On 14 November, the Information Commissioner’s Office published guidance on how special category data should be managed under the EU General Data Protection Regulation (GDPR).
As we have moved into the digital age, legislators and society in general have viewed data protection as a matter of increasing importance. The GDPR was a key step towards requiring that personal information be protected. It requires organisations that collect or process such information to put in place practices that ensure they use it only in a manner that is compatible with the rights of individuals.
GDPR recognises that, even within the delicate area of personal data, certain types of such data are particularly sensitive. This type of information is now referred to as “special category data” and those holding it are required to take extra precautions when handling it. Special category data includes information relating to an individual’s health, sexual orientation, ethnicity, religious or philosophical beliefs and trade union membership. It also includes biometric and genetic data.
The new ICO guidance provides controllers with advice on how to manage special category data properly. The guidance reiterates that controllers must have a legal basis for processing data (article 6 of the GDPR). It goes on to make clear that, in circumstances where a controller is processing special category data, they must only do so if they have a justification (under article 9). Examples of justification would be if the individual had explicitly consented to the data being processed or if processing is necessary for the establishment, exercise or defence of legal claims.
The guidance also states that in such circumstances a controller may be required to satisfy one of the conditions for processing the data set out in Schedule 1 to the Data Protection Act 2018 (e.g. that processing is necessary for reasons of public interest in the area of public health).
A number of these Schedule 1 conditions require organisations to have a policy document that sets out the organisation’s compliance measures and retention policies in respect of the data they are processing. Helpfully, the ICO guidance has provided a template policy document to assist organisations in satisfying this requirement.
Given the potential damage that could be caused as a result of failing to handle special category data properly, it is vital that organisations follow the ICO’s guidance. The guidance and template policy document are available from the ICO.