Policing Use
Law Enforcement Purposes
Part 5 of the Data Protection Act 2018 applies to the automatic processing of personal data by or on behalf of a controller carried out for the prevention, investigation, detection or prosecution of criminal offences, including the safeguarding against, and the prevention of, threats to public security, or the execution of criminal penalties. It also covers data in a structured filing system.
The general principles of data processing under GDPR apply under the Data Protection Act 2018 in slightly modified terms.
The processing of personal data relating to criminal convictions and offences or related security measures must be carried out only under the control of official authority. Where it is authorised by EU or Member State law, there must be provision for appropriate safeguards for the rights and freedoms of data subjects.
A comprehensive register of criminal convictions may be kept only under the control of official authority. The processing of data relating to offences and criminal activities may be carried out only for the purposes of, and under the control of, official authority, with suitable safeguards, subject to limited derogations. The Minister may make regulations for the processing of data relating to criminal offences.
Lawful Processing for Law Enforcement Purposes
The processing of personal data is lawful where, and to the extent that it is necessary for the performance of a function of a controller for the purposes of the prevention, investigation, detection or prosecution of criminal offences, including the safeguarding against, and the prevention of, threats to public security, or the execution of criminal penalties. It must have a basis in domestic criminal law or EU law.
The processing of personal data is lawful where, and to the extent that, the data subject has given his or her consent. The processing is lawful on the consent basis only where, and to the extent that:
- having been informed of the intended purpose of the processing and the identity of the controller, the data subject gives his or her consent freely and explicitly,
- the request for consent is expressed in clear and plain language, and where such consent is given in the context of a written statement that also concerns other matters, the request for consent is presented to the data subject in a manner that is clearly distinguishable from those other matters,
- the data subject may withdraw his or her consent at any time, and he or she shall be informed of this possibility prior to giving consent.
Where a data subject withdraws his or her consent, this does not affect the lawfulness of processing based on that consent prior to the consent being withdrawn.
Where a controller collects personal data for one of the above law enforcement purposes, the controller or another controller may process the data for a purpose so specified other than the purpose for which the data were collected, in so far as the controller is authorised to do so in accordance with EU law or the law of the State, and the processing is necessary and proportionate to the purpose for which the data are being processed.
Automated Decision-Making in the Law Enforcement Context
A decision that produces an adverse legal effect for a data subject or significantly affects a data subject shall not be based solely on automated processing, including profiling, of personal data that relate to him or her unless
- the taking of a decision based solely on automated processing is authorised by the law of the European Union or the law of the State and the law so authorising contains appropriate safeguards for the rights and freedoms of the data subject, including the right of the data subject to make representations to the controller in relation to the decision, and
- the controller has taken adequate steps to safeguard the legitimate interests of the data subject.
Profiling that results in discrimination against an individual on the basis of a special category of personal data is prohibited.
Sensitive personal data and Fundamental Rights
Personal data which are, by their nature, particularly sensitive in relation to fundamental rights and freedoms merit specific protection. Their processing could create significant risks to the data subject’s fundamental rights and freedoms. Those personal data include personal data revealing racial or ethnic origin.
Sensitive personal data may not be processed unless the processing is permitted on a specific basis set out in the GDPR. Derogations from the general prohibition on processing sensitive personal data are provided, inter alia, where the data subject gives his or her explicit consent or in respect of specific needs, in particular where the processing is carried out in the course of legitimate activities by certain associations or foundations, the purpose of which is to permit the exercise of fundamental freedoms.
Member State law may lay down specific further provisions in order to adapt the rules of the GDPR for compliance with a legal obligation or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
In addition to the specific requirements for such processing, the general principles and other rules of the GDPR apply, in particular as regards the conditions for lawful processing.
Broader Scope of Use for Criminal Law and Security Purposes
The processing of personal data and special categories of (sensitive) personal data for a purpose other than the purpose for which the data has been collected is lawful to the extent that such processing is necessary and proportionate for the purposes
- of preventing a threat to national security, defence or public security,
- of preventing, investigating or prosecuting criminal offences, or
- where it is necessary for the purposes of providing or obtaining legal advice or for the purposes of, or in connection with, legal claims, prospective legal claims, legal proceedings or prospective legal proceedings, or is otherwise necessary for the purposes of establishing, exercising or defending legal rights.
Processing of Sensitive Personal Data I
The processing of sensitive personal data is lawful only where the following data processing principles are complied with and one of the grounds mentioned below applies.
The applicable principles are:
- the data shall be processed lawfully and fairly;
- the data shall be collected for one or more specified, explicit and legitimate purposes and shall not be processed in a manner that is incompatible with those purposes;
- the data shall be adequate, relevant and not excessive in relation to the purposes for which they are processed;
- the data shall be accurate, and, where necessary, kept up to date, and every reasonable step shall be taken to ensure that data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
- the data shall be kept in a form that permits the identification of a data subject for no longer than is necessary for the purposes for which the data are processed;
- the data shall be processed in a manner that ensures appropriate security of the data, including, by the implementation of appropriate technical or organisational measures, protection against unauthorised or unlawful processing, and accidental loss, destruction or damage.
Processing of Sensitive Personal Data II
The processing of sensitive personal data is lawful only where one of the following conditions is met:
- where the processing is to be carried out on the basis of the consent of the data subject, where such consent explicitly refers to the special category of personal data concerned;
- the processing is necessary to prevent injury or other damage to the data subject or another individual, to prevent loss in respect of, or damage to, property, or otherwise to protect the vital interests of the data subject or another individual;
- the personal data to which the processing relates have been made public as a result of steps deliberately taken by the data subject;
- the processing is necessary for the administration of justice, the performance of a function conferred on a person by or under an enactment, or the performance of a function of a Minister of the Government;
- the processing is required for the purposes of providing or obtaining legal advice or for, or in connection with, legal claims, prospective legal claims, legal proceedings or prospective legal proceedings, or is otherwise required for the purposes of establishing, exercising or defending legal rights;
- the processing is necessary for medical purposes and is carried out by, or under the responsibility of a health practitioner, or a person who in the circumstances owes a duty of confidentiality to the data subject that is equivalent to that which would exist if that person were a health practitioner;
- the processing is necessary for the purposes of exercising or performing any right or obligation which is conferred or imposed by law on the controller or the data subject in connection with employment or social welfare law;
- the processing is carried out for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes;
- the processing is authorised by regulations made below.
Processing of Sensitive Personal Data III
Regulations may be made permitting the processing of special categories of personal data. The Minister or any other Minister of the Government, as the case may be, making regulations shall have regard to the need for the protection of individuals with regard to the processing of their personal data.
They shall, without prejudice to the generality of that need, have regard to—
- the nature, scope and purposes of the processing,
- the nature of the substantial public interest concerned,
- any benefits likely to arise for the data subjects concerned,
- any risks arising for the rights and freedoms of such subjects, and
- the likelihood of any such risks arising and the severity of such risks.
Where a special category of personal data is processed, the controller shall ensure that the processing is carried out with appropriate safeguards for the rights and freedoms of the data subject.
Criminal Matters
Without prejudice to the Spent Convictions legislation and subject to suitable and specific measures being taken to safeguard the fundamental rights and freedoms of the data subject, personal data relating to criminal convictions, offences and allegations may be processed under the control of official authority.
Processing under the control of official authority includes processing required for the following purposes:
- the administration of justice;
- the exercise of a regulatory, authorising or licensing function or determination of eligibility for benefits or services;
- protection of the public against harm arising from dishonesty, malpractice, breaches of ethics or other improper conduct by, or the unfitness or incompetence of, persons authorised to carry on a profession or other activity;
- enforcement actions aimed at preventing, detecting or investigating breaches of the law of the European Union or the State that are subject to civil or administrative sanctions;
- archiving in the public interest, scientific or historical research purposes or statistical purposes by or on behalf of a public authority or public body.
Regulations re Criminal Data
Subject to suitable and specific measures being taken to safeguard the fundamental rights and freedoms of the data subject, regulations may be made permitting the processing of data relating to criminal offences, convictions and criminal allegations where the processing is necessary and proportionate
- to assess the risk of fraud or prevent fraud, or
- to ensure network and information systems security and prevent attacks on and damage to computer and electronic communications systems.
The Minister making regulations shall have regard to the need for the protection of individuals with regard to the processing of their personal data and shall have regard to—
- the nature, scope and purposes of the processing,
- any risks arising for the rights and freedoms of individuals, and
- the likelihood of any such risks arising and the severity of such risks.
A person who knowingly or recklessly contravenes the above provisions or any regulations made thereunder is guilty of an offence and is liable on summary conviction to a class A fine or imprisonment for a term not exceeding 12 months or both, or on conviction on indictment, to a fine not exceeding €50,000 or imprisonment for a term not exceeding 5 years or both.
Criminal Records
Criminal records may be kept. There must be proper safeguards and control mechanisms in order to ensure that individuals' rights are not violated.
The Gardaí maintain the Garda Criminal Records Office. The disclosure of past convictions is permissible in the context of the administration of justice. Past convictions are usually raised at the sentencing phase, after conviction in a criminal matter. Following a constitutional referendum, they are also considered in the context of bail applications.
States may generally prohibit access to the records. The sex offenders register is maintained under the Sex Offenders Act. Persons convicted of certain sexual offences must notify the Gardaí of certain details, including changes in their name or address. The obligations last for varying time limits, depending on the nature of the crime.
Disclosure
Statutory provisions that permit, or require, further notification or disclosure of personal data are contained in other Acts. Under the Criminal Justice (Money Laundering and Terrorist Financing) Act, persons and bodies such as financial institutions, auditors and property service providers who know, suspect or have reasonable grounds to suspect, on the basis of information available to them, that another person has been or is engaged in an offence of money laundering or terrorist financing must report that knowledge or suspicion or those reasonable grounds to the Gardaí and the Revenue Commissioners.
Under the Criminal Justice (Withholding of Information on Offences against Children and Vulnerable Persons) Act, it is an offence to withhold any information on offences referred to in that Act.
The Children First Act 2015 requires certain persons, including health practitioners, teachers and youth workers, who know, believe or suspect that a child has been harmed, is being harmed or is at risk of being harmed, to report that knowledge, belief or suspicion to the Child and Family Agency.
Garda Processing
Most data processing by the Gardaí is exempt from the Data Protection Act, by reason of the above-mentioned exemptions. Issues may arise in relation to personal constitutional rights and human rights law. A balancing of rights may be required.
The Gardaí may, it appears, disclose information in relation to investigations and allegations, where there are exceptional circumstances which justify disclosure for an objective reason. There must be a significant public interest in order to justify disclosure.
Difficult issues arise in relation to the disclosure of matters relevant to employment involving contact with children. Mandatory legislation in relation to vetting regulates the position. Apart from this, disclosure may be permissible where it is reasonable in the circumstances.
Non-Governmental Processing of information about Criminal Matters
Without prejudice to the Spent Convictions legislation and subject to suitable and specific measures being taken to safeguard the fundamental rights and freedoms of the data subject, personal data relating to criminal convictions, offences and allegations may be processed
- where the data subject has given explicit consent to the processing for one or more specified purposes except where EU law or the law of the State prohibits such processing,
- processing is necessary and proportionate for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract,
- processing is necessary for the purpose of providing or obtaining legal advice or for the purposes of, or in connection with, legal claims, prospective legal claims, legal proceedings or prospective legal proceedings, or otherwise necessary for the purposes of establishing, exercising or defending legal rights,
- processing is necessary to prevent injury or other damage to the data subject or another person or loss in respect of, or damage to, property or otherwise to protect the vital interests of the data subject or another person,
- processing is permitted under regulations made under the above power, or
- processing is otherwise authorised by the law of the State.