§ 15A — Deemed consent by notification

15A.—(1) This section applies to the collection, use or disclosure of personal data about an individual by an organisation on or after 1 February 2021.[40/2020]

(2) Subject to subsection (3), an individual is deemed to consent to the collection, use or disclosure of personal data about the individual by an organisation if —(a)

the organisation satisfies the requirements in subsection (4); and

(b)

the individual does not notify the organisation, before the expiry of the period mentioned in subsection (4)(b)(iii), that the individual does not consent to the proposed collection, use or disclosure of the personal data by the organisation.[40/2020]

(3) Subsection (2) does not apply to the collection, use or disclosure of personal data about the individual for any prescribed purpose.[40/2020]

(4) For the purposes of subsection (2)(a), the organisation must, before collecting, using or disclosing any personal data about the individual —(a)

conduct an assessment to determine that the proposed collection, use or disclosure of the personal data is not likely to have an adverse effect on the individual;

(b)

take reasonable steps to bring the following information to the attention of the individual:(i)

the organisation’s intention to collect, use or disclose the personal data;

(ii)

the purpose for which the personal data will be collected, used or disclosed;

(iii)

a reasonable period within which, and a reasonable manner by which, the individual may notify the organisation that the individual does not consent to the organisation’s proposed collection, use or disclosure of the personal data; and

(c)

satisfy any other prescribed requirements.[40/2020]

(5) The organisation must, in respect of the assessment mentioned in subsection (4)(a) —(a)

identify any adverse effect that the proposed collection, use or disclosure of the personal data for the purpose concerned is likely to have on the individual;

(b)

identify and implement reasonable measures to —(i)

eliminate the adverse effect;

(ii)

reduce the likelihood that the adverse effect will occur; or

(iii)

mitigate the adverse effect; and

(c)

comply with any other prescribed requirements.[40/2020]

—(1) This section applies to the collection, use or disclosure of personal data about an individual by an organisation on or after 1 February 2021.[40/2020]

(2) Subject to subsection (3), an individual is deemed to consent to the collection, use or disclosure of personal data about the individual by an organisation if —(a)

the organisation satisfies the requirements in subsection (4); and

(b)

the individual does not notify the organisation, before the expiry of the period mentioned in subsection (4)(b)(iii), that the individual does not consent to the proposed collection, use or disclosure of the personal data by the organisation.[40/2020]

(3) Subsection (2) does not apply to the collection, use or disclosure of personal data about the individual for any prescribed purpose.[40/2020]

(4) For the purposes of subsection (2)(a), the organisation must, before collecting, using or disclosing any personal data about the individual —(a)

conduct an assessment to determine that the proposed collection, use or disclosure of the personal data is not likely to have an adverse effect on the individual;

(b)

take reasonable steps to bring the following information to the attention of the individual:(i)

the organisation’s intention to collect, use or disclose the personal data;

(ii)

the purpose for which the personal data will be collected, used or disclosed;

(iii)

a reasonable period within which, and a reasonable manner by which, the individual may notify the organisation that the individual does not consent to the organisation’s proposed collection, use or disclosure of the personal data; and

(c)

satisfy any other prescribed requirements.[40/2020]

(5) The organisation must, in respect of the assessment mentioned in subsection (4)(a) —(a)

identify any adverse effect that the proposed collection, use or disclosure of the personal data for the purpose concerned is likely to have on the individual;

(b)

identify and implement reasonable measures to —(i)

eliminate the adverse effect;

(ii)

reduce the likelihood that the adverse effect will occur; or

(iii)

mitigate the adverse effect; and

(c)

comply with any other prescribed requirements.[40/2020]