This is a modified concept. The definition of personal data is modified and simplified, and the definition of sensitive personal data is retained and extended to cover genetic data and biometric data. While remaining largely the same, there are some changes to the conditions for processing personal data and sensitive personal data.
How does it differ compared to the current position?
Definition under the Data Protection Act 1998 (DPA): data which relate to a living individual who can be identified:
(a) from those data; or
(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller;
and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.
Definition under the GDPR: any information relating to an identified or identifiable natural person.
While the definition looks to have been simplified, the effect is to make it more detailed by reference to a series of identifiers including name, online identifiers (such as an IP address) and location data.
Sensitive Personal Data
Definition under the DPA: personal data consisting of information as to:
(a) the racial or ethnic origin of the data subject;
(b) his political opinions;
(c) his religious beliefs or other beliefs of a similar nature;
(d) whether he is a member of a trade union;
(e) his physical or mental health or condition;
(f) his sexual life;
(g) the commission or alleged commission by him of any offence; or
(h) any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings.
Definition under the GDPR: data consisting of racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person's sex life or sexual orientation.
The inclusion of genetic and biometric data is new. The definition previously included information about criminal convictions – this is now treated separately and subject to even tighter controls.
Conditions for Processing
In addition to complying with all six data protection principles (please see our briefing on GDPR: Data Protection Principles), when processing personal data a data controller must also satisfy at least one processing condition. If the data controller is processing sensitive personal data, at least one sensitive personal data processing condition must also be satisfied. The processing conditions are:
Personal Data
The grounds for processing personal data under the GDPR broadly replicate those under the DPA. The processing of personal data will only be lawful if it satisfies at least one of the following conditions:
- Consent of the data subject – this is broadly the same as under the DPA, but the GDPR has a narrower view of what constitutes consent, meaning that it will become harder to obtain consent. In practice, this means that data controllers will have to fall back on other processing conditions.
- Necessary for the performance of a contract with the data subject or to take steps preparatory to such a contract – there is no change from the wording in the DPA.
- Necessary for compliance with a legal obligation – this is broadly the same as under the DPA. However, under the GDPR, the legal obligation must be an obligation of Member State or EU law to which the controller is subject. That law does not, however, need to be statutory.
- Necessary to protect the vital interests of a data subject or another person where the data subject is incapable of giving consent – this condition should only be relied upon when there is no other ground available, e.g. medical emergencies.
- Necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller – these functions must arise under Member State or EU law.
- Necessary for the purposes of legitimate interests – this condition can no longer be relied on by public authorities.
Sensitive Personal Data
The grounds for processing sensitive data under the GDPR broadly replicate those under the DPA, but have become slightly narrower. Any processing of sensitive personal data must satisfy at least one of the following conditions:
- Explicit consent of the data subject, unless reliance on consent is prohibited by EU or Member State law – there is no change from the wording in the DPA.
- Necessary for the carrying out of obligations under employment, social security or social protection law, or a collective agreement – this expands on the wording in the DPA by making reference to compliance with obligations under social security, social protection law and collective agreements.
- Necessary to protect the vital interests of a data subject who is physically or legally incapable of giving consent – this is the equivalent of the wording in the DPA.
- Processing carried out by a not-for-profit body with a political, philosophical, religious or trade union aim provided the processing relates only to members or former members (or those who have regular contact with it in connection with those purposes) and provided there is no disclosure to a third party without consent – this is the equivalent of the wording in the DPA.
- Data manifestly made public by the data subject – this is the equivalent of the wording in the DPA.
- Necessary for the establishment, exercise or defence of legal claims or where courts are acting in their judicial capacity – this is the same as under the DPA, but wording has been added regarding processing of data by courts acting in their judicial capacity.
- Necessary for reasons of substantial public interest on the basis of Union or Member State law which is proportionate to the aim pursued and which contains appropriate safeguarding measures – this means that Member States can extend the circumstances where sensitive data can be processed in the public interest.
- Necessary for the purposes of preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or management of health or social care systems and services on the basis of Union or Member State law or a contract with a health professional.
- Necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of healthcare and of medicinal products or medical devices – both of these conditions expand the position under the DPA by providing legal justification for regulatory uses of health data in healthcare and sharing health data with providers of social care.
- Necessary for archiving purposes in the public interest, or scientific and historical research purposes or statistical purposes in accordance with Article 89(1) – this is a new condition under the GDPR and provides that sensitive data can be processed for the purposes of archiving, research and statistics.
What is the impact for organisations?
Although the definitions are broader than the equivalent definitions in the current DPA, for the most part they are simply codifying current guidance and case law on the meaning of 'personal data'.
It will however become much harder to process information about criminal records.
What action is required?
- Review existing data collected and processed and identify whether your organisation collects and processes data caught by the expanded definitions under the GDPR. Be aware of what can be included under ‘identifiable natural person’ as part of the definition of Personal Data.
- Review the conditions on which your organisation processes personal data and sensitive personal data. If you rely on consent, the consent mechanisms used should be reviewed to ensure they meet the higher threshold under the GDPR.
- Identify whether your organisation's conditions for processing have an effect on individuals' rights. We will be covering individuals' rights later in this series.
- If you process substantial amounts of genetic, biometric or health data, pay attention to national developments as Member States have a right to impose further conditions on the grounds set out in the GDPR.