Under the GDPR, ‘personal data’ means “any information relating to an identified or identifiable natural person”. But there’s another type of personal data, called ‘special category’ data (sometimes called ‘sensitive’ personal data), in relation to which extra care must be taken.
Definition under the GDPR
Personal data is ‘special category’ if it relates to:
- racial or ethnic origin
- political beliefs
- religious or philosophical beliefs
- trade union membership
- genetic or biometric data
- physical or mental health
- sex life or sexual orientation
What does the GDPR definition really mean?
Special category data is broadly similar to the previously titled ‘sensitive’ personal data under the old Data Protection Act 1998 but now includes genetic and biometric data and excludes criminal conviction data (which is now a category in its own right).
Lawful grounds for processing special category data
As well as applying additional safeguards, you will also need to identify additional grounds for the processing of special category data. You will need to identify a lawful basis under Article 6 AND under Article 9. The two do not need to be linked, but often are. Article 9 grounds include:
- The data subject has given their explicit consent;
- The processing is carried out in the course of its legitimate activities by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim;
- The processing relates to personal data which has been manifestly made public by the data subject;
- The processing is necessary:
  - for the purposes of carrying out the obligations and exercising specific rights of either controller or data subject in the field of employment, social security or social protection law in so far as it is authorised by member state law;
  - to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;
  - for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;
  - for reasons of substantial public interest;
  - for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services;
  - for reasons of public interest in the area of public health;
  - for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.
All my employees have the right to join a trade union – does that mean this applies to me?
Yes. The fact that you record your employees’ trade union membership in a filing system (e.g. personnel files, or a database) means that you will be processing special category personal data. In relation to that information, you will need to ensure that you are applying adequate safeguards and that you have a valid Article 6 and Article 9 ground for the processing.
To ensure we comply with diversity requirements, I ask all my employees to indicate their ethnic status on job application forms – do I need to do anything with that?
Yes, racial or ethnic origin is considered to be special category personal data so you will need to apply additional safeguards to that data.
Can I deliberately try not to collect any special category personal data from my employees?
If your business can properly function without you holding any special category data, then yes, that would be one way to avoid having to comply with those additional requirements. However, many businesses would find it hard to properly look after their employees without recording at least one of those categories of special category data (e.g. allergies or known medical issues).
So if an employee tells me that she’s allergic to penicillin, and I note that in her personnel file, that’s special category data?
Yes, as it relates to physical health.
But surely if my employee agrees that I can retain this information, that’s ok?
Yes, provided you have explained to the employee why you will retain the information, and the employee has given explicit consent, then you need do nothing more to satisfy the requirements of the GDPR.
This briefing does not amount to legal advice and is provided for information purposes only. It should not be regarded as a substitute for taking up-to-date legal advice.