31

2019

Data Protection

No.

(iii) protecting the vital interests of the data
subject or another person where the data
subject is physically or legally incapable of
giving consent.

Personal data relating to health.

46. (1) Personal data relating to the health of a data
subject may only be processed—
(a) by or under the responsibility of a health care
provider; or
(b) by a person subject to the obligation of
professional secrecy under any law.
(2) The condition under subsection (1) is met if the
processing—
(a) is necessary for reasons of public interest in the
area of public health; or
(b) is carried out by another person who in the
circumstances owes a duty of confidentiality under
any law.

Further categories of sensitive personal data.

47. (1) The Data Commissioner may prescribe further
categories of personal data which may be classified as
sensitive personal data.
(2) Where categories of personal data have been
specified as sensitive personal data under subsection (1),
the Data Commissioner may specify any further grounds on
which such specified categories may be processed, having
regard—
(a) to the risk of significant harm that may be caused
to a data subject by the processing of such
category of personal data;
(b) to the expectation of confidentiality attached to
such category of personal data;
(c) to whether a significantly discernible class of data
subjects may suffer significant harm from the
processing of such category of personal data; and
(d) to the adequacy of protection afforded by ordinary
provisions applicable to personal data.
(3) The Data Commissioner may specify other
categories of personal data, which may require additional
safeguards or restrictions.
