On 14 November 2019, the Information Commissioner’s Office (ICO) published guidance for organisations that process special category personal data (the Guidance). Previously, organisations tended to focus only on GDPR article 9 processing bases when processing special category personal data. Following this update from the ICO, organisations are reminded that they must have both a GDPR article 6 and an article 9 processing basis when they process special category personal data. Additionally, in some cases, the ICO will require organisations to: (i) prove they have carried out data protection impact assessments; and (ii) have an appropriate policy document (a template is provided in the Guidance) where they rely on GDPR article 9 to process special category personal data and meet their Data Protection Act 2018 (DPA 2018) obligations.

Background

Special categories of personal data are set out at GDPR article 9(1) and clarified at recital 51. Special category personal data is more sensitive than ordinary personal data. As a result, GDPR affords special category personal data greater protection. Special category personal data concerns data subjects’ racial or ethnic origin, health information, trade union membership, religious beliefs, sexual history or preference, and so on. Genetic and biometric identification data is also included. There are “significant risks to the individual’s fundamental rights and freedoms” when processing such personal data. Organisations therefore need to ensure that greater care is taken when processing it.

The UK’s Information Commissioner (ICO) has published draft GDPR guidance on contracts and liabilities between controllers and processors. The draft guidance is currently open for consultation, with responses due by 10 October 2017.

The purpose of the guidance is to help organisations understand what needs to be included in written contracts between controllers and processors under the General Data Protection Regulation (GDPR). It also looks at the responsibilities and liabilities of controllers and processors.

Written contracts

Under the GDPR, a written contract must be in place when a controller uses a processor to process personal data. This is not a new concept, as data processing agreements are already used to satisfy the security requirements under the Data Protection Directive (95/46/EC). The GDPR, however, is wider in scope and now sets out specific terms that must be included in such contracts; for example, the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data to be processed, the categories of data subjects, and the obligations and rights of the controller. See Article 28.3 of the GDPR and page 12 of the draft guidance for further details.

The GDPR also allows for the use of standard contractual clauses issued by the European Commission or supervisory authority (such as the ICO), and approved codes of conduct or certification schemes which processors can sign up to; however, these are not available yet.