GDPR: Processing Special Categories of Data
The GDPR made significant changes to the way in which data protection obligations are dealt with. It also increased the obligations where an organisation handles sensitive information (now called Special Categories of Data, “SCD”).
Sensitive data includes the following categories:
- ethnic origin
- trade union membership
- biometrics (where used for ID purposes)
- sex life
- sexual orientation
The GDPR now treats criminal convictions and offences as a separate data category.
Processing Special Categories of Data
The GDPR sets out the principle that SCD are more sensitive and, as a consequence, require additional protection when being processed.
Organisations processing SCD must not only comply with the general conditions for processing (as we discussed in a previous article), but must also be able to demonstrate at least one of the processing conditions for SCD. Failure to do so can lead to significant penalties.
The main processing conditions for SCD are these:
- Explicit consent by the data subject (BEWARE: as consent can be withdrawn, organisations should avoid relying on consent alone and, wherever possible, process the information under another legitimate basis);
- Necessary for the carrying out of obligations under employment, social security or social protection law, or a collective agreement;
- Necessary to protect the vital interests of a data subject who is physically or legally incapable of giving consent;
- Processing carried out by a not-for-profit body with a political, philosophical, religious or trade union aim provided the processing relates only to members or former members (or those who have regular contact with it in connection with those purposes) and provided there is no disclosure to a third party without consent;
- Data manifestly made public by the data subject.
Other processing conditions are:
- Necessary for the establishment, exercise or defence of legal claims or where courts are acting in their judicial capacity;
- Necessary for reasons of substantial public interest;
- Necessary for the purposes of preventative or occupational medicine;
- Necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of healthcare and of medicinal products or medical devices;
- Necessary for archiving purposes in the public interest, or for scientific and historical research purposes or statistical purposes in accordance with Article 89(1).
If your organisation is processing SCD, you must ensure that your policies, privacy notices, contracts etc. inform people of the nature of any processing that your organisation carries out, including the lawful bases that your organisation is relying upon. It is also wise to maintain a record of the processing activities should the ICO investigate any complaint.
Processing of Criminal Offence Data
Criminal offence data includes the type of data about criminal allegations, proceedings or convictions that would have been sensitive personal data under the 1998 Data Protection Act. The GDPR has extended this class of data to include personal data which is linked to related security measures.
Separate safeguards apply to the processing of personal data relating to criminal convictions and offences; in particular, a comprehensive register of criminal convictions may only be kept under the control of official authority. If your organisation needs to process this type of data, you must still demonstrate that you have a lawful basis for the processing.
As a consequence, it will become much harder for organisations to process information about criminal records.
Getting it wrong
The Information Commissioner’s Office (ICO) takes the issue of safeguarding SCD seriously and can impose penalties at the higher rate of up to €20m, or 4% of annual worldwide turnover.
This means that, if your organisation needs to handle SCD or criminal offence data, compliance is of high importance.
- Review your existing data collection and processing activities. You need to identify whether your organisation collects and processes data caught by the SCD under GDPR.
- Review the conditions on which your organisation processes the SCD and indeed whether it should even collect and process it.
- Ensure your privacy notices and policies are up to date and that you maintain a documented record regarding the processing of data.
- Try not to rely on consent alone, but if you do, review your consent procedures to ensure they meet the tighter obligations under the GDPR.