Data Protection Act 2018

73

Processing of special categories of personal data (Part 5)

73. (1) The processing of a special category of personal data shall be lawful only where—

(a) section 71 is complied with, and

(b) at least one of the following conditions is met:

(i) where the processing is to be carried out on the basis of the consent of the data subject pursuant to section 71(2)(b), the consent referred to in that paragraph explicitly refers to the special category of personal data concerned;

(ii) the processing is necessary—

(I) to prevent injury or other damage to the data subject or another individual,

(II) to prevent loss in respect of, or damage to, property, or

(III) otherwise to protect the vital interests of the data subject or another individual;

(iii) the personal data to which the processing relates have been made public as a result of steps deliberately taken by the data subject;

(iv) the processing is necessary for—

(I) the administration of justice,

(II) the performance of a function conferred on a person by or under an enactment, or

(III) the performance of a function of the Government or a Minister of the Government;

(v) the processing—

(I) is required for the purposes of providing or obtaining legal advice or for the purposes of, or in connection with, legal claims, prospective legal claims, legal proceedings or prospective legal proceedings, or

(II) is otherwise required for the purposes of establishing, exercising or defending legal rights;

(vi) the processing is necessary for medical purposes and is carried out by, or under the responsibility of—

(I) a health practitioner, or

(II) a person who in the circumstances owes a duty of confidentiality to the data subject that is equivalent to that which would exist if that person were a health practitioner;

(vii) the processing is necessary for the purposes of exercising or performing any right or obligation which is conferred or imposed by law on the controller or the data subject in connection with employment or social welfare law;

(viii) the processing is carried out pursuant to section 71(6);

(ix) the processing is authorised by regulations made under subsection (2).

(2) Regulations may be made permitting the processing of special categories of personal data for the purposes of subsection (1)(b)(ix) where the processing is necessary for reasons of substantial public interest, and without prejudice to the generality of the foregoing, such regulations shall identify the public interest concerned.

(3) Subject to subsection (4), regulations may be made under subsection (2)

(a) by the Minister following consultation with such other Minister of the Government as he or she considers appropriate, or

(b) by any other Minister of the Government following consultation with the Minister and such other Minister of the Government as he or she considers appropriate.

(4) The Minister or any other Minister of the Government shall consult with the Commission before making regulations under subsection (2).

(5) The Commission may, on being consulted under subsection (4), make observations in writing on any matter which is of significant concern to it in relation to the proposed regulations and if the Minister or any other Minister of the Government proposes to proceed to make the regulations notwithstanding that concern, that Minister shall, before making the regulations, give a written explanation as to why he or she is so proceeding to—

(a) the Committee established jointly by Dáil Éireann and Seanad Éireann known as the Committee on Justice and Equality or any Committee established to replace that Committee, and

(b) any other Committee (within the meaning of section 19(1)) which that Minister considers appropriate having regard to the subject matter of the regulations.

(6) The Minister or any other Minister of the Government, as the case may be, making regulations under subsection (2) shall have regard to the need for the protection of individuals with regard to the processing of their personal data and without prejudice to the generality of that need, have regard to—

(a) the nature, scope and purposes of the processing,

(b) the nature of the substantial public interest concerned,

(c) any benefits likely to arise for the data subjects concerned,

(d) any risks arising for the rights and freedoms of such subjects, and

(e) the likelihood of any such risks arising and the severity of such risks.

(7) Where a special category of personal data is processed in accordance with this section, the controller shall ensure that the processing is carried out with appropriate safeguards for the rights and freedoms of the data subject.

(8) In this section—

“health practitioner” has the same meaning as it has in the Health Identifiers Act 2014;

“medical purposes” includes the purposes of preventative medicine, medical diagnosis, medical research, the provision of medical care and treatment and the management of healthcare services.