Data Protection Act 2018

55

Processing of personal data relating to criminal convictions and offences

55. (1) Without prejudice to the Criminal Justice (Spent Convictions and Certain Disclosures) Act 2016 and subject to compliance with Article 6(1) and to suitable and specific measures being taken to safeguard the fundamental rights and freedoms of the data subject, personal data referred to in Article 10 (in this section referred to as “Article 10 data”) may be processed—

(a) under the control of official authority, or

(b) where—

(i) the data subject has given explicit consent to the processing for one or more specified purposes except where the law of the European Union or the law of the State prohibits such processing,

(ii) processing is necessary and proportionate for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract,

(iii) processing is—

(I) necessary for the purpose of providing or obtaining legal advice or for the purposes of, or in connection with, legal claims, prospective legal claims, legal proceedings or prospective legal proceedings, or

(II) otherwise necessary for the purposes of establishing, exercising or defending legal rights,

(iv) processing is necessary to prevent injury or other damage to the data subject or another person or loss in respect of, or damage to, property or otherwise to protect the vital interests of the data subject or another person, or

(v) processing is permitted in regulations made under subsection (3) or is otherwise authorised by the law of the State.

(2) Processing under the control of official authority referred to in subsection (1)(a) includes processing required for the following purposes:

(a) the administration of justice;

(b) the exercise of a regulatory, authorising or licensing function or determination of eligibility for benefits or services;

(c) protection of the public against harm arising from dishonesty, malpractice, breaches of ethics or other improper conduct by, or the unfitness or incompetence of, persons who are or were authorised to carry on a profession or other activity;

(d) enforcement actions aimed at preventing, detecting or investigating breaches of the law of the European Union or the law of the State that are subject to civil or administrative sanctions;

(e) archiving in the public interest, scientific or historical research purposes or statistical purposes where the processing is carried out in accordance with section 42 for those purposes by or on behalf of a public authority or public body.

(3) Without prejudice to the Criminal Justice (Spent Convictions and Certain Disclosures) Act 2016 and subject to suitable and specific measures being taken to safeguard the fundamental rights and freedoms of the data subject and subject to subsection (7), regulations may be made permitting the processing of Article 10 data where the processing is necessary and proportionate to—

(a) assess the risk of fraud or prevent fraud,

(b) assess the risk of bribery or corruption, or both, or to prevent bribery or corruption, or both, or

(c) ensure network and information systems security, and prevent attacks on and damage to computer and electronic communications systems.

(4) Subject to subsection (5), regulations may be made under subsection (3)

(a) by the Minister following consultation with such other Minister of the Government as he or she considers appropriate, or

(b) by any other Minister of the Government following consultation with the Minister and such other Minister of the Government as he or she considers appropriate.

(5) The Minister or any other Minister of the Government shall consult with the Commission before making regulations under subsection (3).

(6) The Commission may, on being consulted under subsection (5), make observations in writing on any matter which is of significant concern to it in relation to the proposed regulations and, if the Minister or any other Minister of the Government proposes to proceed to make the regulations notwithstanding that concern, that Minister shall, before making the regulations, give a written explanation as to why he or she is so proceeding to—

(a) the Committee established jointly by Dáil Éireann and Seanad Éireann known as the Committee on Justice and Equality or any Committee established to replace that Committee, and

(b) any other Committee (within the meaning of section 19(1)) which that Minister considers appropriate having regard to the subject matter of the regulations.

(7) The Minister or any other Minister of the Government, as the case may be, making regulations under subsection (3) shall have regard to the need for the protection of individuals with regard to the processing of their personal data and without prejudice to the generality of that need, have regard to—

(a) the nature, scope and purposes of the processing,

(b) any risks arising for the rights and freedoms of individuals, and

(c) the likelihood of any such risks arising and the severity of such risks.

(8) A person who knowingly or recklessly contravenes this section or any regulations made under subsection (3) shall be guilty of an offence and shall be liable—

(a) on summary conviction to a class A fine or imprisonment for a term not exceeding 12 months or both, or

(b) on conviction on indictment, to a fine not exceeding €50,000 or imprisonment for a term not exceeding 5 years or both.

(9) In this section, “Article 10 data” shall include personal data relating to the alleged commission of an offence and any proceedings in relation to such an offence.