(b) the cost of implementing any of the security measures;
(c) the special risks that exist in the processing of the data; and
(d) the nature of the data being processed.
28.
Duty to destroy personal data
(1)
Where the purpose for keeping personal data has lapsed, the data
controller shall –
(a)
destroy such data as soon as reasonably practicable;
and
(b)
(2)
notify any data processor holding such data.
Any data processor who receives a notification under subsection (1)
(b) shall, as soon as reasonably practicable, destroy the data specified by
the data controller.
29.
Unlawful disclosure of personal data
(1)
Any data controller who, without lawful excuse, discloses personal
data in any manner that is incompatible with the purposes for which such
data has been collected shall commit an offence.
(2)
Any data processor who, without lawful excuse, discloses personal
data processed by him without the prior authority of the data controller on
whose behalf such data is or has been processed shall commit an offence.
(3)
Subject to subsection (4), any person who (a)
obtains access to personal data, or obtains any information
constituting such data, without prior authority of the data controller
or data processor by whom such data is kept; and
(b)
discloses the data or information to another person,
shall commit an offence.
(4)
Subsection (3) shall not apply to a person who is an employee or
agent of a data controller or processor and is acting within his mandate.