New guidance published on processing special category data under GDPR
The Information Commissioner’s Office (ICO) has published new guidance for data controllers on processing special category data under the General Data Protection Regulation (GDPR).
Writing about the guidance in a blog post, Ian Hulme, Director for Regulatory Assurance at the ICO, advises that the GDPR recognises that some types of personal data are very sensitive and that data controllers must give this data extra protection. This is known as special category data.
Special category data concerns a person’s:
- sex life or sexual orientation;
- racial or ethnic origin;
- political opinions;
- religious or philosophical beliefs; or
- membership of a trade union.
Article 9 of the GDPR prohibits the processing of special category data. However, there are 10 exceptions to this general prohibition, usually referred to as ‘conditions for processing special category data’. These are:
- Explicit consent;
- Employment, social security and social protection (if authorised by law);
- Vital interests;
- Not-for-profit bodies;
- Made public by the data subject;
- Legal claims or judicial acts;
- Reasons of substantial public interest (with a basis in law);
- Health or social care (with a basis in law);
- Public health (with a basis in law); and
- Archiving, research and statistics (with a basis in law).
“Special category data is the most sensitive personal data a controller can process. The misuse of this data is likely to interfere with an individual’s fundamental rights and freedoms and could cause real harm and damage.
“Imagine if your medical records, information about your sex life or your political opinions were put into the public domain so anyone could see them. When personal data is shared by mistake the effects can be extremely damaging.”
Because of the possible risks, data controllers must take all necessary precautions to protect this data, and the guidance is designed to help them do so.