6. (1) Pursuant to section 28(2) of the Act, a data controller or data processor may collect personal data indirectly from—
(a) any person other than the data subject;
(b) publications or databases;
(c) surveillance cameras, where an individual is identifiable or reasonably identifiable;
(d) information associated with web browsing; or
(e) biometric technology, including voice or facial recognition.
(2) A data controller or data processor shall, in collecting personal data—
(a) ensure that processing is limited to personal data which the data subject has permitted the data controller or data processor to collect;
(b) undertake steps to ensure that personal data is accurate, not in excessive and up to date;
(c) undertake processes to secure personal data; and
(d) comply with the lawful processing principles set out under part IV of the Act.
(3) Where a data controller or data processor collects personal data indirectly, the data controller or data processor shall within fourteen days inform the data subject of the collection.
(4) Where a data controller or data processor intends to use personal data for a new purpose, the data controller or data processor shall ensure that the new purpose is compatible with the initial purpose for which the personal data was collected.
(5) Where the new purpose is not compatible with the initial purpose, a data controller or data processor shall seek fresh consent from the data subject in accordance with regulation 4.