Sensitive Personal Data

Sensitive Data

The Data Protection Directive requires that Member States of the EU prohibit the processing of special categories of data. Such categories are defined as:

“…data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life”

These are the categories of data that the EU legislature felt were sensitive back in 1995; they are not necessarily that categories that you might feel are sensitive in 2015. Financial data, for example, does not appear on this list nor does location data, though both are arguably more sensitive than knowing whether a person is a member of a trade union.

The Data Protection Directive does not impose an absolute ban on the processing of sensitive personal data, however. The Data Protection Directive goes onto provide for some exceptions which are implemented by section 2B of the Data Protection Act. In addition to where the subject has given his or her “explicit” consent, “…processing is authorised by regulations that are made by the Minister (for Justice) and are made for reasons of substantial public interest…” and data has been “…deliberately…” made public by the subject, the processing of sensitive personal data will also be permitted where it is necessary:

• “…for the purpose of exercising or performing any right or obligation which is conferred or imposed by law on the data controller in connection with employment…”;
• “…to prevent injury or other damage to the health of the data subject or another person or serious loss in respect of, or damage to, property or otherwise to protect the vital interests of the data subject or of another person…” and consent cannot be obtained, cannot reasonably be obtained or has been unreasonably withheld;
• For the “legitimate purposes” of non-profit body that “…exists for political, philosophical, religious or trade union purposes…” but see additional controls;
• for the administration of justice, legal or government function;
• getting legal advice or defending rights;
• for medical purposes and is by a medical professional or equivalent;
• statistical purposes;
• “…in the course of electoral activities…” and undertaken by undertaken by political parties or politicians
• Tax collection
• Statistics
• Social protection

The application of the prohibition on the processing of sensitive personal data is complex; it is discussed in further detail at Chapter 11 of Privacy and Data protection Law in Ireland
[twitter-follow screen_name=’ictlaw_com’]