Page:Personal Data Protection Act 2012.pdf/65

66

FOURTH SCHEDULE—continued :(a) the personal data must be necessary for the prospective party to determine whether to proceed with the business asset transaction; and
 * (b) the organisation and prospective party must have entered into an agreement that requires the prospective party to use or disclose the personal data solely for purposes related to the business asset transaction.

(3) If the organisation enters into the business asset transaction, the employees, customers, directors, officers and shareholders whose personal data is disclosed shall be notified that—
 * (a) the business asset transaction has taken place; and
 * (b) the personal data about them has been disclosed to the party.

(4) In this paragraph and paragraph 1(p)—
 * “business asset transaction” means the purchase, sale, lease, merger or amalgamation or any other acquisition, disposal or financing of an organisation or a portion of an organisation or of any of the business or assets of an organisation other than the personal data to be disclosed under paragraph 1(p);
 * “party” means another organisation that enters into the business asset transaction with the organisation.

4. Paragraph 1(q) shall not apply unless—
 * (a) the research purpose cannot reasonably be accomplished without the personal data being provided in an individually identifiable form;
 * (b) it is impracticable for the organisation to seek the consent of the individual for the disclosure;
 * (c) the personal data will not be used to contact persons to ask them to participate in the research;
 * (d) linkage of the personal data to other information is not harmful to the individuals identified by the personal data and the benefits to be derived from the linkage are clearly in the public interest; and
 * (e) the organisation to which the personal data is to be disclosed has signed an agreement to comply with—
 * (i) this Act;
 * (ii) the policies and procedures relating to the confidentiality of personal data of the organisation that collected the personal data;
 * (iii) security and confidentiality conditions of the organisation disclosing the personal data;