Special category personal data is a type of personal data that, under the UK GDPR, is afforded additional protections. Such protections grant additional rights to data subjects (individuals that the personal data belongs to), and place additional obligations on data controllers (organisations that process personal data for their purposes).
It is important, therefore, to know what special category personal data is and what rights and obligations follow when organisations process special category personal data. We explore the basics in this blog post. More information about data protection law can be found here.
Defining special category personal data
Personal data is defined in the UK GDPR as ‘any information relating to an identified or identifiable natural person.’
This includes any type of information you can think of – images of individuals, videos, voice records, credit reports, extracts of books or news reports, addresses, telephone numbers and so on. Where any of that information relates to a person, it is personal data.
Special category personal data could be contained in this information too, but to qualify as being in the special category, personal data must be information that concerns or reveals certain qualities about a data subject.
These qualities are as follows:
1. race or ethnic origin;
2. political opinions;
3. religious or philosophical beliefs;
4. trade union membership;
5. genetic data;
6. biometric data (where used for identification purposes);
7. health;
8. sex life; or
9. sexual orientation.
Examples of special category personal data
At a basic level, a doctor noting down on an electronic patient record that you have the flu will be special category personal data.
However, it is important to remember that, as with personal data, the rights and obligations attached to special category personal data apply only when the controller can identify the individual to whom the personal data relates. Government statistics detailing the number of individuals with flu in the UK, which are then downloaded and used by a pharmaceutical company, will not be special category personal data.
The words ‘concerning or revealing’ are a key point. Even if the information itself is not, for example, information about a political opinion, it may still qualify as special category personal data. This is because another person could reasonably infer that quality about the data subject from the information (or from a combination of that information and other information available to that person).
This legal position has two main consequences for data subjects and data controllers, more simply explained using an example:
You upload a picture of yourself attending a political rally to a social media website. The simple fact of you attending that rally is information about your political opinions.
What if the photo is obscure, or it just looks like you are attending a large gathering (not necessarily a political one)? The social media company, for example, could also read the caption, which makes it clear that the picture is of you at the rally. Both the picture and the caption, therefore, would be special category personal data.
Processing special category personal data
There are additional obligations on data controllers to lawfully process special category personal data.
As these obligations are on top of what data controllers must do to lawfully process personal data, it is useful to start by setting out the basics.
Lawful basis
To lawfully process personal data, a data controller must have a lawful basis to do so. There are six lawful bases:
1. Consent – where the data subject gives a data controller their consent for the data controller to process their personal data for a specific purpose or purposes.
2. Contract – a controller will have a lawful basis to process personal data if it is necessary to perform a contract the controller has with the data subject (or to take the necessary steps to enter into a contract).
3. Legal obligation – where the controller must process personal data to comply with a legal obligation (e.g. when the court asks the controller to provide information to it about a data subject), then that processing will have a lawful basis.
4. Vital interests – where the processing is necessary to protect vital interests of a data subject or another individual (e.g. to render medical treatment).
5. Public interest – this lawful basis essentially comprises the activity of government authorities or private organisations carrying out statutory functions.
6. Legitimate interests – a data controller will have a lawful basis to process personal data if it has a legitimate interest in doing so (which can include the interests of third parties), provided that the interest(s) do not outweigh the rights of the data subject.
Whether a controller is processing special category personal data, or just personal data, it will need a lawful basis to do so. There are a number of related obligations to comply with as well. For example, controllers must inform data subjects what lawful bases they rely on.
Special conditions
What the processing of special category personal data requires, in addition to a lawful basis for processing, is that the data controller must have relied on one of ten ‘special conditions’ to do so. If no special condition is available, then the controller cannot process special category personal data.
The special conditions are as follows:
1. Explicit consent – explicit consent is a higher standard of consent than the standard required for consent as a lawful basis. The consent itself must be confirmed in words (written or spoken) and relate specifically to a limited processing activity.
2. Employment, social security and social protection – this condition is typically used by employers to carry out certain checks for the purposes of employment.
3. Vital interests – very similar to the vital interests lawful basis as set out above.
4. Not-for-profit bodies – this condition would be relevant in the context of charitable activity carried out by registered charities.
5. Made public by the data subject – this condition applies to scenarios where the data subject has previously made the special category personal data freely available to the public. This would apply to a scenario where someone has posted about their health online.
6. Legal claims or judicial acts – applies where lawyers or courts process special category personal data in the context of establishing, exercising or defending legal claims.
7. Reasons of substantial public interest – there are specific public interests defined elsewhere for this condition to apply (see below).
8. Health and social care – this condition will apply where doctors or social workers are processing special category personal data for the purpose of diagnosis or other forms of care. As a result, it would not apply to personal data processed by administrative staff in a hospital.
9. Public health – this condition applies when organisations process special category personal data to improve public health (e.g. in the event of a pandemic).
10. Archiving, research or statistics – both public and private sector organisations can carry out not-for-profit research and rely on this condition to process special category personal data, provided that the research is in the public interest.
Again, it is important to note that these special conditions apply on top of the lawful basis for processing personal data as set out above – for special category personal data you need to have both.
Accordingly, some special conditions will pair well with some lawful bases (e.g. consent, vital interests) but not others. Indeed, a common misconception is that a data controller cannot rely on legitimate interests to process special category personal data. It can, but it would also need to identify a special condition to process that special category personal data. So, for example, if an organisation considers that legitimate interests and explicit consent are the applicable lawful basis and special condition, it may make more sense to rely on consent and explicit consent instead. But that is not a hard rule – organisations must decide for themselves what the most appropriate approach is.
Schedule 1 Conditions
Where an organisation utilises certain special conditions, it must meet additional conditions set out in Schedule 1 to the Data Protection Act 2018.
The special conditions to which this applies are the following:
- Employment, social security and social protection
- Substantial public interests
- Health or social care
- Public health
- Archiving, research or statistics
The Schedule 1 conditions essentially set out requirements that apply to the special conditions.
For example, the Schedule 1 condition in respect of health or social care states as follows:
‘This condition is met if the processing is necessary for health or social care purposes.
(2) In this paragraph “health or social care purposes” means the purposes of—
(a) preventive or occupational medicine,
(b) the assessment of the working capacity of an employee,
(c) medical diagnosis,
(d) the provision of health care or treatment,
(e) the provision of social care, or
(f) the management of health care systems or services or social care systems or services.’
Data controllers, therefore, in some circumstances need to refer to an extensive set of conditions and legal grounds to process special category personal data.
Considerations when processing special category personal data
The day to day considerations for special category personal data are not dramatically different under the UK GDPR. The UK GDPR applies almost evenly in respect of special category personal data and ordinary personal data.
However, because special category personal data will be more important to data subjects (and, therefore, there are more significant risks associated with the unlawful, accidental or unauthorised processing of special category personal data), the UK GDPR can modify and enhance the existing obligations on data controllers to protect personal data.
Set out below are a few examples of the aspects of the UK GDPR data controllers will want to consider when they process special category personal data:
Enhanced technical and organisational measures
The UK GDPR requires that data controllers put in place technical and organisational measures to protect personal data. These measures must be adequate in view of the type(s) of personal data being processed. If a data controller is processing special category personal data, the processing is likely to carry more risk, so the security measures should be proportionate to the level of risk involved.
This is not binary – some forms of special category personal data will inherently be less risky than others.
DPO
One of the triggers that requires data controllers (or processors) to appoint a Data Protection Officer (DPO) is where the organisation’s core activities consist of large scale processing of special category personal data.
A core activity is not limited to the organisation’s stated purpose; the question is whether processing special category personal data forms part of its activities.
DPIAs
Data controllers are required to carry out Data Protection Impact Assessments (DPIAs) if any of their processing of personal data is likely to result in a high risk to data subjects.
As above, because special category personal data is likely to carry more risk than ordinary personal data, it may be more likely that a DPIA will be required prior to the processing of special category personal data.
Enhanced rights and interests of data subjects
Data subjects have a number of rights under the UK GDPR and, especially in the context of the legitimate interests lawful basis, interests in the processing of their personal data.
In many circumstances, the UK GDPR requires data controllers to balance their interests against those of the data subjects. A data controller’s interests are less likely to override those of a data subject when data subject rights are exercised in respect of special category personal data, or where a data controller seeks to rely on the lawful basis of legitimate interests.
Conclusion
Processing special category personal data carries additional burdens and considerations under the UK GDPR. This is necessary in view of the harm that could be caused if something was to go wrong – anyone would suffer significant harm if their medical records were leaked online, for example.
At EM Law we are experts in data protection. If you need assistance with your processing of special category personal data and complying with the UK GDPR more generally, please do not hesitate to contact Neil Williamson, Colin Lambertus or EM Law directly here.