On 14 November, the Information Commissioner’s Office published guidance on how special category data should be managed under the EU General Data Protection Regulation (GDPR).
As we have moved into the digital age, legislators and society in general have viewed data protection as a matter of increasing importance. The GDPR was a key step in the direction of requiring that personal information be protected. These regulations require organisations that collect or process such information to put in place practices that ensure they only use it in a manner that is compatible with the rights of individuals.
The GDPR recognises that, even within the protected area of personal data, certain types of data are particularly sensitive. This type of information is now referred to as “special category data”, and those holding it are required to take extra precautions when handling it. Special category data includes information relating to an individual’s health, sexual orientation, ethnicity, religious or philosophical beliefs and trade union membership. It also includes biometric and genetic data.
The new ICO guidance provides controllers with advice on how to manage special category data properly. The guidance reiterates that controllers must have a legal basis for processing data (article 6 of the GDPR). It goes on to make clear that, in circumstances where a controller is processing special category data, they must only do so if they have a justification (under article 9). Examples of justification would be if the individual had explicitly consented to the data being processed or if processing is necessary for the establishment, exercise or defence of legal claims.
The guidance also states that in such circumstances a controller may additionally be required to satisfy one of the conditions for processing the data set out in Schedule 1 of the Data Protection Act 2018 (e.g. that the processing is necessary for reasons of public interest in the area of public health).
A number of these Schedule 1 conditions require organisations to have a policy document that sets out the organisation’s compliance measures and retention policies in respect of the data they are processing. Helpfully, the ICO has provided, alongside the guidance, a template policy document to assist organisations in satisfying this requirement.
Given the potential damage that could be caused as a result of failing to handle special category data properly, it is vital that organisations follow the ICO’s guidance. The guidance and template policy document can be accessed here.