The Information Commissioner’s Office (ICO) has published new guidance on how and why special category data needs to be handled more carefully.
Some types of personal data are extremely sensitive, and therefore data controllers must take extra measures to ensure their protection. This is known as special category data and it relates to data that:
- reveals racial or ethnic origin;
- reveals political opinions;
- reveals religious or philosophical beliefs;
- reveals trade union membership;
- genetic data;
- biometric data (where used for identification purposes);
- data concerning an individual’s health;
- data concerning a person’s sex life; or
- their sexual orientation.
Leaks of this type of personal data can be extremely damaging and dangerous. Just imagine if your medical records, information about your sex life or your political opinions were put into the public domain so anyone could see them.
This has led the ICO to publish new guidance to support organisations in ensuring they stay GDPR compliant and protect the data they control.
What does the new guidance say about how organisations should approach processing special category data?
Firstly, as always, you must have a GDPR lawful basis to process data under Article 6. However, when processing special category data you also need an Article 9 condition for the processing and potentially an associated DPA 2018 Schedule 1 condition. Many of the DPA 2018 conditions require you to have an appropriate policy document in place. This is a short document that should outline your compliance measures and retention policies with respect to the data you are processing.
There is more to do when processing special category data, but the provisions are in place to help you protect the data of those whose information you hold, and increase your customers’ confidence in you.
Data protection obligations got you in a muddle? Get on top of them quickly and easily with the CyberSmart Privacy Toolbox.