Sensitive Data

Pre-GDPR Regime I

Higher standards have always applied under Data Protection legislation to the processing of certain categories of data. The processing of sensitive data was permissible in more limited circumstances under the pre-GDPR regime than applied in relation to personal data generally.

Explicit consent was and is usually required for the processing of sensitive personal data.

Sensitive personal data are those relating to the data subject’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life, the commission of an offence and the sentence of the court in such proceedings.


Pre-GDPR Regime II

The processing of sensitive personal data was allowed in a number of cases. It was allowed where

  • the data subject had given explicit consent;
  • the processing was necessary for the purpose of exercising any right or obligation imposed by law on the data controller;
  • the processing was necessary to prevent injury or damage to the health of the data subject or another person, or to prevent serious loss of or damage to the property or otherwise protect the vital interest of the data subject, where consent could not be given, by or on behalf of the data subject, where the data controller could not reasonably be expected to obtain such consent or where the processing was necessary for such purpose, or where in such a case, consent had been unreasonably withheld;
  • the processing was carried on in the course of legitimate activities of certain non-commercial bodies; the activities must not be carried on for profit, and the body must exist for political, philosophical, religious, or trade union purposes; the processing was carried out with appropriate safeguards for the fundamental rights and freedoms of the person concerned; it relates only to persons who are members of the body or have regular contact with it, in connection with its purposes; and there could be no disclosure to third parties without consent;
  • the information contained in the data had been made public as a result of steps deliberately taken by the data subject;
  • the processing was necessary for the administration of justice or the performance of governmental functions.

Pre-GDPR Regime III

The processing of sensitive personal data was also allowed where

  • the processing was required for the purpose of obtaining legal advice or in connection with legal proceedings, prospective legal proceedings or was otherwise necessary for the purpose of establishing, exercising and defending legal rights;
  • the processing was necessary for medical purposes and was undertaken by a health professional or a person, who in the circumstances owed a duty of confidentiality to the data subject, equivalent to that which would exist if the person was a health professional;
  • the processing was necessary for the purpose of gathering statistics;
  • the processing was carried out by political parties or candidates for the purpose of ascertaining political opinions, provided it complied with their fundamental rights and freedoms;
  • the processing was authorised by regulations;
  • the processing was necessary for the assessment, collection or payment of any tax, duty or levy or other monies payable to the State and the data had been provided only for that purpose; or
  • the processing was necessary for the purpose of determining entitlement to any social protection or social security scheme.

GDPR Restatement

Under the GDPR the processing of personal data

  • revealing racial or ethnic origin;
  • revealing political opinions;
  • revealing religious or philosophical beliefs, or trade union membership;
  • comprising genetic data;
  • biometric data for the purpose of uniquely identifying a natural person;
  • data concerning health; or
  • data concerning a natural person’s sex life or sexual orientation

is prohibited, subject to certain exceptions.

The principal exception is where the data subject has given explicit consent to the processing of those personal data for one or more specified purposes. This applies unless EU or Member State law provides that the data subject cannot waive his rights or give consent at all.


Exceptions / Permitted Processing I

The processing of the above sensitive / special categories of data is permitted where

  • the processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subject;
  • the processing relates to personal data which are manifestly made public by the data subject;
  • the processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;
  • the processing is necessary for reasons of substantial public interest, on the basis of EU or national law which is proportionate to the aim pursued, respects the essence of the right to data protection and provides for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject;
  • the processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of EU or national law or pursuant to a contract with a health professional and subject to the below conditions and the required safeguards.

Exceptions / Permitted Processing II

The processing of sensitive / special categories of data is also permitted where

  • the processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of healthcare and of medicinal products or medical devices, on the basis of EU or national law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy;
  • the processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes based on EU or national law which is proportionate to the aim pursued, respects the essence of the right to data protection and provides for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.

Sensitive personal data may be processed for personal health reasons or purposes when they are processed by or under the responsibility of a professional or another person subject to the obligation of professional secrecy under EU or Member State law or rules established by national competent bodies.

Member States may maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health.


Sensitive personal data and Fundamental Rights

Personal data which are, by their nature, particularly sensitive in relation to fundamental rights and freedoms merit specific protection. The context of their processing could create significant risks to fundamental rights and freedoms. Those personal data should include personal data revealing racial or ethnic origin.

Sensitive personal data may not be processed, unless processing is allowed in specific cases set out in the GDPR. Member States may lay down specific provisions on data protection in order to adapt the application of the rules of the GDPR for compliance with a legal obligation or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

In addition to the specific requirements for such processing, the general principles and other rules of the GDPR apply, in particular as regards the conditions for lawful processing.


Exceptions to the prohibition on processing sensitive personal data

The GDPR allows exceptions to the prohibition on processing sensitive personal data when provided for in EU or Member State law. It contemplates exceptions, in particular involving the processing of personal data in the field of employment law, social protection law including pensions and for health security, monitoring and alert purposes, the prevention or control of communicable diseases and other serious threats to health. They must be subject to suitable safeguards, so as to protect personal data and other fundamental rights, where it is in the public interest to do so.

Subject to compliance with the GDPR and any other relevant enactment or rule of law, the processing of sensitive personal data is lawful to the extent authorised by various provisions of the Irish Data Protection Act, most of which are set out below.

The Minister may prescribe other circumstances in which sensitive personal data may be processed. There must be suitable safeguards. The exemptions must be justified by a substantial public interest.


Employment and social welfare law purposes

Subject to suitable and specific measures to safeguard the fundamental rights and freedoms of data subjects, the processing of sensitive personal data is lawful where the processing is necessary for the purposes of exercising or performing any right or obligation which is conferred or imposed by law on the controller or the data subject in the field of employment, social security and social protection law.

It must be authorised by EU or Member State law or a collective agreement pursuant to Member State law. It must provide for appropriate safeguards for the fundamental rights and the interests of the data subject.


Legal advice and legal proceedings

The processing of sensitive personal data is permitted where necessary for the establishment, exercise or defence of legal claims, whether in court proceedings or in an administrative or out-of-court procedure.

The processing of sensitive personal data is lawful where it —

  • is necessary for the purposes of providing or obtaining legal advice or for the purposes of, or in connection with, legal claims, prospective legal claims, legal proceedings or prospective legal proceedings, or
  • is otherwise necessary for the purposes of establishing, exercising or defending legal rights.

Electoral activities and Referendum

Subject to suitable and specific measures to safeguard the fundamental rights and freedoms of data subjects, the processing of personal data revealing political opinions is lawful where the processing is carried out—

  • in the course of electoral activities in the State for the purpose of compiling data on people’s political opinions by a political party, or a candidate for election to, or a holder of, elective political office in the State, and
  • by the Referendum Commission in the performance of its functions.

Where in the course of electoral activities, the operation of the democratic system in a Member State requires that political parties compile personal data on people’s political opinions, the processing of such data may be permitted for reasons of public interest, provided that appropriate safeguards are established.

The permitted processing of sensitive political data is limited to that carried out by candidates or parties in the course of electoral activities, for the purpose of compiling data on political opinions. It is subject to safeguards for fundamental rights and freedoms. The exemption is limited to the period in which the electoral activities take place. This will necessarily precede an election. There may be issues of interpretation as to how long the electoral period lasts.


Administration of justice and performance of legal functions

Subject to suitable and specific measures to safeguard the fundamental rights and freedoms of data subjects, the processing of sensitive personal data shall be lawful where the processing respects the essence of the right to data protection and is necessary and proportionate for—

  • the administration of justice, or
  • the performance of a function conferred on a person by or under an enactment or by the Constitution.

Health insurance and pension purposes

The GDPR allows an exception for health purposes, including public health and the management of health-care services, especially in order to ensure the quality and cost-effectiveness of the procedures used for settling claims for benefits and services in the health insurance system, or for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.

Subject to suitable and specific measures being taken to safeguard the fundamental rights and freedoms of data subjects, the processing of data concerning health is lawful where it is necessary and proportionate for the purposes of the following:

  • a policy of insurance or life assurance,
  • a policy of health insurance or health-related insurance,
  • an occupational pension, a retirement annuity contract or any other pension arrangement, or
  • the mortgaging of property.

Regulations Specifying reasons of substantial public interest

Processing of sensitive personal data is lawful where the processing is carried out in accordance with regulations authorising the processing of sensitive personal data where the processing is necessary for reasons of substantial public interest. The regulations must identify the substantial public interest concerned and have specific protections to safeguard the fundamental rights and freedoms of the data subject.

Regulations may be made by the Minister. They shall be referred to the Data Protection Commission before their enactment, which shall conduct an impact assessment. The impact assessment shall have the purpose of ascertaining whether the proposed processing of special categories is necessary, proportionate and in compliance with the requirements and the GDPR.

In the event that the Minister does not follow the recommendation of the Data Protection Commission, the Government shall publish in Iris Oifigiúil a reasoned written explanation of the decision of the Government not to follow the recommendation and cause to be laid before the Houses of the Oireachtas a statement containing a reasoned written explanation of the decision of the Government not to follow the recommendation.

The Minister making regulations shall have regard to the need for the protection of individuals with regard to the processing of their personal data and shall have regard to—

  • the nature, scope, and purposes of the processing,
  • the nature of the substantial public interest concerned,
  • any benefits likely to arise for the data subjects concerned,
  • any risks arising for the rights and freedoms of such subjects,
  • the likelihood of any such risks arising, and
  • the severity of such risks.

Regulations must respect the essence of the right to data protection and enable processing of such data only in so far as is necessary and proportionate to the aim sought to be achieved.


Measures to Protect Fundamental Rights I

Where a requirement that suitable and specific measures be taken to safeguard the fundamental rights and freedoms of data subjects in processing personal data of those subjects is imposed, those measures may include

  • explicit consent of the data subject for the processing of his or her personal data for one or more specified purposes,
  • limitations on access to the personal data undergoing processing within a workplace in order to prevent unauthorised consultation, alteration, disclosure or erasure of personal data,
  • strict time limits for the erasure of personal data and mechanisms to ensure that such limits are observed,
  • specific targeted training for those involved in processing operations

Measures to Protect Fundamental Rights II

Measures may include, having regard to the state of the art, the context, nature, scope and purposes of data processing and the likelihood of risk to, and the severity of any risk to, the rights and freedoms of data subjects, the following

  • logging mechanisms to permit verification of whether and by whom the personal data have been consulted, altered, disclosed or erased,
  • in cases in which it is not mandatory under the Data Protection Regulation, designation of a data protection officer,
  • where the processing involves data relating to the health of a data subject, a requirement that the processing is undertaken by a qualified health professional,
  • pseudonymisation of the personal data, and
  • encryption of the personal data.

Measures to Protect Fundamental Rights III

Regulations may be made for either or both of the following purposes

  • to identify additional suitable and specific measures that may be taken to safeguard the fundamental rights and freedoms of data subjects,
  • to specify that a measure or measures referred to above or an additional measure or measures, or both, is or are mandatory in respect of the processing to which they are stated to apply.

Additional suitable and specific measures identified in regulations made may relate to—

  • governance structures,
  • processes or procedures for risk assessment purposes,
  • processes or procedures for the management and conduct of research projects, and
  • other technical and organisational measures designed to ensure that the processing is carried out in accordance with the Data Protection Regulation and processes for testing and evaluating the effectiveness of such measures.

Processing of Sensitive personal data for other Purposes

The processing of sensitive personal data for a purpose other than the purpose for which the data has been collected is lawful to the extent that such processing is necessary and proportionate for the purposes

  • of preventing a threat to national security, defence or public security,
  • of preventing, investigating or prosecuting criminal offences, or
  • of providing or obtaining legal advice or for the purposes of, or in connection with, legal claims, prospective legal claims, legal proceedings or prospective legal proceedings, or is otherwise necessary for the purposes of establishing, exercising or defending legal rights.
