Ok, let’s start with the basics. What is ‘special category data’?
- Personal data revealing:
  - racial or ethnic origin
  - political opinions
  - religious or philosophical beliefs
  - trade union membership.
- Data concerning:
  - a person’s sex life
  - a person’s sexual orientation.
- Genetic data.
- Biometric data (where used for identification purposes).
In short, special category data is personal data that needs more protection because it is sensitive.
And what does ‘more protection’ mean?
It means that, in addition to ensuring that the processing is generally lawful, fair and transparent, and that it complies with all the other principles and requirements of the UK GDPR, you must comply with the following requirements:
- Prior to processing any special category data, you must not only identify and document a lawful basis under Article 6 (as required for all processing of personal data), but you must also satisfy at least one of the conditions for processing special category data listed in Article 9.
- Of the 10 conditions for processing special category data in Article 9, five require you to meet additional conditions and safeguards set out in Schedule 1 of the Data Protection Act 2018 (“Schedule 1 conditions”). For some Schedule 1 conditions you also need to put in place an ‘appropriate policy document’. The ICO has provided an appropriate policy document template.
- In practice, you may need to use the explicit consent condition for the special category data processing (Article 9(2)(a)). If so, then bear in mind that the individual’s consent must be:
  - freely given
  - specific, i.e. it must specify the nature of the special category data, and be separate from any other consents
  - affirmative, i.e. opt-in
  - capable of being withdrawn at any time.
- Article 35 requires you to do a Data Protection Impact Assessment (DPIA) for any type of processing that “is likely to result in a high risk to the rights and freedoms of natural persons”. This is more likely to be the case when processing special category data.
- Article 30 requires controllers to maintain a record of processing activities. The exemption from this obligation for organisations employing fewer than 250 persons (Article 30(5)) does not apply where the processing includes special categories of data.
- Update your privacy notice with specific information about your processing of special category data.