Since the pandemic, the collection of sensitive personal data has become a necessity for businesses. We explain what special category data is and how to stay GDPR compliant.
What is sensitive personal data?
Personal data is information that relates to an identifiable individual or data subject. Sensitive personal data is that falling into special categories as defined by the GDPR.
Special category data includes gathered, inferred or guessed details about someone which fall into one of the categories below. It depends on how certain that inference is, and whether you are deliberately drawing that inference.
The GDPR defines special category data as:
- Personal data relating to racial or ethnic origin;
- Personal data relating to political opinions;
- Personal data relating to religious or philosophical beliefs;
- Personal data relating to trade union membership;
- Genetic data;
- Biometric data (where it is used for identification purposes);
- Data relating to health;
- Data about a person's sex life;
- Data about a person's sexual orientation.
Special category data is now an issue for every business
As part of any risk assessment of any workplace post-COVID you must now.
- Identify what work activity or situations might cause transmission of Coronavirus
- Think about who could be at risk
- Decide how likely it is that someone could be exposed
- Act to remove the activity or situation, or if this isn’t possible, control the risk
This means that all employers are now obliged to collect sensitive personal data that they may never have dreamed of collecting in the past.
And for those in public facing businesses, the obligation may extend even further. In all these cases, you may unknowingly be collecting, processing and storing special category data.
Consequences of special category data misuse
In France, Facebook was fined €150k by CNIL, the data protection regulator, for collecting user data without their consent or without a legal basis.
Whilst the Dutch data regulator also found evidence that Facebook had used sensitive personal data on sexual preferences to target adverts but chose not to impose any financial penalty.
Tips to stay compliant when using sensitive personal data
- Make sure you're clear about what is classed as sensitive personal data (special category data) - Broadly, as previously under the Data Protection Act, it includes any data relating to race or ethnic origin, religious or political beliefs (including trade union membership), data on health, sex life or sexual orientation. However, under GDPR, it also includes genetic and biometric data (see Article 9).
- Gather information - Find out what special category personal data is currently collected and processed by your firm. Is it legitimate and lawful?
- Be clear about the legal basis for processing - For example, whether you have explicit consent, whether it is required for the performance of specific contracts, or for other specific purposes (such as the public interest or the vital interests of an individual).
- Conduct a Data Protection or Privacy Impact Assessment - We all have a duty to do so where there is a high risk to the rights or freedoms of data subjects. Remember, individual consent may not be enough and you may also need processing to be sanctioned by the data protection authority where risks are high.
- Take extra care with health data - The definition is broad under GDPR and includes past, present or future physical or mental health, information from testing or examination of a body part or bodily substance, genetic and biological samples, information on diseases or risk, disability, medical history, clinical treatment, and so on. Be aware that different Member States may also have separate regimes.
- Check the rules on criminal convictions and offences - These are dealt with separately under GDPR (see Article 10) and this type of data is now subject to greater restrictions.
Want to know more about GDPR?
We have created a glossary of GDPR definitions to help you navigate GDPR and DPA 2018 compliance. And we also have 50+ free compliance training aids as well as regularly publishing informative GDPR blogs including a regularly updated GDPR fines tracker for 2020.
If you're looking for comprehensive compliance training, why not visit our GDPR course library.
If you've any further questions or concerns about GDPR, just leave us a comment below this blog. We are happy to help!