- DPO's Blog
- Key issues
How should businesses process special category data?
- 3 minutes
- By eleanor blackwood
What is special category data?
In short, ‘special category data’ is any personal data that’s classed as ‘sensitive’.
It’s considered to be sensitive, because if used to identify a person, it can impact their fundamental rights and freedoms.
Under GDPR, ‘special category data’ is any data that reveals or relates to a person’s:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic data
- Biometric data (such as voice recognition or Face ID)
- Sex life
- Sexual Orientation
Why is special category data important to process properly?
Special category data is very important because as we mentioned, it has the potential to seriously threaten a person's rights and freedoms. For example, their right to respect for private and family life.
This is why you, as a business, need to take extra care when processing special category, or ‘sensitive’, data. Plus, you could potentially face more serious legal consequences if it’s breached or processed unlawfully than if it were non-sensitive personal data.
What further measures does it need for processing?
Firstly, you need to be clear about why you need to process (collect, use and store) special category data. So you need to identify a legal basis under Article 6 GDPR.
The legal bases under Article 6:
- Legal obligation
- Vital interests
- Public task
- Legitimate interests
You then need to identify a separate condition under Article 9 (five of these conditions are in GDPR, and the other five are added by DPA 2018). Some legal bases, such as ‘legitimate interests’, don’t align with any condition, and you need both. So you shouldn’t, for example, use sensitive data for advertising purposes
The separate conditions under Article 9:
- Explicit consent (consent to data processing for a specified purpose)
- Employment, social security and social protection
- Vital interests
- Not-for-profit bodies
- Made public by the data subject
- Legal claims or judicial acts
- Reasons of substantial public interest
- Health or social care
- Public health
- Archiving, research and statistics
It’s generally advised that you don’t rely on consent as a legal basis for processing sensitive data. This is because consent can be withdrawn at any time. If you can’t find another legal basis, consent needs to be: freely given, specific, informed and unambiguous, and properly separable in an agreement to any other issue.
You may need to fill in an ‘appropriate policy document’, and give details such as why exactly you processed this data and the security measures you have in place to protect it.
You should consider whether you need to fill in a data protection impact assessment (DPIA) for any processing that's considered to be high risk.
This does apply to all personal data, but please do be particularly careful with special category data that you:
1) ensure your obligations of data minimisation, security and transparency are met, and
2) keep up-to-date records of your processing activities.
If there’s a data breach, or you're SAR’d, you need to prove that you processed data lawfully.
For more details on how to process personal data lawfully, see our GDPR article.
Finally, whenever special category data is used, especially when it’s used without the consent of the individual, it’s particularly important to weigh up the benefit of processing vs the individual's rights and freedoms. This is called proportionality and necessity.
As a common example:
If a doctor is aware of John’s mental health issues and is concerned about John’s child, she would have a ‘vital interests’ basis to share this information. But, she would have to weigh up the risk of sharing John’s health data with the seriousness of her concern for the child. She would also have to make sure that if she was to share John’s health issues with another party, it would be strictly information that's relevant and necessary to help the child. She must take a proportionate and necessary risk.
Remember that because processing special category data risks a person’s rights and freedoms, you should only do so if it’s for the benefit of the person or for society as a whole. You must show this by identifying a legal basis in Article 6, and a condition in Article 9. If you do or will process special category data, make sure you should take extra steps to protect it, including investing in your data protection systems, and document the whole process well.
As a business, we know that the prospect of handling data can be worrying. Particularly with sensitive, special category data, it’s incredibly important to get right.
But, following the above advice should hopefully help!
As ever, if you have any further questions, we’re here to help. Just get in touch or see our companies page, below.
How major data breach class actions are changing everything
- DPO's Blog
Lloyd vs. Google case set a new precedent: that the loss of control of your data, which holds economic value, is enough to be awarded compensation.
- 7 minutes
GDPR: Everything you need to know
- DPO's Blog
- Data basics
GDPR stands for General Data Protection Regulation. It’s an EU (European Union) law, but it affects businesses worldwide to different extents.
- 5 minutes