On 14 November 2019, the Information Commissioner’s Office (ICO) published guidance (link here for organisations that process special category personal data (the Guidance). Previously, organisations tended to focus only on GDPR article 9 processing bases when processing special category personal data. Following this update from the ICO, organisations are reminded that they must have both GDPR article 6 and article 9 processing bases when they process special category personal data. Additionally, in some cases, the ICO will require organisations to: (i) prove they have carried out data protection impact assessments; and (ii) have an appropriate policy document (a template is provided by the Guidance) where they rely on GDPR article 9 to process special category personal data and meet their Data Protection Act 2018 (DPA 2018) obligations.
Special categories of personal data are set out at GDPR article 9(1) and clarified at recital 51. Special category personal data is more sensitive than ordinary personal data. As a result, GDPR affords special category personal data greater protection. Special category personal data concerns data subjects’ racial or ethnic origin, health information, trade union membership, religious beliefs, sexual history or preference, and so on. Genetic and biometric identification data is also included. There are “significant risks to the individual’s fundamental rights and freedoms” when processing such personal data. Organisations therefore need to ensure that greater care is taken when processing it.