Page:Personal Data Protection Act 2012.pdf/18

Rh (3) An organisation shall designate one or more individuals to be responsible for ensuring that the organisation complies with this Act.

(4) An individual designated under subsection (3) may delegate to another individual the responsibility conferred by that designation.

(5) An organisation shall make available to the public the business contact information of at least one of the individuals designated under subsection (3) or delegated under subsection (4).

(6) The designation of an individual by an organisation under subsection (3) shall not relieve the organisation of any of its obligations under this Act.

Policies and practices

12. An organisation shall—
 * (a) develop and implement policies and practices that are necessary for the organisation to meet the obligations of the organisation under this Act;
 * (b) develop a process to receive and respond to complaints that may arise with respect to the application of this Act;
 * (c) communicate to its staff information about the organisation’s policies and practices referred to in paragraph (a); and
 * (d) make information available on request about —
 * (i) the policies and practices referred to in paragraph (a); and
 * (ii) the complaint process referred to in paragraph (b).

PART IV COLLECTION, USE AND DISCLOSURE OF PERSONAL DATA Division 1—Consent Consent required

13. An organisation shall not, on or after the appointed day, collect, use or disclose personal data about an individual unless—