Data protection law covers most situations in which personal data of an individual is processed, other than in a purely personal context. The fundamental rules and principles of data protection law must be taken into account in the context of all instances where individuals’ personal data are shared in a public sector context. Data controllers are responsible for complying with data protection obligations when processing personal data.
Section 55 of the Data Protection Act 2018 relates to the processing of personal data relating to criminal convictions and offences. Personal data relating to an individual’s criminal convictions, or alleged criminal offences, is afforded special protection in data protection law. There are situations where it may be necessary for information about a person’s criminal convictions to be shared between organisations, one such situation is where it is necessary for the information to be shared to protect other people, and to deal with a specific identified risk.
Section 55(1)(b)(iv) of the Data Protection Act 2018 allows the processing of such personal data, where “necessary to prevent injury or other damage to the data subject or another person or loss in respect of, or damage to, property or otherwise to protect the vital interests of the data subject or another person”. In such a circumstance, any personal data sharing would need to be looked at on a case by case basis, and only the information needed to address the risk to other people could be shared in a confidential manner.
The HSE as a Data Controller must adhere to the principles of data protection which are set out in the General Data Protection Regulation and the Data Protection Acts 1988-2018. As such I have referred the matter to the HSE for direct reply.
