Acts 2017
22. Duties of controller
(1) Every controller shall adopt policies and implement
appropriate technical and organisational measures so as to ensure and be
able to demonstrate that the processing of personal data is performed in
accordance with this Act.
(2) The measures referred to in subsection (1) shall include –
(a) implementing appropriate data security and
organisational measures in accordance with section 31;
(b) keeping a record of all processing operations in
accordance with section 33;
(c) performing a data protection impact assessment in
accordance with section 34;
(d) complying with the requirements for prior authorisation
from, or consultation with the Commissioner pursuant
to section 35; and
(e) designating an officer responsible for data protection
compliance issues.
(3) Every controller shall implement such policies and
mechanisms as may be required to ensure verification of the effectiveness
of the measures referred to in this section.
23. Collection of personal data
(1) Subject to section 44, a controller shall not collect personal
data unless –
(a) it is done for a lawful purpose connected with a function
or activity of the controller; and
(b) the collection of the data is necessary for that purpose.
(2) Subject to subsection (3), where a controller collects personal
data directly from a data subject, the controller shall, at the time of collecting
the personal data, ensure that the data subject concerned is informed of –
(a) the identity and contact details of the controller and,
where applicable, its representative and any data
protection officer;