collection;
(d) for the preparation or conduct of proceedings before a court or
tribunal that have been commenced or are reasonably
contemplated;
(e) for the protection of national security;
(f) to avoid the prejudice of a lawful purpose;
(g) to ensure that the data cannot be used in a form in which the data
subject is identified; or
(h) because the data is to be used for historical, statistical or research
purposes.
Security measures
28. (1) A data controller shall take the necessary steps to secure the integrity
of personal data in the possession or control of a person through the adoption of
appropriate, reasonable, technical and organisational measures to prevent
(a) loss of, damage to, or unauthorised destruction; and
(b) unlawful access to or unauthorised processing of personal
data.
(2) To give effect to subsection (1), the data controller shall take
reasonable measures to
(a) identify reasonably foreseeable internal and external risks to
personal data under that person’s possession or control;
(b) establish and maintain appropriate safeguards against the
identified risks;
(c) regularly verify that the safeguards are effectively implemented;
and
(d) ensure that the safeguards are continually updated in
response to new risks or deficiencies.
(3) A data controller shall observe
(a) generally accepted information security practices and procedure,
and
(b) specific industry or professional rules and regulations.
Data processed by data processor or an authorised person
29. (1) A data processor or a person who processes personal data on
behalf of a data controller shall
(a) process the data only with the prior knowledge or authorisation of
the data controller, and
(b) treat the personal data which comes to the knowledge of the data
processor or the other person as confidential.
(2) A data processor or a person who processes personal data on behalf
of a data controller shall not disclose the data unless
(a) required by law, or
(b) in the course of the discharge of a duty.
Data processor to comply with security measures
30. (1) A data controller shall ensure that a data processor who processes
