Health Use
Data Protection Act 2018
CHAPTER 2
Processing of personal data relating to criminal convictions and offences
Processing of special categories of personal data
39. Subject to compliance with the Data Protection Regulation and any other relevant
enactment or rule of law, the processing of special categories of personal data shall be
lawful to the extent authorised by Article 9, section 35 and sections 40 to 48.
Processing for purposes of employment and social welfare law
40. Subject to suitable and specific measures being taken to safeguard the fundamental rights
and freedoms of data subjects, the processing of special categories of personal data shall
be lawful where the processing is necessary for the purposes of exercising or performing
any right or obligation which is conferred or imposed by law on the controller or the data
subject in connection with employment or social welfare law.
Processing for purpose of legal advice and legal proceedings
41. The processing of special categories of personal data shall be lawful where the
5
processing—
(a) is necessary for the purposes of providing or obtaining legal advice or for the
purposes of, or in connection with, legal claims, prospective legal claims, legal
proceedings or prospective legal proceedings, or
(b) is otherwise necessary for the purposes of establishing, exercising or defending
legal rights.
Processing for purpose of electoral activities
42. Subject to suitable and specific measures being taken to safeguard the fundamental rights
and freedoms of data subjects, the processing of personal data revealing political
opinions shall be lawful where the processing is carried out in the course of election
activities for the purpose of compiling data on peoples’ political opinions by—
(a) a political party,
(b) a body established by or under an enactment (other than the Act of 2014 or a
former enactment relating to companies within the meaning of section 5 of that
Act), or
(c) a candidate for election to, or a holder of, elective political office.
Processing for purposes of administration of justice and performance of functions
43. Subject to suitable and specific measures being taken to safeguard the fundamental rights
and freedoms of data subjects, the processing of special categories of personal data shall
be lawful where the processing respects the essence of the right to data protection and is
necessary and proportionate for—
(a) the administration of justice, or
(b) the performance of a function conferred on a person by or under an enactment or
by the Constitution.
Processing for insurance and pension purposes
44. Subject to suitable and specific measures being taken to safeguard the fundamental rights
and freedoms of data subjects, the processing of data concerning health shall be lawful
where the processing is necessary and proportionate for the purposes of the following:
(a) a policy of insurance or life assurance,
(b) a policy of health insurance or health-related insurance,
(c) an occupational pension, a retirement annuity contract or any other pension
arrangement, or
(d) the mortgaging of property.
Processing for reasons of substantial public interest
45. (1) Processing of special categories of personal data shall be lawful where the processing
is carried out in accordance with regulations made under subsection (2).
(2) Regulations may be made authorising the processing of special categories of personal
data where the processing is necessary for reasons of substantial public interest and
without prejudice to the generality of the foregoing, such regulations shall—
(a) identify the substantial public interest concerned, and
(b) comply with section 32(6).
(3) Regulations may be made under subsection (2) by—
(a) the Minister, following consultation with such other Minister of the Government
as he or she considers appropriate and the Commission, or
(b) any other Minister of the Government following consultation with the Minister,
such other Minister of the Government as he or she considers appropriate and the
Commission.
(4) The Minister or any other Minister of the Government, as the case may be, making
regulations under subsection (2) shall have regard to the need for the protection of
individuals with regard to the processing of their personal data and without prejudice
to the generality of that need, have regard to—
(a) the nature, scope and purposes of the processing,
(b) the nature of the substantial public interest concerned,
(c) any benefits likely to arise for the data subjects concerned,
(d) any risks arising for the rights and freedoms of such subjects, and
(e) the likelihood of any such risks arising and the severity of such risks.
(5) Regulations made under subsection (2) shall—
(a) respect the essence of the right to data protection, and
(b) enable processing of such data only in so far as is necessary and proportionate to
the aim sought to be achieved.
Processing of special categories of personal data for purposes of Article 9(2)(h)
46. (1) Subject to subsection (2) and to suitable and specific measures being taken to
safeguard the fundamental rights and freedoms of data subjects, the processing of
special categories of personal data shall be lawful where it is necessary—
(a) for the purposes of preventative or occupational medicine,
(b) for the assessment of the working capacity of an employee,
(c) for medical diagnosis,
(d) for the provision of medical care, treatment or social care,
(e) for the management of health or social care systems and services, or
(f) pursuant to a contract with a health professional.
(2) Processing shall be lawful in accordance with subsection (1) where it is undertaken by
or under the responsibility of—
(a) a health practitioner, or
(b) a person who in the circumstances owes a duty of confidentiality to the data
subject that is equivalent to that which would exist if that person were a health
practitioner.
(3) In this section, “health practitioner” has the same meaning as it has in the Health
Identifiers Act 2014.
Processing ofor purposes of public interest in the area of public health
47. Subject to suitable and specific measures to safeguard the fundamental rights and
freedoms of data subjects, the processing of special categories of personal data shall be
lawful where it is necessary for public interest reasons in the area of public health
including—
(a) protecting against serious cross-border threats to health, and
(b) ensuring high standards of quality and safety of health care and of medicinal
products and medical devices.
Processing for archiving in the public interest, scientific ,historical research or statistical purposes
48. Subject to compliance with section 36, the processing of special categories of personal
data is lawful where such processing is necessary and proportionate for—
(a) archiving purposes in the public interest,
(b) scientific or historical research purposes, or
(c) statistical purposes.
Processing of personal data relating to criminal convictions and offences
49. (1) Without prejudice to the Criminal Justice (Spent Convictions and Certain
Disclosures) Act 2016 and subject to compliance with Article 6(1) and to suitable and
specific measures being taken to safeguard the fundamental rights and freedoms of the
data subject, personal data referred to in Article 10 (in this section referred to as
“Article 10 data”) may be processed—
(a) under the control of official authority, or
(b) where—
(i) the data subject has given explicit consent to the processing for one or more
specified purposes except where the law of the European Union or the law of
the State prohibits such processing,
(ii) processing is necessary and proportionate for the performance of a contract
to which the data subject is a party or in order to take steps at the request of
the data subject prior to entering into a contract,
(iii) processing is—
(I) necessary for the purpose of providing or obtaining legal advice or for
the purposes of, or in connection with, legal claims, prospective legal
claims, legal proceedings or prospective legal proceedings, or
(II) otherwise necessary for the purposes of establishing, exercising or
defending legal rights,
(iv) processing is necessary to prevent injury or other damage to the data subject
or another person or loss in respect of, or damage to, property or otherwise to
protect the vital interests of the data subject or another person, or
(v) processing is permitted in regulations made under subsection (3) or is
otherwise authorised by the law of the State.
(2) Processing under the control of official authority referred to in subsection (1)(a)
includes processing required for the following purposes:
(a) the administration of justice;
(b) the exercise of a regulatory, authorising or licensing function or determination of
eligibility for benefits or services;
(c) protection of the public against harm arising from dishonesty, malpractice,
breaches of ethics or other improper conduct by, or the unfitness or incompetence
of, persons authorised to carry on a profession or other activity;
(d) enforcement actions aimed at preventing, detecting or investigating breaches of
the law of the European Union or the law of the State that are subject to civil or
administrative sanctions;
(e) archiving in the public interest, scientific or historical research purposes or
statistical purposes where the processing is carried out in accordance with section
36 for those purposes by or on behalf of a public authority or public body.
(3) Without prejudice to the Criminal Justice (Spent Convictions and Certain
Disclosures) Act 2016 and subject to compliance with Article 6(1), to suitable and
specific measures being taken to safeguard the fundamental rights and freedoms of the
data subject and subject to subsection (6), regulations may be made permitting the
processing of Article 10 data where the processing is necessary to—
(a) assess the risk of fraud or prevent fraud, or
(b) ensure network and information systems security, and prevent attacks on and
damage to computer and electronic communications systems.
(4) Regulations may be made under subsection (3) by—
(a) the Minister, following consultation with such other Minister of the Government
as he or she considers appropriate and the Commission, or
(b) any other Minister of the Government following consultation with the Minister,
such other Minister of the Government as he or she considers appropriate and the
Commission.
(5) The Minister or any other Minister of the Government, as the case may be, making
regulations under subsection (3) shall have regard to the need for the protection of
individuals with regard to the processing of their personal data and without prejudice
to the generality of that need, have regard to—
(a) the nature, scope and purposes of the processing,
(b) any risks arising for the rights and freedoms of individuals, and
(c) the likelihood of any such risks arising and the severity of such risks.
(6) A person who knowingly or recklessly contravenes this section or any regulations
made under subsection (3) commits an offence and is liable—
(a) on summary conviction to a class A fine or imprisonment for a term not
exceeding 12 months or both, or
(b) on conviction on indictment, to a fine not exceeding €50,000 or imprisonment for
a term not exceeding 5 years, or both.
(7) In this section, “Article 10 data” shall include personal data relating to the alleged
commission of an offence and any proceedings in relation to such an offence.
GDPR
Section 5
Restrictions
Article 23
Restrictions
1. Union or Member State law to which the data controller or processor is subject may restrict by way of a legislative measure the scope of the obligations and rights provided for in Articles 12 to 22 and Article 34, as well as Article 5 in so far as its provisions correspond to the rights and obligations provided for in Articles 12 to 22, when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard:
(a)
national security;
(b)
defence;
(c)
public security;
(d)
the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security;
(e)
other important objectives of general public interest of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, including monetary, budgetary and taxation a matters, public health and social security;
(f)
the protection of judicial independence and judicial proceedings;
(g)
the prevention, investigation, detection and prosecution of breaches of ethics for regulated professions;
(h)
a monitoring, inspection or regulatory function connected, even occasionally, to the exercise of official authority in the cases referred to in points (a) to (e) and (g);
(i)
the protection of the data subject or the rights and freedoms of others;
(j)
the enforcement of civil law claims.
2. In particular, any legislative measure referred to in paragraph 1 shall contain specific provisions at least, where relevant, as to:
(a)
the purposes of the processing or categories of processing;
(b)
the categories of personal data;
(c)
the scope of the restrictions introduced;
(d)
the safeguards to prevent abuse or unlawful access or transfer;
(e)
the specification of the controller or categories of controllers;
(f)
the storage periods and the applicable safeguards taking into account the nature, scope and purposes of the processing or categories of processing;
(g)
the risks to the rights and freedoms of data subjects; and
(h)
the right of data subjects to be informed about the restriction, unless that may be prejudicial to the purpose of the restriction.