PART 4
COLLECTION, USE AND DISCLOSURE OF PERSONAL DATA
Division 1 — Consent
Consent required
13.  An organisation must not, on or after 2 July 2014, collect, use or disclose personal data about an individual unless —
(a) the individual gives, or is deemed to have given, his or her consent under this Act to the collection, use or disclosure, as the case may be; or
(b) the collection, use or disclosure (as the case may be) without the individual’s consent is required or authorised under this Act or any other written law.
Provision of consent
14.—(1)  An individual has not given consent under this Act for the collection, use or disclosure of personal data about the individual by an organisation for a purpose unless —
(a) the individual has been provided with the information required under section 20; and
(b) the individual provided his or her consent for that purpose in accordance with this Act.
(2)  An organisation must not —
(a) as a condition of providing a product or service, require an individual to consent to the collection, use or disclosure of personal data about the individual beyond what is reasonable to provide the product or service to that individual; or
(b) obtain or attempt to obtain consent for collecting, using or disclosing personal data by providing false or misleading information with respect to the collection, use or disclosure of the personal data, or using deceptive or misleading practices.
(3)  Any consent given in any of the circumstances in subsection (2) is not validly given for the purposes of this Act.
(4)  In this Act, references to consent given, or deemed to have been given, by an individual for the collection, use or disclosure of personal data about the individual include consent given, or deemed to have been given, by any person validly acting on that individual’s behalf for the collection, use or disclosure of such personal data.
Deemed consent
15.—(1)  An individual is deemed to consent to the collection, use or disclosure of personal data about the individual by an organisation for a purpose if —
(a) the individual, without actually giving consent mentioned in section 14, voluntarily provides the personal data to the organisation for that purpose; and
(b) it is reasonable that the individual would voluntarily provide the data.
(2)  If an individual gives, or is deemed to have given, consent to the disclosure of personal data about the individual by one organisation to another organisation for a particular purpose, the individual is deemed to consent to the collection, use or disclosure of the personal data for that particular purpose by that other organisation.
(3)  Without limiting subsection (2) and subject to subsection (9), an individual (P) who provides personal data to an organisation (A) with a view to P entering into a contract with A is deemed to consent to the following where reasonably necessary for the conclusion of the contract between P and A:
(a) the disclosure of that personal data by A to another organisation (B);
(b) the collection and use of that personal data by B;
(c) the disclosure of that personal data by B to another organisation.
[40/2020]
(4)  Where an organisation collects personal data disclosed to it by B under subsection (3)(c), subsection (3)(b) and (c) applies to the organisation as if the personal data were disclosed by A to the organisation under subsection (3)(a).
[40/2020]
(5)  Subsections (3) and (4) apply to personal data provided before 1 February 2021 by an individual to an organisation with a view to the individual entering into a contract with the organisation —
(a) on or after 1 February 2021; or
(b) which contract was entered into before 1 February 2021 and remains in force on that date,
as if subsections (3) and (4) —
(c) were in force when the personal data was so provided; and
(d) had continued in force until 1 February 2021.
[40/2020]
(6)  Without limiting subsection (2) and subject to subsection (9), an individual (P) who enters into a contract with an organisation (A) and provides personal data to A pursuant or in relation to that contract is deemed to consent to the following:
(a) the disclosure of that personal data by A to another organisation (B), where the disclosure is reasonably necessary —
(i) for the performance of the contract between P and A; or
(ii) for the conclusion or performance of a contract between A and B which is entered into at P’s request, or which a reasonable person would consider to be in P’s interest;
(b) the collection and use of that personal data by B, where the collection and use are reasonably necessary for any purpose mentioned in paragraph (a);
(c) the disclosure of that personal data by B to another organisation, where the disclosure is reasonably necessary for any purpose mentioned in paragraph (a).
[40/2020]
(7)  Where an organisation collects personal data disclosed to it by B under subsection (6)(c), subsection (6)(b) and (c) applies to the organisation as if the personal data were disclosed by A to the organisation under subsection (6)(a).
[40/2020]
(8)  Subsections (6) and (7) apply to personal data provided before 1 February 2021 by an individual to an organisation in relation to a contract that the individual entered into before that date with the organisation, and which remains in force on that date, as if subsections (6) and (7) —
(a) were in force when the personal data was so provided; and
(b) had continued in force until 1 February 2021.
[40/2020]
(9)  Subsections (3), (4), (5), (6), (7) and (8) do not affect any obligation under the contract between P and A that specifies or restricts —
(a) the personal data provided by P that A may disclose to another organisation; or
(b) the purposes for which A may disclose the personal data provided by P to another organisation.
[40/2020]
Deemed consent by notification
15A.—(1)  This section applies to the collection, use or disclosure of personal data about an individual by an organisation on or after 1 February 2021.
[40/2020]
(2)  Subject to subsection (3), an individual is deemed to consent to the collection, use or disclosure of personal data about the individual by an organisation if —
(a) the organisation satisfies the requirements in subsection (4); and
(b) the individual does not notify the organisation, before the expiry of the period mentioned in subsection (4)(b)(iii), that the individual does not consent to the proposed collection, use or disclosure of the personal data by the organisation.
[40/2020]
(3)  Subsection (2) does not apply to the collection, use or disclosure of personal data about the individual for any prescribed purpose.
[40/2020]
(4)  For the purposes of subsection (2)(a), the organisation must, before collecting, using or disclosing any personal data about the individual —
(a) conduct an assessment to determine that the proposed collection, use or disclosure of the personal data is not likely to have an adverse effect on the individual;
(b) take reasonable steps to bring the following information to the attention of the individual:
(i) the organisation’s intention to collect, use or disclose the personal data;
(ii) the purpose for which the personal data will be collected, used or disclosed;
(iii) a reasonable period within which, and a reasonable manner by which, the individual may notify the organisation that the individual does not consent to the organisation’s proposed collection, use or disclosure of the personal data; and
(c) satisfy any other prescribed requirements.
[40/2020]
(5)  The organisation must, in respect of the assessment mentioned in subsection (4)(a) —
(a) identify any adverse effect that the proposed collection, use or disclosure of the personal data for the purpose concerned is likely to have on the individual;
(b) identify and implement reasonable measures to —
(i) eliminate the adverse effect;
(ii) reduce the likelihood that the adverse effect will occur; or
(iii) mitigate the adverse effect; and
(c) comply with any other prescribed requirements.
[40/2020]
Withdrawal of consent
16.—(1)  On giving reasonable notice to the organisation, an individual may at any time withdraw any consent given, or deemed to have been given under this Act, in respect of the collection, use or disclosure by that organisation of personal data about the individual for any purpose.
(2)  On receipt of the notice mentioned in subsection (1), the organisation concerned must inform the individual of the likely consequences of withdrawing his or her consent.
(3)  An organisation must not prohibit an individual from withdrawing his or her consent to the collection, use or disclosure of personal data about the individual, but this section does not affect any legal consequences arising from such withdrawal.
(4)  Subject to section 25, if an individual withdraws consent to the collection, use or disclosure of personal data about the individual by an organisation for any purpose, the organisation must cease (and cause its data intermediaries and agents to cease) collecting, using or disclosing the personal data (as the case may be) unless such collection, use or disclosure (as the case may be) without the individual’s consent is required or authorised under this Act or other written law.
Collection, use and disclosure without consent
17.—(1)  An organisation may —
(a) collect personal data about an individual, without the individual’s consent or from a source other than the individual, in the circumstances or for the purposes, and subject to any condition, in the First Schedule or Part 1 of the Second Schedule;
(b) use personal data about an individual without the individual’s consent, in the circumstances or for the purposes, and subject to any condition, in the First Schedule or Part 2 of the Second Schedule; or
(c) disclose personal data about an individual without the individual’s consent, in the circumstances or for the purposes, and subject to any condition, in the First Schedule or Part 3 of the Second Schedule.
[40/2020]
(2)  Unless otherwise provided under this Act, an organisation may —
(a) collect personal data about an individual that the organisation receives by way of a disclosure to the organisation —
(i) on or after 1 February 2021 in accordance with subsection (1)(c); or
(ii) before 1 February 2021 in accordance with section 17(3) as in force before that date,
for purposes consistent with the purpose of that disclosure, or for any purpose permitted by subsection (1)(a); or
(b) use or disclose personal data about an individual that —
(i) is collected by the organisation on or after 1 February 2021 in accordance with subsection (1)(a); or
(ii) was collected by the organisation before 1 February 2021 in accordance with section 17(1) as in force before that date,
for purposes consistent with the purpose of that collection, or for any purpose permitted by subsection (1)(b) or (c), as the case may be.
[40/2020]
Division 2 — Purpose
Limitation of purpose and extent
18.  An organisation may collect, use or disclose personal data about an individual only for purposes —
(a) that a reasonable person would consider appropriate in the circumstances; and
(b) that the individual has been informed of under section 20, if applicable.
Personal data collected before 2 July 2014
19.  Despite the other provisions in this Part, an organisation may use personal data about an individual collected before 2 July 2014 for the purposes for which the personal data was collected unless —
(a) consent for such use is withdrawn in accordance with section 16; or
(b) the individual, whether before, on or after 2 July 2014, has otherwise indicated to the organisation that he or she does not consent to the use of the personal data.
Notification of purpose
20.—(1)  For the purposes of sections 14(1)(a) and 18(b), an organisation must inform the individual of —
(a) the purposes for the collection, use or disclosure of the personal data (as the case may be) on or before collecting the personal data;
(b) any other purpose of the use or disclosure of the personal data of which the individual has not been informed under paragraph (a), before the use or disclosure of the personal data for that purpose; and
(c) on request by the individual, the business contact information of a person who is able to answer on behalf of the organisation the individual’s questions about the collection, use or disclosure of the personal data.
(2)  An organisation, on or before collecting personal data about an individual from another organisation without the individual’s consent, must provide the other organisation with sufficient information regarding the purpose of the collection to allow that other organisation to determine whether the disclosure would be in accordance with this Act.
(3)  Subsection (1) does not apply if —
(a) the individual is deemed to have consented to the collection, use or disclosure (as the case may be) under section 15 or 15A; or
(b) the organisation collects, uses or discloses the personal data without the individual’s consent in accordance with section 17.
[40/2020]
(4)  Despite subsection (3), an organisation must comply with subsection (5) on or before collecting, using or disclosing personal data about an individual for the purpose of or in relation to the organisation —
(a) entering into an employment relationship with the individual or appointing the individual to any office; or
(b) managing or terminating the employment relationship with or appointment of the individual.
[40/2020]
(5)  For the purposes of subsection (4), the organisation must inform the individual of the following:
(a) the purpose for which the organisation is collecting, using or disclosing (as the case may be) the personal data about the individual;
(b) on request by the individual, the business contact information of a person who is able to answer the individual’s questions about that collection, use or disclosure (as the case may be) on behalf of the organisation.
[40/2020]