Information Commissioner's Office
Blog: Why special category personal data needs to be handled even more carefully
Blog posted by: Ian Hulme, Director for Regulatory Assurance, 14 November 2019.
Imagine if your medical records, information about your sex life or your political opinions were put into the public domain so anyone could see them.
When personal data is shared by mistake the effects can be extremely damaging.
The General Data Protection Regulation (GDPR) recognises that some types of personal data are very sensitive and states that data controllers must give it extra protection.
This is known as special category data.
Special category data is information concerning a person’s:
- sex life or their sexual orientation;
- racial or ethnic origin;
- political opinions;
- religious or philosophical beliefs; or
- membership of a trade union.
Special category data under the GDPR is broadly similar to sensitive personal data under the Data Protection Act 1998. However, special category data also covers genetic data and biometric data used for identification.
Special category data is the most sensitive personal data a controller can process. The misuse of this data is likely to interfere with an individual’s fundamental rights and freedoms and could cause real harm and damage.
Due to the possible risks, the ICO expects controllers to take all necessary precautions to protect this data and we have published new guidance to help you do this.
What does our new guidance say about how organisations should approach processing special category data?
Firstly, as always, you must have a GDPR lawful basis to process data under Article 6. However, when processing special category data you also need an Article 9 condition for processing and potentially an associated DPA 2018 Schedule 1 condition.
Many of the DPA 2018 conditions require you to have an appropriate policy document in place. This is a short document that should outline your compliance measures and retention policies with respect to the data you are processing.
We have a template appropriate policy document in our guidance to help organisations.
There is more to do when processing special category data, but the provisions are in place to help you protect the data of those whose information you hold, and increase their confidence in you. It’s worth taking the time to get it right.
Ian Hulme is Director for Regulatory Assurance at the ICO.