Additional bases for collection, use and disclosure of personal data without consent
Part 1
COLLECTION OF PERSONAL DATA
1. The collection of personal data about an individual, if —
(a)
the personal data was disclosed by a public agency; and
(b)
the collection of the personal data by the organisation is consistent with the purpose of the disclosure by the public agency.
Part 2
USE OF PERSONAL DATA
Division 1 — Public interest
1. The use of personal data about an individual, if —
(a)
the personal data was disclosed by a public agency; and
(b)
the use of the personal data by the organisation is consistent with the purpose of the disclosure by the public agency.
Division 2 — Business improvement purpose
1.—(1) Subject to the conditions in sub‑paragraph (2), personal data about an individual (P) is used by the organisation for any of the following purposes:
(a)
improving or enhancing any goods or services provided, or developing new goods or services to be provided, by the organisation;
(b)
improving or enhancing the methods or processes, or developing new methods or processes, for the operations of the organisation;
(c)
learning about and understanding the behaviour and preferences of P or another individual in relation to the goods or services provided by the organisation;
(d)
identifying any goods or services provided by the organisation that may be suitable for P or another individual, or personalising or customising any such goods or services for P or another individual.
(2) Sub‑paragraph (1) applies only if —
(a)
the purpose for which the organisation uses personal data about P cannot reasonably be achieved without the use of the personal data in an individually identifiable form; and
(b)
a reasonable person would consider the use of personal data about P for that purpose to be appropriate in the circumstances.
(3) To avoid doubt, sub‑paragraph (1) does not apply to the use of personal data about P for the purpose of sending to P or another individual a message for an applicable purpose within the meaning given by section 37(6).
(4) In this paragraph, “organisation” excludes a corporation within the meaning given by section 4(1) of the Companies Act 1967.
Division 3 — Research
1. The use of personal data about an individual for a research purpose (including historical or statistical research), if —
(a)
the research purpose cannot reasonably be accomplished unless the personal data is used in an individually identifiable form;
(b)
there is a clear public benefit to using the personal data for the research purpose;
(c)
the results of the research will not be used to make any decision that affects the individual; and
(d)
in the event that the results of the research are published, the organisation publishes the results in a form that does not identify the individual.
Part 3
DISCLOSURE OF PERSONAL DATA WITHOUT CONSENT
Division 1 — Public interest
1. The disclosure of personal data about an individual to a public agency, where the disclosure is necessary in the public interest.
2. The disclosure of personal data about an individual who is a current or former student of an educational institution to a public agency for the purposes of policy formulation or review.
3. The disclosure of personal data about an individual who is a current or former patient of any of the following to a public agency for the purposes of policy formulation or review:
(a)
a healthcare institution licensed under the Private Hospitals and Medical Clinics Act 1980;
(b)
a licensee under the Healthcare Services Act 2020;
(c)
a prescribed healthcare body.
4. The disclosure of personal data about any individual to any officer of a prescribed law enforcement agency, upon production of written authorisation signed by the head or director of that prescribed law enforcement agency or a person of a similar rank, certifying that the personal data is necessary for the purposes of the functions or duties of the officer.
Division 2 — Research
1. The disclosure of personal data about an individual for a research purpose (including historical or statistical research), if —
(a)
the research purpose cannot reasonably be accomplished unless the personal data is disclosed in an individually identifiable form;
(b)
it is impracticable for the organisation to seek the individual’s consent for the disclosure;
(c)
there is a clear public benefit to disclosing the personal data for the research purpose;
(d)
the results of the research will not be used to make a decision that affects the individual; and
(e)
in the event that the results of the research are published, the organisation publishes the results in a form that does not identify the individual.