In this edition of ‘Everything you need to know about’ we will be looking at Special Category Data: What it is? How is it separate from standard personal data?, and How can you manage it in a secure and legal manner?
What is Special Category Data?
Special category data is a subset of personal data defined in the GDPR. This data is typically of a far more sensitive nature than standard personal data and has often historically been used to persecute individuals. If special category data is compromised, it has the potential for greater financial, physical, emotional, or reputational harm.
The GDPR has identified the following categories of information as being special category data:
- Personal data revealing racial or ethnic origin;
- Personal data revealing political opinions;
- Personal data revealing religious or philosophical beliefs;
- Personal data revealing trade union membership;
- Genetic data;
- Biometric data (where used for identification purposes);
- Data concerning health;
Data concerning a person’s sex life; and
- Data concerning a person’s sexual orientation.
If you are processing any of these categories of information, you are processing Special Category Data.
Note: Children’s Data and Criminal Records are not classified as special category data under the GDPR. The GDPR gives extra protection to personal data relating to criminal convictions and offences, and children’s data.
How can I process this data lawfully?
Because the use of this data could create significant risks to the rights and freedoms of the data subjects involved, the GDPR states special requirements must be met before this data can be processed. Article 9 of the UK GDPR states that, alongside one of the 6 lawful bases, you must identify one of 10 conditions before you can process special category data.
The 10 conditions are as follows:
- Explicit Consent – The data subject has given their explicit consent to your processing of this data.
- Employment, Social Security and social protection – Processing is required for either of the three stated reasons. This has to be authorized by Union or Member state law or by collective agreement.
- Vital Interests – This generally only applies to matters where the processing is necessary to preserve life.
- Not-for-profit bodies – Processing carried out in the course of a not-for-profit’s legitimate activities and that body has the appropriate safeguards in place. This ONLY can be used for bodies with a political, philosophical, religious or trade-union aim and relates ONLY to the processing of its members/former members/close connections and that the personal data is not disclosed outside that body.
- Manifestly made public – Relates to personal data which has been manifestly been made public by the data subject. This covers information which the individual themselves has made public, such as political or religious beliefs. It does NOT cover information which they have not made public, such as any lost in a data breach.
- Legal claims or judicial acts – Processing is needed for the establishment, exercise, or defense of legal claims and/or where a court is acting in its judicial capacity.
- Substantial public interest – This condition requires further clarification. You must also meet a relevant basis in UK law and one of 23 specific public interests conditions. For further information see Schedule 1 of the UK DPA 2018.
- Health or Social Care – Processing is required for the provision of health care or treatment, or social care. For a full list of professions included in this, see section 204 of the DPA 2018.
- Public Health – Processing necessary for reasons of public interest in the area of public health. This processing can only be undertaken by a health professional or by someone else who in the circumstances owes a legal duty of confidentiality.
- Archiving, research and statistics – Processing necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.
Should I be worried about processing special category data?
If done correctly, processing special category data should be as easy as standard processing activities. You must always be clear around the necessity of this processing and ensure that the security and protection is your primary concern. Because of the increased risk associated with this information you will have to ensure that you employ the appropriate safeguards for these processing activities, such as greater access controls or encrypted transfers.
The best practice approach to managing this risk is to undertake a Data Protection Impact Assessment (DPIA). This internal risk assessment will identify potential risks and provide the opportunity to assign remedial actions to rectify these.