24. Conditions for processing sensitive personal data in accordance with the first standard

24.—

1. The conditions referred to in section 22(1)(b) are that—

(a) the data subject consents in writing to the processing of the sensitive personal data;

(b) the processing is necessary for the purposes of exercising or performing any right or obligation which is conferred, or imposed, by law on that data controller in connection with employment or social security benefits;

(c) the processing is necessary—

(i) in order to protect the vital interests of the data subject or another individual, in any case where—

(A) consent cannot be given by or on behalf of the data subject; or

(B) the data controller cannot reasonably be expected to obtain the consent of the data subject, the data controller having exhausted all reasonable efforts to obtain that consent; or

(ii) in order to protect the vital interests of another individual, in any case where consent by or on behalf of the data subject has been unreasonably withheld;

(d) the processing—

(i) is carried out in the course of legitimate actions by any body or association which—

(A) is not established or conducted for profit; and

(B) exists for political, philosophical, religious or trade-union purposes;

(ii) is carried out with appropriate safeguards for the rights and freedoms of data subjects;

(iii) relates only to individuals who either are members of the body or association or have regular contact with it in connection with its purposes; and

(iv) does not involve disclosure of the personal data to a third party without the consent of the data subject;

(e) the information contained in the personal data has been made public as a result of steps deliberately taken by the data subject;

(f) the processing—

(i) is necessary for the purpose of, or in connection with, any legal proceedings (including prospective legal proceedings);

(ii) is necessary for the purpose of obtaining legal advice; or

(iii) is otherwise necessary for the purposes of establishing, exercising or defending legal rights;

(g) the processing is necessary for—

(i) the administration of justice; or

(ii) the exercise of any functions conferred on any person by or under any enactment;

(h) the processing—

(i) is either—

(A) the disclosure of sensitive personal data by a person as a member of an anti-fraud organisation or otherwise in accordance with any arrangements made by such an organisation; or

(B) any other processing by a person referred to in sub-paragraph (A) or another person of sensitive personal data so disclosed; and

(ii) is necessary for the purposes of preventing fraud;

(i) the processing is necessary for medical purposes and is undertaken by—

(i) a health professional; or

(ii) a person who in the circumstances owes a duty of confidentiality which is equivalent to that which would arise if that person were a health professional;

(j) the processing—

(i) is of sensitive personal data consisting of information as to racial or ethnic origin;

(ii) is necessary for the purpose of identifying or keeping under review the existence or absence of equality of opportunity or treatment between individuals of different racial or ethnic origins, with a view to enabling such equality to be promoted or maintained; and

(iii) is carried out with appropriate safeguards for the rights and freedoms of data subjects;

(k) the sensitive personal data are processed in circumstances specified in an order made by the Minister in accordance with section 74(3)(e) for the purposes of this section.

2. In this section— “anti-fraud organisation” means any unincorporated association, body corporate, or other person, who enables or facilitates any sharing of information to prevent fraud, or who has any of the aforementioned matters as one of its purposes; “medical purposes” includes the purposes of preventative medicine, medical diagnosis, medical research, the provision of care and treatment and the management of healthcare services.

3. The Minister may by order in accordance with section 74(3)(e)—

(a) exclude the application of subsection (1)(b) or (g) in such cases as may be specified; or

(b) provide that, in such cases as may be specified, the condition in subsection (1)(b) or (g) is not to be regarded as satisfied unless such further conditions as may be specified in the order are also satisfied.

4. The Minister may, by order in accordance with section 74(3)(e), specify circumstances in which processing falling within subsection (1)(j)(i) or (ii) is, or is not, to be taken for the purposes of subsection (1)(j)(iii) to be carried out with appropriate safeguards for the rights and freedoms of data subjects.

5. The Commissioner may by order in accordance with section 74(3)(f) specify the cases in which the conditions specified in subsection (1) shall be deemed not to have been met regardless of whether the consent of the data subject has been obtained.

6. For the avoidance of doubt, a data subject may at any time withdraw consent to the processing of any sensitive personal data in respect of that data subject.