The United Kingdom data protection regulator, the Information Commissioner's Office ("ICO"), has published its guidance on the lawful basis for processing special category data ("sensitive data") in compliance with the General Data Protection Regulation ("GDPR").
Under the GDPR, certain types of personal data are defined as sensitive or special category data: racial or ethnic origin; political opinions; religious or philosophical beliefs; trade union membership; genetic data; biometric data; health data; and data concerning sex life or sexual orientation. Because the use of such data could create significant risks to the individual's fundamental rights and freedoms, controllers and processors must treat it with greater care.
According to the guidance, not all information related to the above-mentioned types of data constitutes special category data. The first question to ask is whether the data is personal data at all, i.e. whether it can be used to identify a natural person. For example, an anonymized or aggregated partial genetic sequence might not be considered personal data, and hence would not be considered special category data.
The ICO emphasizes that personal data relating to criminal allegations, criminal proceedings or convictions is not considered special category data under the GDPR. However, similar rules and safeguards apply to protect personal data relating to a person's criminal history.
As the guidance explains, special category data may also include information from which such data can be inferred or guessed, provided the inference can be made with a reasonable degree of certainty. For example, names or images can sometimes be used to infer an individual's religion or ethnicity; when used to indicate ethnicity or religion, such data may be considered special category data. However, mere "educated guesses" or possible inferences are not special category data, even if the guess turns out to be correct.
Article 9 of the GDPR prohibits the processing of special category data, subject to ten exceptions, including, but not limited to, explicit consent, substantial public interest, public health, processing by not-for-profit bodies and processing to protect the vital interests of the data subject. Some of the conditions for processing special category data require a justification as to why explicit consent cannot be obtained. The conditions are narrowly drawn and often require detailed criteria to be met. If the purpose of the processing is not covered by any of the conditions, the special category data cannot be processed. The only potential exemption from the conditions set out in Article 9 is the public interest exemption for journalism, academia or literature.
It is worth mentioning that the conditions detailed in Article 9 do not replace the usual rules on having a lawful basis for processing; rather, they operate as an additional layer of conditions. The processing of special category data still requires the controller to identify a lawful basis for processing in accordance with Article 6 of the GDPR. The choice of lawful basis under Article 6 does not dictate which condition must be used under Article 9. For example, a controller can rely on legitimate interests as the lawful basis for processing, whilst relying on the vital interests condition for the processing of special category data.
Due to the relatively high risk associated with the processing of special category data, controllers and processors of such data may be required to conduct a Data Protection Impact Assessment ("DPIA"). Conducting a DPIA will be required, in particular, where processing is carried out on a large scale, where it involves genetic or biometric data, and where it is used to determine access to a product or service.