On 14 November 2019, the Information Commissioner’s Office (ICO) published guidance (link here) for organisations that process special category personal data (the Guidance). Previously, organisations tended to focus only on a GDPR article 9 condition when processing special category personal data. The Guidance reminds organisations that they must have both a GDPR article 6 lawful basis and a GDPR article 9 condition whenever they process special category personal data. In addition, depending on the condition relied on, organisations may need to: (i) show that they have carried out a data protection impact assessment; and (ii) have an appropriate policy document in place (a template is provided with the Guidance) in order to rely on certain article 9 conditions and to meet their obligations under the Data Protection Act 2018 (DPA 2018).
Special categories of personal data are listed in GDPR article 9(1) and explained further in recital 51. Special category personal data is more sensitive than ordinary personal data and therefore attracts greater protection under GDPR. It covers data revealing a data subject’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life or sexual orientation, and similar matters. Genetic data and biometric data used to uniquely identify a person are also included. Processing such data carries “significant risks to the individual’s fundamental rights and freedoms”, so organisations need to take greater care when handling it.
Highlights from the Guidance
- The Guidance clarifies what constitutes genetic and biometric data and explains the less clear-cut definitions of health data and criminal offence data. The ICO also emphasises that special category personal data is not limited to data that explicitly states the relevant detail. Organisations should consider scenarios in which it is possible “to infer or guess details about someone” from the data they hold. Where such an inference can be drawn with a reasonable degree of certainty, the data is likely to be special category personal data.
- For any processing to be lawful, organisations must identify a GDPR article 6 lawful basis. Special category personal data can additionally only be processed where one of the conditions in GDPR article 9(2) applies, together with any associated DPA 2018 Schedule 1 condition where the article 9 condition requires one. Stricter rules also apply to solely automated decisions (including profiling) based on special category personal data: these are only permitted with the data subject’s explicit consent or under a substantial public interest condition. If organisations are unsure which condition applies, the ICO recommends considering explicit consent as a starting point before turning to the other article 9 conditions.
- A data protection impact assessment (DPIA) is likely to be required for processing of special category personal data that: (i) takes place on a large scale; (ii) is used to determine access to products, services, opportunities or benefits; or (iii) involves genetic or biometric data. When in doubt, the ICO recommends carrying out a DPIA.
- An “appropriate policy document” must be in place where an organisation relies on most of the DPA 2018 Schedule 1 conditions that underpin the article 9 conditions (for example, the employment, social security and social protection condition and the substantial public interest conditions). This is a short document that identifies the Schedule 1 condition(s) relied on to process special category personal data, explains the organisation’s procedures for complying with each of the data protection principles, and sets out its retention periods and deletion policies for that data. The ICO has provided a template (link here). The appropriate policy document must be kept under review and retained until six months after the relevant processing stops, and organisations must be prepared to provide it to the ICO on request.
The most significant clarification in the Guidance is that organisations processing special category personal data need a basis under both GDPR article 6 and GDPR article 9. The article 9 conditions do not replace the article 6 lawful bases; they are an additional layer of protection that applies on top of them. In practice, this may mean that your company has to identify its article 6 lawful bases for processing special categories of personal data and set them out in its privacy information. You may also need to complete an appropriate policy document justifying your reliance on particular article 9 conditions and their associated Schedule 1 conditions. The ICO has clarified both points in the Guidance and will expect all organisations to comply with them.