Processing of sensitive personal data

9.(1) Processing of sensitive personal data shall be prohibited unless

(a) the data subject gives his consent to the processing;

(b) the processing is necessary for the purposes of exercising or performing any right or obligation which is conferred or imposed by law on the data controller in connection with employment;

(c) the processing is necessary in order to protect the vital interests of the data subject or another person, in a case where

(i) consent cannot be given by or on behalf of the data subject; or

(ii) the data controller cannot reasonably be expected to obtain the consent of the data subject;

(d) the processing is necessary in order to protect the vital interests of another person, in a case where consent by or on behalf of the data subject has been unreasonably withheld;

(e) the processing

(i) is carried out in the course of its legitimate activities by any body or association which

(A) is not established or conducted for profit; and

(B) exists for political, philosophical, religious or trade union purposes;

(ii) is carried out with appropriate safeguards for the rights and freedoms of data subjects;

(iii) relates only to individuals who either are members of the body or association or have regular contact with it in connection with its purposes; and

(iv) does not involve disclosure of the personal data to a third party without the consent of the data subject;

(f) the information contained in the personal data has been made public as a result of steps deliberately taken by the data subject;

(g) the processing is necessary

(i) for the purpose of, or in connection with, any legal proceedings including prospective legal proceedings;

(ii) for the purpose of obtaining legal advice; or

(iii) otherwise for the purposes of establishing, exercising or defending legal rights;

(h) the processing is necessary for the administration of justice;

(i) the processing is necessary for the exercise of any functions of either House of Parliament;

(j) the processing is necessary for the exercise of any functions conferred on any person by or under an enactment;

(k) the processing is necessary for the exercise of any functions of a public authority;

(l) the processing is necessary for medical purposes and is undertaken by

(i) a health care professional; or

(ii) a person who in the circumstances owes a duty of confidentiality which is equivalent to that which would arise if that person were a health care professional;

(m) the processing

(i) is of sensitive personal data consisting of information as to racial or ethnic origin; and

(ii) is necessary for the purpose of identifying or keeping under review, the existence or absence of equality of opportunity or treatment between persons of different racial or ethnic origins, with a view to enabling such equality to be promoted or maintained; and

(iii) is carried out with appropriate safeguards for the rights and freedoms of data subjects.

(2) The Minister may by order specify circumstances other that those identified in subsection (1) where sensitive personal data may be processed.

(3) An order made pursuant to subsection (2) is subject to negative resolution.

(4) For the purposes of subsection (1)(l) “medical purposes” includes the purposes of preventative medicine, medical diagnosis, medical research, the provision of care and treatment and the management of health care services

<-- Contents page