Policing Use
Data Protection Act 2018
CHAPTER 2
Processing of special categories of personal data and processing of personal data relating to
criminal convictions and offences
Processing of special categories of personal data
39. Subject to compliance with the Data Protection Regulation and any other relevant
enactment or rule of law, the processing of special categories of personal data shall be
lawful to the extent authorised by Article 9, section 35 and sections 40 to 48.
Processing for purposes of employment and social welfare law
40. Subject to suitable and specific measures being taken to safeguard the fundamental rights
and freedoms of data subjects, the processing of special categories of personal data shall
be lawful where the processing is necessary for the purposes of exercising or performing
any right or obligation which is conferred or imposed by law on the controller or the data
subject in connection with employment or social welfare law.
Processing for purpose of legal advice and legal proceedings
41. The processing of special categories of personal data shall be lawful where the
processing—
(a) is necessary for the purposes of providing or obtaining legal advice or for the
purposes of, or in connection with, legal claims, prospective legal claims, legal
proceedings or prospective legal proceedings, or
(b) is otherwise necessary for the purposes of establishing, exercising or defending
legal rights.
Processing for purpose of electoral activities
42. Subject to suitable and specific measures being taken to safeguard the fundamental rights
and freedoms of data subjects, the processing of personal data revealing political
opinions shall be lawful where the processing is carried out in the course of election
activities for the purpose of compiling data on peoples’ political opinions by—
(a) a political party,
(b) a body established by or under an enactment (other than the Act of 2014 or a
former enactment relating to companies within the meaning of section 5 of that
Act), or
(c) a candidate for election to, or a holder of, elective political office.
Processing for administration of justice and performance of functions
43. Subject to suitable and specific measures being taken to safeguard the fundamental rights
and freedoms of data subjects, the processing of special categories of personal data shall
be lawful where the processing respects the essence of the right to data protection and is
necessary and proportionate for—
(a) the administration of justice, or
(b) the performance of a function conferred on a person by or under an enactment or
by the Constitution.
Processing for insurance and pension purposes
44. Subject to suitable and specific measures being taken to safeguard the fundamental rights
and freedoms of data subjects, the processing of data concerning health shall be lawful
where the processing is necessary and proportionate for the purposes of the following:
(a) a policy of insurance or life assurance,
(b) a policy of health insurance or health-related insurance,
(c) an occupational pension, a retirement annuity contract or any other pension
arrangement, or
(d) the mortgaging of property.
Processing for reasons of substantial public interest
45. (1) Processing of special categories of personal data shall be lawful where the processing
is carried out in accordance with regulations made under subsection (2).
(2) Regulations may be made authorising the processing of special categories of personal
data where the processing is necessary for reasons of substantial public interest and
without prejudice to the generality of the foregoing, such regulations shall—
(a) identify the substantial public interest concerned, and
(b) comply with section 32(6).
(3) Regulations may be made under subsection (2) by—
(a) the Minister, following consultation with such other Minister of the Government
as he or she considers appropriate and the Commission, or
(b) any other Minister of the Government following consultation with the Minister,
such other Minister of the Government as he or she considers appropriate and the
Commission.
(4) The Minister or any other Minister of the Government, as the case may be, making
regulations under subsection (2) shall have regard to the need for the protection of
individuals with regard to the processing of their personal data and without prejudice
to the generality of that need, have regard to—
(a) the nature, scope and purposes of the processing,
(b) the nature of the substantial public interest concerned,
(c) any benefits likely to arise for the data subjects concerned,
(d) any risks arising for the rights and freedoms of such subjects, and
(e) the likelihood of any such risks arising and the severity of such risks.
(5) Regulations made under subsection (2) shall—
(a) respect the essence of the right to data protection, and
(b) enable processing of such data only in so far as is necessary and proportionate to
the aim sought to be achieved.
Processing for purposes of Article 9(2)(h)
46. (1) Subject to subsection (2) and to suitable and specific measures being taken to
safeguard the fundamental rights and freedoms of data subjects, the processing of
special categories of personal data shall be lawful where it is necessary—
(a) for the purposes of preventative or occupational medicine,
(b) for the assessment of the working capacity of an employee,
(c) for medical diagnosis,
(d) for the provision of medical care, treatment or social care,
(e) for the management of health or social care systems and services, or
(f) pursuant to a contract with a health professional.
(2) Processing shall be lawful in accordance with subsection (1) where it is undertaken by
or under the responsibility of—
(a) a health practitioner, or
(b) a person who in the circumstances owes a duty of confidentiality to the data
subject that is equivalent to that which would exist if that person were a health
practitioner.
(3) In this section, “health practitioner” has the same meaning as it has in the Health
Identifiers Act 2014.
Processing in the area of public health
47. Subject to suitable and specific measures to safeguard the fundamental rights and
freedoms of data subjects, the processing of special categories of personal data shall be
lawful where it is necessary for public interest reasons in the area of public health
including—
(a) protecting against serious cross-border threats to health, and
(b) ensuring high standards of quality and safety of health care and of medicinal
products and medical devices.
Processing in the public interest, scientific or historical research purposes or statistical purposes
48. Subject to compliance with section 36, the processing of special categories of personal
data is lawful where such processing is necessary and proportionate for—
(a) archiving purposes in the public interest,
(b) scientific or historical research purposes, or
(c) statistical purposes.
Processing of personal data relating to criminal convictions and offences
49. (1) Without prejudice to the Criminal Justice (Spent Convictions and Certain
Disclosures) Act 2016 and subject to compliance with Article 6(1) and to suitable and
specific measures being taken to safeguard the fundamental rights and freedoms of the
data subject, personal data referred to in Article 10 (in this section referred to as
“Article 10 data”) may be processed—
(a) under the control of official authority, or
(b) where—
(i) the data subject has given explicit consent to the processing for one or more
specified purposes except where the law of the European Union or the law of
the State prohibits such processing,
(ii) processing is necessary and proportionate for the performance of a contract
to which the data subject is a party or in order to take steps at the request of
the data subject prior to entering into a contract,
(iii) processing is—
(I) necessary for the purpose of providing or obtaining legal advice or for
the purposes of, or in connection with, legal claims, prospective legal
claims, legal proceedings or prospective legal proceedings, or
(II) otherwise necessary for the purposes of establishing, exercising or
defending legal rights,
(iv) processing is necessary to prevent injury or other damage to the data subject
or another person or loss in respect of, or damage to, property or otherwise to
protect the vital interests of the data subject or another person, or
(v) processing is permitted in regulations made under subsection (3) or is
otherwise authorised by the law of the State.
(2) Processing under the control of official authority referred to in subsection (1)(a)
includes processing required for the following purposes:
(a) the administration of justice;
(b) the exercise of a regulatory, authorising or licensing function or determination of
eligibility for benefits or services;
(c) protection of the public against harm arising from dishonesty, malpractice,
breaches of ethics or other improper conduct by, or the unfitness or incompetence
of, persons authorised to carry on a profession or other activity;
(d) enforcement actions aimed at preventing, detecting or investigating breaches of
the law of the European Union or the law of the State that are subject to civil or
administrative sanctions;
(e) archiving in the public interest, scientific or historical research purposes or
statistical purposes where the processing is carried out in accordance with section
36 for those purposes by or on behalf of a public authority or public body.
(3) Without prejudice to the Criminal Justice (Spent Convictions and Certain
Disclosures) Act 2016 and subject to compliance with Article 6(1), to suitable and
specific measures being taken to safeguard the fundamental rights and freedoms of the
data subject and subject to subsection (6), regulations may be made permitting the
processing of Article 10 data where the processing is necessary to—
(a) assess the risk of fraud or prevent fraud, or
(b) ensure network and information systems security, and prevent attacks on and
damage to computer and electronic communications systems.
(4) Regulations may be made under subsection (3) by—
(a) the Minister, following consultation with such other Minister of the Government
as he or she considers appropriate and the Commission, or
(b) any other Minister of the Government following consultation with the Minister,
such other Minister of the Government as he or she considers appropriate and the
Commission.
(5) The Minister or any other Minister of the Government, as the case may be, making
regulations under subsection (3) shall have regard to the need for the protection of
individuals with regard to the processing of their personal data and without prejudice
to the generality of that need, have regard to—
(a) the nature, scope and purposes of the processing,
(b) any risks arising for the rights and freedoms of individuals, and
(c) the likelihood of any such risks arising and the severity of such risks.
(6) A person who knowingly or recklessly contravenes this section or any regulations
made under subsection (3) commits an offence and is liable—
(a) on summary conviction to a class A fine or imprisonment for a term not
exceeding 12 months or both, or
(b) on conviction on indictment, to a fine not exceeding €50,000 or imprisonment for
a term not exceeding 5 years, or both.
(7) In this section, “Article 10 data” shall include personal data relating to the alleged
commission of an offence and any proceedings in relation to such an offence.