Data Protection Act 2018

68

Saver for regulations under Act of 1988

68. (1) Notwithstanding subsection (1) of section 8, the Data Protection Act 1988 (Section 2A) Regulations 2013 (S.I. No. 313 of 2013) and the Data Protection Act 1988 (Section 2A) Regulations 2016 (S.I. No. 220 of 2016) shall, in addition to applying for the purposes referred to in that subsection, apply for all other purposes for which they applied immediately before the commencement of that subsection and, in so far only as they apply for the second-mentioned purposes, they shall be deemed to have been made under section 38 and may be amended or revoked accordingly.

(2) (a) The Data Protection Health Regulations shall continue in force upon and after the commencement of section 7 (in so far as it relates to the repeal of section 4(8) of the Act of 1988) until the first set of regulations are made under section 60(5)(a).

(b) The Data Protection Health Regulations are amended—

(i) in Regulation 3, by—

(I) the deletion of the definition of “the Act”,

(II) the deletion of the definition of “health professional”, and

(III) the insertion of the following definitions:

“ ‘Data Protection Regulation’ means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 20169 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);

‘health practitioner’ has the same meaning as it has in the Health Identifiers Act 2014.”,

(ii) in Regulation 4(1), by—

(I) the substitution of “a request under Article 15 of the Data Protection Regulation” for “a request under section 4(1)(a) of the Act”, and

(II) the substitution of “the physical or mental health of the data subject, but this restriction on providing information applies only to the extent to which, and for so long as, that likelihood pertains.” for “the physical or mental health of the data subject.”,

(iii) in Regulation 5, by—

(I) the substitution of “health practitioner” for “health professional” in each place it occurs,

(II) the substitution, in paragraph (1)(a), of “a request under the said Article 15 of the Data Protection Regulation” for “a request under the said section 4(1)(a)”, and

(III) the substitution, in paragraph (2)(a), of “within the meaning of section 2 of the Medical Practitioners Act 2007 or a medical practitioner practising medicine pursuant to section 50 of that Act” for “within the meaning of the Medical Practitioners Act 1978 (No. 4 of 1978), or registered dentist, within the meaning of the Dentists Act 1985 (No. 9 of 1985)”,

and

(iv) by the deletion of Regulation 6.

(c) A request referred to in Regulation 4(1) of the Data Protection Health Regulations which includes a request for health data (within the meaning of those Regulations) that was received but not responded to before the commencement of section 7 (in so far as it relates to the repeal of section 4(8) of the Act of 1988) shall be treated as if it were a request under Article 15 of the Data Protection Regulation.

(3) (a) The Data Protection Social Work Regulations shall continue in force upon and after the commencement of section 7 (in so far as it relates to the repeal of section 4(8) of the Act of 1988) until the first set of regulations are made under section 60(5)(b).

(b) The Data Protection Social Work Regulations are amended—

(i) in Regulation 3, by—

(I) the deletion of the definition of “the Act”,

(II) the insertion of the following definition:

“ ‘Data Protection Regulation’ means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 201610 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);”,

and

(III) the substitution of the following definition for the definition of “social work data”:

“ ‘social work data’ means personal data kept for, or obtained in the course of, carrying out social work by a public authority, public body, voluntary organisation or other body but excludes any health data within the meaning of the Data Protection (Access Modification) (Health) (Regulations) 1989 (S.I. No. 82 of 1989) and ‘social work’ shall be construed accordingly.”,

(ii) in Regulation 4—

(I) in paragraph (1), by—

(A) the substitution of “a request under Article 15 of the Data Protection Regulation” for “a request under section 4(1)(a) of the Act”, and

(B) the substitution of “the physical or mental health or emotional condition of the data subject, but this restriction on providing information applies only to the extent to which, and for as long as, that likelihood pertains.” for “the physical or mental health or emotional condition of the data subject.”,

and

(II) in paragraph (3), by the substitution of “under Article 15 of the Data Protection Regulation” for “under section 4(1)(a) of the Act”,

and

(iii) the deletion of Regulation 5.

(c) A request referred to in Regulation 4(1) of the Data Protection Social Work Regulations which includes a request for social work data (within the meaning of those Regulations) that was received but not responded to before the commencement of section 7 (in so far as it relates to the repeal of section 4(8) of the Act of 1988) shall be treated as if it were a request under Article 15 of the Data Protection Regulation.

(4) The Regulations of 2011 shall apply to—

(a) each special category of personal data that, immediately before the coming into operation of this section—

(i) constituted sensitive personal data to which those Regulations applied, or

(ii) would have constituted sensitive personal data to which those Regulations applied had the data existed immediately before such commencement,

and

(b) Article 10 data that, immediately before such coming into operation—

(i) constituted sensitive personal data to which those Regulations applied, or

(ii) would have constituted sensitive personal data to which those Regulations applied had the data existed immediately before such coming into operation.

(5) The Regulations of 2011 are amended—

(a) in Regulation 3, by the substitution of “Subject to suitable and specific measures being taken to safeguard the fundamental rights and freedoms of data subjects, processing” for “Processing”,

(b) in Regulation 4, by the substitution of “Subject to suitable and specific measures being taken to safeguard the fundamental rights and freedoms of data subjects, processing” for “Processing”, and

(c) by the insertion of the following Regulation after Regulation 6:

“7. In these Regulations, “suitable and specific measures to safeguard the fundamental rights and freedoms of data subjects” shall be construed in accordance with section 36 of the Data Protection Act 2018.”.

(6) The Regulations of 2015 shall, in addition to applying to sensitive personal data to which the Act of 1988 applies, apply to—

(a) each special category of personal data that, immediately before the coming into operation of this section—

(i) constituted sensitive personal data to which those Regulations applied, or

(ii) would have constituted sensitive personal data to which those Regulations applied had the data existed immediately before such commencement,

and

(b) Article 10 data that, immediately before such coming into operation—

(i) constituted sensitive personal data to which those Regulations applied, or

(ii) would have constituted sensitive personal data to which those Regulations applied had the data existed immediately before such coming into operation.

(7) The Regulations of 2015 are amended—

(a) in Regulation 2, by the substitution of “Subject to suitable and specific measures being taken to safeguard the fundamental rights and freedoms of data subjects, the processing” for “The processing”, and

(b) by the insertion of the following Regulation after Regulation 2:

“3. In these Regulations, “suitable and specific measures to safeguard the fundamental rights and freedoms of data subjects” shall be construed in accordance with section 36 of the Data Protection Act 2018.”.

(8) The Regulations of 2016 shall, in addition to applying to sensitive personal data to which the Act of 1988 applies, apply to—

(a) each special category of personal data that, immediately before the coming into operation of this section—

(i) constituted sensitive personal data to which those Regulations applied, or

(ii) would have constituted sensitive personal data to which those Regulations applied had the data existed immediately before such commencement,

and

(b) Article 10 data that, immediately before such coming into operation—

(i) constituted sensitive personal data to which those Regulations applied, or

(ii) would have constituted sensitive personal data to which those Regulations applied had the data existed immediately before such coming into operation.

(9) The Regulations of 2016 are amended—

(a) in Regulation 2, by the substitution of “Subject to suitable and specific measures to safeguard the fundamental rights and freedoms of data subjects, the processing” for “The processing”, and

(b) by the insertion of the following Regulation after Regulation 2:

“3. In these Regulations, “suitable and specific measures to safeguard the fundamental rights and freedoms of data subjects” shall be construed in accordance with section 36 of the Data Protection Act 2018.”.

(10) In this section—

“Article 10 data” has the meaning assigned to it in section 55;

“Data Protection Health Regulations” means the Data Protection (Access Modification) (Health) Regulations 1989 (S.I. No. 82 of 1989);

“Data Protection Social Work Regulations” means the Data Protection (Access Modification) (Social Work) Regulations 1989 (S.I. No. 83 of 1989);

“Regulations of 2011” means the Data Protection Act 1988 (Section 2B) Regulations 2011 (S.I. No. 486 of 2011);

“Regulations of 2015” means the Data Protection Act 1988 (Section 2B) Regulations 2015 (S.I. No. 240 of 2015);

“Regulations of 2016” means the Data Protection Act 1988 (Section 2B) (No. 2) Regulations 2016 (S.I. No. 427 of 2016);

“sensitive personal data” has the meaning assigned to it by the Act of 1988.