Special category data encompasses certain types of more sensitive personal data and gives this greater protection under the UK General Data Protection Regulation (the UK GDPR).
As defined by Article 9 of the UK GDPR, special category data is personal data which reveals:
What does not constitute special category data?
How can an organisation lawfully process special category data?
Article 9 of the UK GDPR includes a general prohibition on the processing of special category data. However, there are 10 exemptions to this prohibition known as “conditions for processing special category data”, such as where an individual has given explicit consent, where there is a substantial public interest, or where the processing is necessary for the defence of legal claims. These conditions are in addition to the “usual” processing conditions required to be met under Article 6. There may also be further conditions imposed under the Data Protection Act 2018, depending on the Article 9 condition that is being used.
Even if the relevant processing conditions apply, before an organisation processes special category data, it should undertake careful analysis and ensure that appropriate safeguards are in place, including where appropriate:
- Undertaking a data protection impact assessment - this is required for any type of processing which is likely to be “high risk”,
- Ensuring the appropriate level of security is in place,
- Ensuring only the minimum required quantities of data are used, and
- Considering if the special category data is going to be used for solely automated decision-making about a person - as this has further controls.
For more information or advice on data protection compliance, please contact Beverley Flynn or another member of the commercial and technology team.