GOVERNMENT
23708
48
No.
Act No. 25,2002
GAZETIE, 2 AUGUST 2002
ELECTRONIC
COMMUNICATIONS
AND
TRANSACTIONS ACT, 2002
for the collection, collation, processingor disclosure of any personal information on that
data subject unless he or she is permitted or required to do so by law.
( 2 )A data controller may not electronically request, collect, collate, process or store
personal information on a data subject which is not necessary for the lawful purpose for
which the personal information is required.
(3) The data controller must disclose
in writing to the data subject the specific purpose
for which any personal information is being requested, collected, collated, processedor
stored.
(4) The data controller may not use the personal information for any other purpose
than the disclosed purpose without the express written permission of the data subject,
unless he or she is permitted or required to do so by law.
( 5 ) The data controller must,for as long as the personal information is used and for a
period of at least one year thereafter, keep a record of the personal information and the
specific purpose for which the personal information was collected.
(6) A data controller may not disclose any of the personal information held by it to a
third party. unless required or permitted by law or specifically authorised to do so in
writing by the data subject.
(7) The data controller must. for as long as the personal information is used and for a
period ofat least one year thereafter, keep a record of any third party to whom the
personal information was disclosed and of the date on which and the purpose for which
it was disclosed.
(8) The data controller must delete or destroy all personal information which has
become obsolete.
(9) A party controlling personal information may use that personal information to
compile profiles for statistical purposes and may freely trade with such profiles and
statistical data. as long as the profiles or statistical data cannot be linked to any specific
data subject by a third party.
5
10
15
20
25
CHAPTER IX
PROTECTION OF CRITICAL DATABASES
Scope of critical database protection
30
52. The provisions of this Chapter only apply to a critical database administratorand
critical databases or parts thereof.
Identification of critical data andcritical databases
53. The Minister may by notice in the Guzerre( a ) declare certain classes of information which is of importance to the protection 35
of the national security of the Republic or the economic and socialwell-being
of its citizens to be critical data for the purposes of this Chapter; and
( [ I ) establish procedures to be followed in the identification of critical databases
for the purposes of this Chapter.
Registration of critical databases
40
54. ( 1 ) The Minister may by notice in the Gazerto determine( a ) requirements for the registration of critical databases with the Department or
such other body as the Minister may specify;
(bj procedures to be followed for registration: and
(cJ any other matter relating to registration.
45
( 3 ) For purposes of this Chapter, registration of a critical database means recording
the following information in a register maintained by the Department or by such other
body as the Minister may specify:
( a ) The full name, address and contact details of the critical database administrator;
50
(12)
the location of the critical database,includingthelocations
of component
parts thereof where a critical database is not stored at a single location; and