Information Commissioner's Office
Blog: Why special category personal data needs to be handled even more carefully
Blog posted by: Ian Hulme, Director for Regulatory Assurance, 14 November 2019.
Imagine if your medical records, information about your sex life or your political opinions were put into the public domain so anyone could see them.
When personal data is shared by mistake the effects can be extremely damaging.
The General Data Protection Regulation (GDPR) recognises that some types of personal data are very sensitive and states that data controllers must give it extra protection.
This is known as special category data.
Special category data is information concerning a person’s:
- sex life or their sexual orientation;
- racial or ethnic origin;
- political opinions;
- religious or philosophical beliefs; or
- membership to a trade union.
Special category data under the GDPR is broadly similar to sensitive personal data under the Data Protection Act 1998. However, special category data also relates to genetic and biometric identification data.
Special category data is the most sensitive personal data a controller can process. The misuse of this data is likely to interfere with an individual’s fundamental rights and freedoms and could cause real harm and damage.
Due to the possible risks, the ICO expects controllers to take all necessary precautions to protect this data and we have published new guidance to help you do this.
What does our new guidance say about how organisations should approach processing special category data?
Firstly, as always, you must have a GDPR lawful basis to process data under Article 6. However, when processing special category data you also need an Article 9 condition for processing and potentially an associated DPA 2018 Schedule 1 condition.
Many of the DPA 2018 conditions require you to have an appropriate policy document in place. This is a short document that should outline your compliance measures and retention policies with respect to the data you are processing.
We have a template appropriate policy document in our guidance to help organisations
There is more to do when processing special category data, but the provisions are in place to help you protect the data of those whose information you hold, and increase their confidence in you. It’s worth taking the time to get it right.
Ian Hulme is Director for Regulatory Assurance at the ICO.
Latest News from
Information Commissioner's Office
Blog: The Data Protection Fee: does your company need to pay?04/12/2019 10:10:10
Blog posted by: Paul Arnold, Deputy Chief Executive Officer/Executive Officer, 03 December 2019.
Blog: ICO and The Alan Turing Institute open consultation on first piece of AI guidance03/12/2019 09:10:00
A blog aimed at data scientists, app developers, business owners, CEOs or data protection practitioners, whose organisations are using, or thinking about using, artificial intelligence (AI) to support, or to make, decisions about individuals, by Simon McDougall, Executive Director Technology and Innovation (02 December 2019).
ICO Deputy Commissioner appointed OECD working party chair28/11/2019 09:10:00
The ICO’s Steve Wood has been appointed as chair of the OECD’s Working Party on Data Governance and Privacy.
ICO submits Age Appropriate Design Code of Practice to government22/11/2019 15:25:00
The Information Commissioner has today (Friday 22 November) submitted the final version of the Age Appropriate Design Code of Practice to the Secretary of State in accordance with the statutory deadline.
Blog: Data ethics and the digital economy19/11/2019 09:10:00
Blog posted by: Simon McDougall, Executive Director – Technology Policy and Innovation, ICO, 18 November 2019.
ICO call for views on the application for powers under the Proceeds of Crime Act11/11/2019 09:10:00
The Information Commissioner invites views on her office being granted access to investigation and other associated powers under the Proceeds of Crime Act 2002 (POCA).
Information Commissioner reminds political parties they must comply with the law ahead of General Election06/11/2019 09:10:00
The Information Commissioner has sent the following letter to the political parties in relation to the use of data in political campaigning.
Blog: Live facial recognition technology – police forces need to slow down and justify its use31/10/2019 13:10:00
Blog posted by: Elizabeth Denham, Information Commissioner, 31 October 2019.