provide for circumstances in which personal data may be collected, used or disclosed without consent.
What information must be provided to individuals when personal data is collected?
Section 20 of the Personal Data Protection Act provides that an organisation must inform the individual of:
- the purposes for which the personal data is being collected, used or disclosed when or before it is collected;
- any other purpose for which the data is being used or disclosed of which an individual has not been informed under Section 20(1)(a), before the use or disclosure of the data for that purpose; and
- on request by the individual, the business contact information of a person who can answer on behalf of the organisation the individual’s questions about the collection, use or disclosure of personal data.