New guidance about “special category data”
The ICO publishes new guidance which is essential reading for organisations handling “special category data”.
In November 2019, the Information Commissioner’s Office (ICO) published new guidance on “special category data”, in response to Article 9(1) of the General Data Protection Regulation ((EU) 2016/679) (GDPR) which identifies some types of personal data as likely to be more sensitive and affords them extra protection.
The purpose of the ICO’s guidance is to provide examples of special category data and how this should be processed in accordance with the GDPR. The guidance is split into four sections:
- What is special category data?
- What are the rules on special category data?
- What are the conditions for processing?
- What are the substantial public interest conditions?
By briefly analysing each section in turn, this article aims to deliver a short guide to navigate the due processing of special category data:
1. Special category data covers the kind of private and sensitive information that identifies attributes intrinsic to the fundamental rights and freedoms of each individual. This includes, for example, personal data revealing racial or ethnic origin or political opinions, personal data revealing religious or philosophical beliefs or trade union membership, genetic data, biometric data (where used for identification purposes), data concerning health, data concerning a person’s sex life and data concerning a person’s sexual orientation.
2. Article 9(1) of the GDPR generally prohibits the processing of special category data. Article 9(2) then lists ten exceptions to the rule: (a) explicit consent, (b) employment, social security and social protection (if authorised by law), (c) vital interests, (d) not-for-profit bodies, (e) made public by the data subject, (f) legal claims or judicial acts, (g) reasons of substantial public interest (with a basis in law), (h) health or social care (with a basis in law), (i) public health (with a basis in law), and (j) archiving, research and statistics (with a basis in law).
If you are relying on an exception which requires a basis in law, you must also meet one of the additional conditions set out in Schedule 1 of the Data Protection Act 2018 (DPA).
3. The exceptions set out in Article 9(2) of the GDPR should be relied on with care. We set out below some of the points mentioned within the ICO’s guidance to help when treading these tricky waters:
- “Explicit consent” must be confirmed in a clear statement (whether oral or written), rather than by any other type of affirmative action. It must specify the nature of the special category data and should be separate from any other consents you are seeking. Consent must be freely given, specific, affirmative (opt-in) and unambiguous, and it must be possible to withdraw it at any time. You should be particularly careful if you ask for consent as a condition of your services, or if you are in a position of power over the individual, for example if you are a public authority or their employer.
- “Employment, social security and social protection law” requires legal authorisation as set out in condition 1 in Schedule 1 of the DPA. The condition is met if the processing is “necessary”, meaning that it must be a reasonable and proportionate way of achieving one of the purposes set out within the condition, in this case compliance with employment law, or social security and social protection law, and you must not have more data than you need. An appropriate policy document (APD) is also required for this condition to be met. The ICO has produced a template APD for organisations to use.
- “Vital interests” are intended to cover only interests that are essential for someone’s life. This condition is very narrow, and generally only applies to matters of life and death so it is likely to be most relevant for emergency medical care.
- “Not-for-profit bodies” applies to some specified activities of not-for-profit bodies, which must still be able to demonstrate how they meet the specific requirements of the condition and consider data minimisation obligations.
- “Made public by the data subject” permits the processing of special category data if this relates to personal data that the individual themselves has made public. In order to rely on this exception, you need to be confident that it was the individual themselves who actively chose to make their special category data public and that this was unmistakably a deliberate act on their part.
- “Legal claims and judicial acts” can be relied on where the processing is for the purposes of establishing, exercising or defending legal claims, or by courts when they are acting in their judicial capacity. In order to rely on the legal claims exception, you must be able to justify why processing of the specific data is necessary (see paragraph 3(b) above) to establish, exercise or defend the legal claim.
- “Substantial public interest” for the purposes of UK law can be relied on if one of the 23 specific substantial public interest conditions set out in Schedule 1 of the DPA is met. You must also have an APD (see paragraph 3(b) above) in place for almost all of these conditions.
- “Health or social care” in the context of UK law can be relied on if condition 2 of Schedule 1 of the DPA is met. This condition is fulfilled if the processing is demonstrated to be necessary for the purposes detailed within the condition, for example providing health or social care or assessing an employee’s working capacity. This condition can only be relied on if the personal data is being processed by (or under the responsibility of) a professional who is subject to an obligation of professional secrecy.
- “Public health” in the context of UK law can be relied on if condition 3 of Schedule 1 of the DPA is met. To rely on this condition, you must also be able to demonstrate that the processing is necessary for reasons of public interest in the area of public health. In addition, the processing must be carried out either by, or under the responsibility of, a health professional or by someone else who in the circumstances owes a legal duty of confidentiality.
- “Archiving, research and statistics” in the context of UK law can be relied on if condition 4 of Schedule 1 of the DPA is met. This condition requires you to demonstrate that the processing is necessary for archiving, research or statistical purposes, to comply with the safeguards and restrictions set out in Article 89(1) of the GDPR and section 19 of the DPA, and to demonstrate that the processing is in the public interest. Not all research is covered by this condition: you need to demonstrate that your research is either scientific or historical in nature.
4. The substantial public interest conditions referred to in point 3(g) above are set out in paragraphs 6 to 28 of Schedule 1 of the DPA. These conditions allow you to process special category data for a variety of specific purposes. If you are clear on your purpose for processing, it should be relatively straightforward to identify the most relevant condition. You then need to consider the detail of that condition carefully and ensure you can demonstrate that it applies. The conditions are narrowly drawn and generally require you to meet a number of specific criteria. In most cases, you must also have an APD in place.
In a world where the right to privacy appears to be a hot commodity, the GDPR attempts to protect what makes you, you. While the legislation undoubtedly brings benefits for individuals, the added compliance can prove to be burdensome, especially for those processing large amounts of special category data.
If you have any questions about handling special category data or would like help preparing an appropriate policy document (APD), please contact Francesca Lombardi.