Special category data
Special category data is personal data that needs more protection because it is sensitive.In order to lawfully process special category data, you must identify both a lawful basis under Article 6 of the UK GDPR and a separate condition for processing under Article 9. These do not have to be linked.You need to complete a data protection impact assessment (DPIA) for any type of processing which is likely to be high risk. You must therefore be aware of the risks of processing the special category data.
What is special category data?
The UK GDPR defines special category data as:
- personal data revealing racial or ethnic origin;
- personal data revealing political opinions;
- personal data revealing religious or philosophical beliefs;
- personal data revealing trade union membership;
- genetic data;
- biometric data (where used for identification purposes);
- data concerning health;
- data concerning a person’s sex life; and
- data concerning a person’s sexual orientation.
This does not include personal data about criminal allegations, proceedings or convictions, as separate rules apply. For further information, please see our separate guidance on criminal offence data.
Special category data includes personal data revealing or concerning the above types of data. Therefore, if you have inferred or guessed details about someone which fall into one of the above categories, this data may count as special category data. It depends on how certain that inference is, and whether you are deliberately drawing that inference.
What are the rules for special category data?
You must always ensure that your processing is generally lawful, fair and transparent and complies with all the other principles and requirements of the UK GDPR. To ensure that your processing is lawful, you need to identify an Article 6 basis for processing.
In addition, you can only process special category data if you can meet one of the specific conditions in Article 9 of the UK GDPR. You need to consider the purposes of your processing and identify which of these conditions are relevant.
Five of the conditions for processing are provided solely in Article 9 of the UK GDPR. The other five require authorisation or a basis in UK law, which means you need to meet additional conditions set out in the DPA 2018.
You must also identify whether you need an ‘appropriate policy document’ under the DPA 2018. Our template appropriate policy document shows the kind of information this should contain.
You must do a DPIA for any type of processing that is likely to be high risk. This means that you are more likely to need to do a DPIA for processing special category data. For further information, please see our guidance on DPIAs.
If you process special category data you must keep records, including documenting the categories of data. You may also need to consider how the risks associated with special category data affect your other obligations – in particular, obligations around data minimisation, security, transparency, DPOs and rights related to automated decision-making.
What are the conditions for processing special category data?
Article 9 lists the conditions for processing special category data:
(a) Explicit consent
(b) Employment, social security and social protection (if authorised by law)
(c) Vital interests
(d) Not-for-profit bodies
(e) Made public by the data subject
(f) Legal claims or judicial acts
(g) Reasons of substantial public interest (with a basis in law)
(h) Health or social care (with a basis in law)
(i) Public health (with a basis in law)
(j) Archiving, research and statistics (with a basis in law)
Hope you find this useful. If you need an EU Rep, have any GDPR questions, or have received a SAR or Regulator request and need help then please contact us anytime. We are always happy to help...
Zlatko, Adam, Hristina, Marin.
As your Article 27 Representative we will always help if you receive a SAR, RTE, or other data prot
We have said this previously but we are still seeing a huge number of Subject Access Requests [
Summary: The Right to Be Forgotten is one of the fundamental rights defined in GDPR. Also