What is special category data?
Under the UK GDPR, certain types of personal data are considered more sensitive and are granted additional protection. This is often referred to as special category data and includes the following types of personal information:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Genetic data
- Biometric data
- Health data
- Sex life and sexual orientation
This data merits extra protection because its misuse could create significant risks to individuals’ fundamental rights and freedoms.
What should we do if we intend to process this data?
The first step, if you intend to process special category data, is to confirm whether you need to conduct a DPIA for your planned activities. DPIAs are mandatory for any type of processing that is likely to be high risk, which means a DPIA is more likely to be needed when handling special category data. This does not mean one will always be essential; it will depend on the necessity, nature and scale of the processing and your purpose for using this data.
After the DPIA, if you still intend to process special category data, you must determine a lawful basis for processing that data under Article 6 of the UK GDPR and then meet one of the exceptions in Article 9 (which lists the situations in which you can rely on to process special category data).
Whilst we won’t go through all the exceptions in this article, some examples of where an organisation would be able to process special category data are: where explicit consent has been obtained from the individual; where it is necessary for the purposes of preventative or occupational medicine, to assess the working capacity of an employee, or to provide a medical diagnosis or other health care or treatment; or where it is necessary for the purposes of carrying out the obligations and exercising the rights of the controller or of the data subject in employment, social security and social protection law.
What if we suffer a data breach of this data?
You must record all data breaches internally, including what caused the breach, what happened, the data affected, the effects of the breach, and any action taken along with the rationale for it. In certain circumstances you are also required to report the breach to the ICO: this applies only if the breach is likely to result in a risk to the rights and freedoms of individuals, which can be physical, material or non-material. As special category data is considered higher risk, a breach involving data of this nature is more likely to reach the bar for reporting.