Guide to Data Protection Act for Data Controllers
- Change log
- Introduction
- How to use this guidance
- Key definitions
- Who does the DPA apply to?
- What is processing of personal data?
- What is a data controller?
- What is a data processor?
- What information does the DPA apply to?
- Data Protection Principles
- First Data Protection Principle - Fair and lawful processing
- Second Data Protection Principle - Purpose limitation
- Third Data Protection Principle - Data minimization
- Fourth Data Protection Principle – Data accuracy
- Fifth Data Protection Principle - Storage limitation
- Sixth Data Protection Principle – Respect for the individual’s rights
- Seventh Data Protection Principle - Security – integrity and confidentiality
- Eighth Data Protection Principle - International transfers
- Legal basis for processing
- Sensitive personal data
- Individual rights
- Personal data breaches
- Exemptions
- National Security
- Crime, government fees and duties
- Health
- Education
- Social Work
- Monitoring, inspection or regulatory function
- Journalism, literature or art
- Research, history or statistics
- Information available to public by or under enactments
- Disclosures required by law or made in connection with legal proceedings
- Personal, family or household affairs
- Honours
- Corporate finance
- Negotiations
- Legal professional privilege and trusts
- Contracts between data controllers and data processors
- Questions or comments?
Sensitive personal data
At a glance
- “Sensitive personal data” is a defined term within the DPA and covers classes of personal data that warrant extra protection.
- In order to legally process sensitive personal data, you must identify both a legal basis (condition) for processing in Schedule 2 as well as a basis for processing sensitive personal data in Schedule 3 of the DPA. These do not have to be linked, but they may be.
- There are eight conditions for processing sensitive personal data in Schedule 3 of the DPA.
- You must determine your condition for processing sensitive personal data before you begin this processing under the DPA, and you should document it.
In brief
- What is “sensitive personal data”?
- What’s different about sensitive personal data?
- What are the conditions for processing special category data?
What is “sensitive personal data”?
Sensitive personal data is a subset of personal data which carries increased risks. Section 3 of the DPA defines “sensitive personal data” as personal data consisting of:
(a) the racial or ethnic origin of the data subject;
(b) the political opinions of the data subject;
(c) the data subject’s religious beliefs or other beliefs of a similar nature;
(d) whether the data subject is a member of a trade union;
(e) genetic data of the data subject;
(f) the data subject’s physical or mental health or condition;
(g) medical data;
(h) the data subject’s sex life;
(i) the data subject’s commission, or alleged commission, of an offence; or
(j) any proceedings for any offence committed, or alleged, to have been committed, by the data subject, the disposal of any such proceedings or any sentence of a court in the Islands or elsewhere.
What’s different about sensitive personal data?
When processing any of the types of sensitive personal data listed above, you must still satisfy one of the conditions for legal processing in Schedule 2, but you must also satisfy one of the conditions in Schedule 3 of the DPA.
This is because the processing of sensitive personal data carries more risks, and so needs more protection. In particular, this type of data could create more significant risks to a person’s fundamental rights and freedoms. For example, by putting them at risk of unlawful discrimination.
Your choice of an applicable legal basis for processing sensitive personal data in Schedule 3 does not dictate which condition you must apply, and vice versa. Instead, you can use any of the conditions in that schedule. You should choose whichever sensitive data condition is the most appropriate in the circumstances – although in many cases there may well be an obvious link between the two. For example, if your lawful condition for processing (in Schedule 2) is vital interests, it is highly likely that corresponding condition for vital interests (in Schedule 3) will also be appropriate.
In assessing whether a particular piece of information is sensitive data will depend on a reasonableness test. For example, the unfounded rumor that a head of state is holding someone hostage in their basement will not be held to be sensitive personal data about the alleged commission of an offence.
What are the conditions for processing sensitive personal data?
The conditions for processing sensitive personal data are listed in Schedule 3. One of these conditions must apply for the processing to be legal, in addition to one of the conditions in Schedule 2. These conditions for processing sensitive personal data are:
1. Consent
The data subject has given consent to the processing of the personal data.
2. Employment
The processing is necessary for the purposes of exercising or performing a right, or obligation, conferred or imposed by the Act on the data controller in connection with the data subject’s employment.
3. Vital interests
The processing is necessary -
(a) in order to protect the vital interests of the data subject or another person, in a case where consent cannot be given by or on behalf of the data subject, or the data controller cannot reasonably be expected to obtain the consent of the data subject; or
(b) in order to protect the vital interests of another person, in a case where consent by or on behalf of the data subject has been unreasonably withheld.
4. Non-profit associations
The processing -
(a) is carried out in the course of its legitimate activities by a body, or association, that is not established or conducted for profit, and exists for political, philosophical, religious or trade union purposes;
(b) is carried out with appropriate safeguards for the rights and freedoms of data subjects;
(c) relates only to data subjects who are members of the body or association or have regular contact with it in connection with its purposes; and
(d) does not involve disclosure of the personal data to a third party without the consent of the data subject.
5. Information made public by data subject
The information contained in the personal data has been made public as a result of steps taken by the data subject.
6. Legal proceedings, etc.
The processing -
(a) is necessary for the purpose of, or in connection with, any legal proceedings;
(b) is necessary for the purpose of obtaining legal advice; or
(c) is otherwise necessary for the purposes of establishing, exercising or defending legal rights.
7. Public functions
The processing is necessary for -
(a) the administration of justice;
(b) the exercise of any functions conferred on any person by or under an enactment; or
(c) the exercise of any functions of the Crown or any public authority.
8. Medical purposes
(1) The processing is necessary for medical purposes and is undertaken by-
(a) a health professional; or
(b) a person who, in the circumstances, owes a duty of confidentiality equivalent to that which would arise if that person were a health professional.
(2) In this paragraph, “medical purposes” includes the purposes of preventative medicine, medical diagnosis, the provision of care and treatment and the management of healthcare services.
Relevant provisions
Data Protection Act (2021 Revision)
Section 3: Definition of “sensitive personal data”
Schedule 3: Conditions for processing sensitive personal data
Further guidance
Relevant provisions in the GDPR: Article 9(2) and Recital 51
Previous Next