At a glance
The conditions for sensitive processing in Schedule 8 of the Act are:
- necessary for judicial and statutory purposes – for reasons of substantial public interest;
- necessary for the administration of justice;
- necessary to protect the vital interests of the data subject or another individual;
- necessary for the safeguarding of children and of individuals at risk;
- personal data already in the public domain (manifestly made public);
- necessary for legal claims;
- necessary for when a court acts in its judicial capacity;
- necessary for the purpose of preventing fraud; and
- necessary for archiving, research or statistical purposes.
Again, you must be able to demonstrate that the processing is strictly necessary and satisfy one of the conditions in Schedule 8 or is based on consent. Strictly necessary in this context means that the processing has to relate to a pressing social need, and you cannot reasonably achieve it through less intrusive means.
- What are the conditions?
- What is an appropriate policy document?
- What are judicial and statutory purposes/administration of justice?
- When is processing appropriate for individual’s vital interests?
- What about personal data already in the public domain?
- When does processing relate to safeguarding of children and of individuals at risk?
- What about legal claims and judicial acts?
- When can data be processed for preventing fraud?
- What about archiving?
When undertaking ‘sensitive processing’, in order to comply with the first principle, you must either have consent for processing or be able to satisfy one of the conditions in Schedule 8. Consent should not always be a default condition as it may not be appropriate in the circumstances. You will also need an appropriate policy document in place.
An appropriate policy document must explain:
(a) your procedures for ensuring compliance with the law enforcement data protection principles; and
(b) your policies on the retention and erasure of this data.
Our template appropriate policy document shows the kind of information this should contain.
The sensitive processing must be necessary for the administration of justice, or the exercise of a function conferred ‘on a person’ by enactment. This covers a constable and other competent authorities.
In addition, in order to satisfy this condition, you must be able to demonstrate that the processing is necessary for reasons of substantial public interest.
This condition only applies in cases of life or death, such as if you disclose an individual’s medical history to a hospital’s A&E department who are treating them after a serious road accident. Data protection law should not be a barrier to processing data in these circumstances.
This condition is met in cases where consent is not appropriate because the individual is under 18 or at risk, but the processing is necessary for reasons of substantial public interest, and is to protect them from harm or to protect their well-being.
This condition applies if the data subject has deliberately made the information public.
This condition is met if the processing is necessary for the establishment, exercise or defence of a legal claim or whenever a court is acting in its judicial capacity.
You should use this condition if the processing is necessary for the purposes of preventing fraud. If it involves sharing data with organisations that do not fall within the definition of a competent authority, the processing needs to comply with the applied GDPR elements in the DP Act, and you need to have a lawful basis for sharing the data.
You can use this condition if processing is necessary for archiving in the public interest; for scientific or historical research purposes, or for statistical purposes. However, you cannot use it if it will result in decisions being made that effect a particular individual, or is likely to cause substantial damage or substantial distress to an individual.