HomeData Protection GuidelinesSensitive Personal DataCollection and retention of Sensitive Personal Data
 

Collection and Retention of Sensitive Personal Data

Schools and ETBs need to be particularly mindful of the special conditions attaching to the processing of sensitive personal data.

Specific conditions attach to the collection and retention by schools/ETBs (as data controllers) of sensitive personal data.  The School/ETB must determine that the processing is necessary, based on one of the grounds set out in (a) below, and one of the grounds set out in (b) below. 

(a) The processing of personal data is necessary for one of the following reasons, or falls under one of the following headings:

  • The data subject has given their fully informed explicit consent to the processing of their data.  In other words, the data subject has been fully informed of the purpose(s) in processing the data, the details of any disclosures (what will be disclosed and to whom) and has supplied their data on that understanding.  Where the data subject is unable to give their explicit, free and informed consent for reasons of physical or mental incapacity or age, explicit consent must be given by a parent/legal guardian to the processing of sensitive personal data.  As a general rule, a student aged 18 years or older may give consent themselves (unless that student is suffering under a disability or condition which may impair their capacity to give consent).  Where a student is under 18 years, consent to processing their sensitive personal data should be obtained from their parent/legal guardian. Note: schools/ETBs should note that consent must be free, informed and capable of being withdrawn at any time. View what is informed consent. In certain cases, the withdrawal of consent would not be applicable, (e.g. where the processing in question has already been completed).
  • The processing is necessary for the performance of a contract to which the data subject is a party or
  • The processing is necessary to take steps at the request of the data subject prior to entering into a contract or
  • The processing is necessary for compliance with a legal obligation to which the data controller is subject (other than an obligation imposed by contract) or
  • The processing is necessary to prevent injury or other damage to the health of the data subject or otherwise to protect their vital interests where the seeking of the consent of the data subject (or the consent of another person on the data subject’s behalf) is likely to result in those interests being damaged
  • The processing is necessary to prevent the serious loss of or damage to property of the data subject or otherwise to protect their vital interests where the seeking of the consent of the data subject (or the consent of another person on the data subject’s behalf) is likely to result in those interests being damage 
  • The processing is necessary for the administration of justice. (Note: this is unlikely to apply to schools/ETBs and is generally reserved for State agencies such as law enforcement authorities, the courts etc).
  • The processing is necessary for the performance of a function conferred upon a person/organisation by or under an enactment or
  • The processing is necessary for the performance of a function of the Government or a Minister of the Government
  • The processing is necessary for the performance of any other function of a public nature performed in the public interest by a person or
  • The processing is necessary for the purposes of the legitimate interests pursued by the data controller or by a third party or parties to whom the data is  disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the fundamental rights and freedoms or legitimate interests of the data subject

AND

(b)    As well as complying with one ground in (a) above, the processing of sensitive personal data is necessary for one of the following reasons:

  • The data subject has given their fully informed explicit consent to the processing of their data.  In other words, the data subject has been fully informed of the purpose(s) in processing the data, the details of any disclosures (what will be disclosed and to whom) and has supplied their data on that understanding.  Where the data subject is unable to give their explicit, free and informed consent for reasons of physical or mental incapacity or age, explicit consent must be given by a parent/legal guardian to the processing of sensitive personal data.  As a general rule, a student aged 18 years or older may give consent themselves (unless that student is suffering under a disability or condition which may impair their capacity to give consent).  Where a student is under 18 years, consent to processing their sensitive personal data should be obtained from their parent/legal guardian. Note: Schools/ETBs should note that consent must be free, informed and capable of being withdrawn at any time. View what is informed consent
  • The processing is necessary for the purpose of exercising or performing any right or obligation which is conferred or imposed by law on the data controller in connection with employment
  • The processing is necessary to prevent injury or other damage to the health of the data subject or another person or serious loss in respect of or damage to, property or otherwise to protect the vital interests of the data subject or of another person in a case where consent cannot be given by or on behalf of the data subject or where the data controller cannot reasonably be expected to obtain such consent
  • The processing is necessary to prevent injury to or damage to the health of, another person, or serious loss in respect of, or damage to, the property of another person, in a case where such consent has been unreasonably withheld
  • The processing is carried out in the course of its legitimate activities by any body corporate or any unincorporated body of persons that is (a) not established and whose activities are not carried on for profit and (b) exists for political, philosophical, religious or trade union purposes, is carried out with appropriate safeguards for the fundamental rights and freedoms of data subjects, relates only to individuals who either are members of the body or have regular contact with it in connection with its purposes and does not involve disclosure of the data to a third party without the consent of the data subject. 
  • The information has been made public as a result of steps deliberately taken by the data subject
  • The processing is necessary for the administration of justice (Note: this is unlikely to apply to schools/ETBs and is generally reserved for State agencies such as law enforcement authorities, the courts etc.).
  • The processing is necessary for the performance of a function conferred upon a person/organisation by or under an enactment or
  • The processing is necessary for the performance of a function of the Government or a Minister of the Government
  • The processing is necessary for the purpose of obtaining legal advice or in connection with legal proceedings or prospective legal proceedings or is necessary for the purposes of establishing, exercising or defending legal rights. Note: in any case where a school/ETB is seeking to rely on this ground, it may be prudent to obtain legal advice, although this is not required by the Data Protection Acts.
  • The processing is necessary for medical purposes (which includes preventive medicine, medical diagnosis, medical research, the provision of care and treatment and the management of healthcare services) and the processing is undertaken by a health professional (i.e. a registered medical practitioner (e.g. a GP a dentist, a health worker or social worker)
  • The processing is necessary in order to obtain information for use, subject to and in accordance with the Statistics Act 1993, only for statistical, compilation and analysis purposes. Note: this is unlikely to apply to schools/ETBs
  • The processing is carried out by political parties or candidates for election to, or holders of, elective political office, in the course of electoral activities for the purpose of compiling data on people’s political opinions and complies with such requirements (if any) as may be prescribed for the purpose of safeguarding the fundamental rights and freedoms of data subjects. Note: this will not apply to schools/ETBs
  • The processing is authorised by regulations that are made by the Minister and are made for reasons of substantial public interest
  • The processing is necessary for the purpose of the assessment, collection or payment of any tax, duty, levy or other moneys owed or payable to the State and the data has been provided by the data subject solely for that purpose. Note: this will generally not apply to schools and will generally apply to State agencies such as the Revenue Commissioners.
  • The processing is necessary for the purpose of determining entitlement to or control of or any other purpose in connection with the administration of any benefit, pension, assistance, allowance, supplement or payment under the Social Welfare (Consolidation) Act 1993 or any nonstatutory scheme administered by the Minister for Social, Community and Family Affairs.  Note: this will generally not apply to schools and will generally apply to State agencies such as the Department of Social Protection.