Failure to share information with a nursing home about a resident’s criminal convictions

The Data Protection Commission (DPC) is aware of media coverage where concerns regarding General Data Protection Regulation (GDPR) compliance have been raised with regard to a failure to share information with a nursing home about a resident’s criminal convictions, and the risk that they presented to other residents.

Information about a person’s criminal convictions, or alleged criminal offences, is afforded special protection in data protection law and must be processed carefully, as any inappropriate processing of this type of information can result in significant negative outcomes for the person concerned.

However, there are specific situations where it will be necessary for information about a person’s criminal convictions to be processed, and shared between organisations.

One such situation is where it is necessary for the information to be shared to protect other people, and to deal with a specific identified risk. This is facilitated in data protection law under Section 55(1)(b)(iv) of the Data Protection Act 2018, which makes lawful the processing of such data, where, “necessary to prevent injury or other damage to the data subject or another person or loss in respect of, or damage to, property or otherwise to protect the vital interests of the data subject or another person”.

Where it has been determined that it is strictly necessary in order to protect other people, the consent of the person concerned is not required to share information about their criminal convictions.

In this situation it will be necessary for the organisations to ensure that only the information that they specifically need to address the risk to other people is shared, and that the information is handled in a sensitive and confidential manner by all parties.

The DPC will continue to engage with stakeholders to provide guidance on the processing of personal data in this sensitive context.