(1) Where a data controller holds personal data collected in connection with a specific purpose, further processing of the personal data shall be for that specific purpose.

(2) A person who processes data shall take into account

(a) the relationship between the purpose of the intended further processing and the purpose for which the data was collected,

(b) the nature of the data concerned,

(d) the consequences that the further processing is likely to have for the data subject, and

(e) the contractual rights and obligations between the data subject and the person who processes the data.

(3) The further processing of data is considered to be compatible with the purpose of collection where

(a) the data subject consents to the further processing of the information,

(b) the data is publicly available or has been made public by the person concerned,

(i) for the prevention, detection, investigation, prosecution or punishment for an offence or breach of law,

(ii) for the enforcement of a law which imposes a pecuniary penalty,

(iii) for the enforcement of legislation that concerns protection of revenue collection,

(iv) for the conduct of proceedings before any court or tribunal that have commenced or are reasonably contemplated, or

(v) for the protection of national security;

(d) the further processing of the data is necessary to prevent or mitigate a serious and imminent threat to

(i) public health or safety, or

(ii) the life or health of the data subject or another individual;

(e) the data is used for historical, statistical or research purposes and the person responsible for the processing ensures that

(i) the further processing is carried out solely for the purpose for which the data was collected, and

(ii) the data is not published in a form likely to reveal the identity of the data subject; or

(f) the further processing of the data is in accordance with this Act.