Data Protection Act 1988
F12[Processing of sensitive personal data.
2B.—(1) Sensitive personal data shall not be processed by a data controller unless:
(a) sections 2 and 2A (as amended and inserted, respectively, by the Act of 2003) are complied with, and
(b) in addition, at least one of the following conditions is met:
(i) the consent referred to in paragraph (a) of subsection (1) of section 2A (as inserted by the Act of 2003) of this Act is explicitly given,
(ii) the processing is necessary for the purpose of exercising or performing any right or obligation which is conferred or imposed by law on the data controller in connection with employment,
(iii) the processing is necessary to prevent injury or other damage to the health of the data subject or another person or serious loss in respect of, or damage to, property or otherwise to protect the vital interests of the data subject or of another person in a case where—
(I) consent to the processing cannot be given by or on behalf of the data subject in accordance with section 2A(1)(a) (inserted by the Act of 2003) of this Act, or
(II) the data controller cannot reasonably be expected to obtain such consent,
or the processing is necessary to prevent injury to, or damage to the health of, another person, or serious loss in respect of, or damage to, the property of another person, in a case where such consent has been unreasonably withheld,
(iv) the processing—
(I) is carried out in the course of its legitimate activities by any body corporate, or any unincorporated body of persons, that—
(A) is not established, and whose activities are not carried on, for profit, and
(B) exists for political, philosophical, religious or trade union purposes,
(II) is carried out with appropriate safeguards for the fundamental rights and freedoms of data subjects,
(III) relates only to individuals who either are members of the body or have regular contact with it in connection with its purposes, and
(IV) does not involve disclosure of the data to a third party without the consent of the data subject,
(v) the information contained in the data has been made public as a result of steps deliberately taken by the data subject,
(vi) the processing is necessary—
(I) for the administration of justice,
(II) for the performance of a function conferred on a person by or under an enactment, or
(III) for the performance of a function of the Government or a Minister of the Government,
(vii) the processing—
(I) is required for the purpose of obtaining legal advice or for the purposes of, or in connection with, legal proceedings or prospective legal proceedings, or
(II) is otherwise necessary for the purposes of establishing, exercising or defending legal rights,
(viii) the processing is necessary for medical purposes and is undertaken by—
(I) a health professional, or
(II) a person who in the circumstances owes a duty of confidentiality to the data subject that is equivalent to that which would exist if that person were a health professional,
(ix) the processing is necessary in order to obtain information for use, subject to and in accordance with the Statistics Act 1993, only for statistical, compilation and analysis purposes,
(x) the processing is carried out by political parties, or candidates for election to, or holders of, elective political office, in the course of electoral activities for the purpose of compiling data on people’s political opinions and complies with such requirements (if any) as may be prescribed for the purpose of safeguarding the fundamental rights and freedoms of data subjects,
(xi) the processing is authorised by regulations that are made by the Minister and are made for reasons of substantial public interest,
(xii) the processing is necessary-for the purpose of the assessment, collection or payment of any tax, duty, levy or other moneys owed or payable to the State and the data has been provided by the data subject solely for that purpose,
(xiii) the processing is necessary for the purposes of determining entitlement to or control of, or any other purpose connected with the administration of any benefit, pension, assistance, allowance, supplement or payment under the Social Welfare (Consolidation) Act 1993, or any nonstatutory scheme administered by the Minister for Social, Community and Family Affairs.
(2) The Minister may by regulations made after consultation with the Commissioner—
(a) exclude the application of subsection (1)(b)(ii) of this section in such cases as may be specified, or
(b) provide that, in such cases as may be specified, the condition in the said subsection (1)(b)(ii) is not to be regarded as satisfied unless such further conditions as may be specified are also satisfied.
(3) The Minister may by regulations make such provision as he considers appropriate for the protection of data subjects in relation to the processing of personal data as to—
(a) the commission or alleged commission of any offence by data subjects,
(b) any proceedings for an offence committed or alleged to have been committed by data subjects, the disposal of such proceedings or the sentence of any court in such proceedings,
(c) any act or omission or alleged act or omission of data subjects giving rise to administrative sanctions,
(d) any civil proceedings in a court or other tribunal to which data subjects are parties or any judgment, order or decision of such a tribunal in any such proceedings,
and processing of personal data shall be in compliance with any regulations under this subsection.
(4) In this section—
"health professional" includes a registered medical practitioner, within the meaning of the Medical Practitioners Act 1978, a registered dentist, within the meaning of the Dentists Act 1985 or a member of any other class of health worker or social worker standing specified by regulations made by the Minister after consultation with the Minister for Health and Children and any other Minister of the Government who, having regard to his or her functions, ought, in the opinion of the Minister, to be consulted;
"medical purposes" includes the purposes of preventive medicine, medical diagnosis, medical research, the provision of care and treatment and the management of healthcare services.]
Inserted (1.07.2003) by Data Protection Amendment Act 2003 (6/2003), s. 4, S.I. No. 207 of 2003. Amendments to section pursuant to 6/2003, s. 23 in respect of manual data held in relevant filing systems on the passing of 6/2003 commenced (24.10.2007) by s. 23(4), subject to transitional provision in subs. (5).
Modifications (not altering text):
Term “registered medical practitioner” construed (3.7.2008) by Medical Practitioners Act 2007 (25/2007), s. 108(1), S.I. No. 231 of 200.
Construction of references to registered medical practitioner and Medical Council, etc.
108.— (1) Every reference to a registered medical practitioner contained in any enactment or any statutory instrument shall be construed as a reference to a registered medical practitioner within the meaning of section 2.
Power pursuant to subs. (1)(b)(xi) exercised (12.07.2022) by Data Protection Act 1988 (Section 2B) Regulations 2022 (S.I. No. 354 of 2022).
Power pursuant to subs. (1)(b)(xi) exercised (30.07.2016) by Data Protection Act 1988 (Section 2 B) (No. 2) Regulations 2016 (S.I. No. 427 of 2016).
Power pursuant to subs. (1)(b)(xi) exercised (30.07.2016) by Data Protection Act 1988 (Section 2 B) Regulations 2016 (S.I. No. 426 of 2016); revoked other than for certain excepted purposes (25.05.2018) by Data Protection Act 2018 (7/2018), s. 7(3), (4) and sch. 1 item 10, S.I. No. 174 of 2018. The excepted purposes in subs. (4) are 7/2018, s. 8(1)(b) (the processing of such data under the Criminal Justice (Forensic Evidence and DNA Database System) Act 2014 (11/2014) or the Vehicle Registration Data (Automated Searching and Exchange) Act 2018 (5/2018) to the extent that the Act of 1988 is applied in those Acts) and s. 8(2), (3) (transitional provisions).
Power pursuant to subs. (1)(b)(xi) exercised (10.06.2015) by Data Protection Act 1988 (Section 2B) Regulations 2015 (S.I. No. 240 of 2015).
Power pursuant to subs. (1)(b)(xi) exercised (15.06.2012) by Data Protection Act 1988 (Section 2B) Regulations 2012 (S.I. No. 209 of 2012).
Power pursuant to subs. (1)(b)(xi) exercised (27.09.2011) by Data Protection Act 1988 (Section 2B) Regulations 2011 (S.I. No. 486 of 2011).