The GDPR designates certain categories of personal data as “special” because misuse is more likely to result in discrimination (for example, information about a person’s health, religion, ethnicity or sexual orientation). For the first time, the ICO has issued detailed guidance on special category personal data (“SCPD”). There are important points for controllers to note.
Broad interpretation of SCPD
The ICO’s interpretation of what constitutes SCPD can be broad. In certain circumstances, inferences and educated guesses can amount to SCPD. For example, an organisation profiling an individual’s pharmaceutical purchases for targeted advertising purposes may be taken to process SCPD if an individual has purchased the same product on repeat occasions (i.e. because a reasonable inference can be made that they have a particular health condition).
This is not limitless: there needs to be some degree of certainty. For example, just because somebody works for a Christian organisation, it does not automatically follow that they are Christian.
What constitutes genetic data?
Certain sectors – in particular pharmaceutical, medical and tech – were concerned about the potential breadth of the genetic data category. One could argue that someone’s appearance itself amounts to genetic data, given that it stems from a unique DNA pattern. The ICO has placed a sensible limit on the definition: genetic data only constitutes SCPD when you analyse some form of genetic sample to produce information, and that resulting information can be linked back to an identifiable individual (such as blood test results).
Non-SCPD can still be sensitive
Information which does not constitute SCPD can still be “sensitive” in the traditional sense of the word either due to its inherent nature or the circumstances of use, such as financial information, information about family members or privately expressed opinions. The ICO expects you to handle it with enhanced caution (for example, separate and encrypted storage).
You cannot process SCPD unless you can satisfy one of the 10 conditions in Article 9 GDPR , some of which only work in combination with a condition in Schedule 1 of the Data Protection Act 2018 (“DPA”). The ICO has provided useful guidance for some common conditions:
–Explicit consent: consent requests must not only satisfy the GDPR requirements for consent , but must also (i) be confirmed by a written or oral statement (affirmative conduct is insufficient), (ii) specify the type of SCPD you want to use and why and (iii) must be separate from other consent requests.
–Manifestly made public by individual: the individual in question must have taken deliberate action to make the SCPD public (i.e. not just assented to it being made public, or if it is generally available to the public already). Think in particular about social media posts: has somebody made content containing SCPD (for example a political opinion) knowing it can be viewed by the general public, or intending it for family and friends but default audience settings make it public? A closed audience does not qualify.
–Legal claims: not only can this condition be used where you process SCPD to establish, exercise or defend legal claims (including prospective proceedings), but also where necessary to obtain legal advice.
Narrow interpretation of “necessity”
In most instances, you can only rely on a condition where your use of SCPD is necessary to achieve the purpose set out in the condition. For use to be necessary, it does not have to be absolutely essential, but if you can achieve the same purposes by less intrusive means (i.e. by processing less, or no, SCPD), then use is not necessary. Using SCPD merely because it is useful, habitual or convenient is not enough.
Appropriate policy document
-each category of SCPD you use;
-for each category, the reason why use is necessary;
-for each category, the relevant condition under Article 9 GDPR (and, where applicable, Schedule 1 DPA) you rely on;
-an explanation why you consider that condition can be relied on;
-an explanation why you cannot rely on explicit consent (if this is not the relevant condition);
organisational training and compliance assessments; data privacy governance structure; impact assessments and internal audits and relevant technical and organisational security measures); and
-your retention policy for SCPD (this can be done via a link to your overall retention policy, provided it contains sufficient details about SCPD).