We recently discussed what is considered personal data under the GDPR (General Data Protection Regulation). However, we didn’t cover sensitive personal data.
Before we get into what that entails, let’s recap the GDPR’s definition of personal data:
‘[P]ersonal data’ means any information relating to an identified or identifiable natural person (‘data subject’).
In other words, any information relating to a person who is identified, or who could be identified from it, directly or indirectly. The test is identifiability, not whether the information is obviously "about" someone: a name clearly qualifies, but so does an ID number, location data, an online identifier or a combination of attributes such as physical appearance and workplace that together point to one person.
Sensitive personal data is the set of “special categories” listed in Article 9, which must be given extra protection. These categories are:
- Racial or ethnic origin;
- Political opinions;
- Religious or philosophical beliefs;
- Trade union membership;
- Genetic data;
- Biometric data (where processed to uniquely identify someone);
- Data concerning health; and
- Data concerning a person’s sex life or sexual orientation.
Discover more about the GDPR in our free green paper, EU General Data Protection Regulation – A Compliance Guide
Sensitive personal data should be held separately from other personal data and under tighter access control: for paper records, a locked drawer or filing cabinet; for electronic records, a separate store, table or share that only the staff who need it can reach, with that access logged.
As with personal data generally, it should only be kept on laptops or portable devices if the file has been encrypted and/or pseudonymised. Article 32 names both as appropriate technical measures, but on a device that can be lost or stolen, encryption is the control that matters: pseudonymisation removes the names but leaves the rest of each record readable to whoever ends up holding the device.
Pseudonymisation replaces the fields that directly identify a person (name, email address, ID number) with artificial identifiers, while the “additional information” needed to re-link them (a mapping table or a key) is kept separately under technical and organisational controls (Article 4(5)). It is central to the Regulation’s approach, being mentioned 15 times in the GDPR, and it reduces the harm of a breach and lets analysts work on data without seeing who it concerns. But it has limits: everything other than the direct identifiers stays readable to anyone with access, the same person receives the same pseudonym across records, and combinations of the remaining attributes (postcode and date of birth, say) can still single someone out. That is why the GDPR also mentions encryption.
Encryption, by contrast, transforms the data so that none of it can be read without the decryption key. Whereas a pseudonymised data set can still be used, minus the direct identifiers, by anyone who has access to it, an encrypted data set is unreadable to anyone who does not hold the key, and fully readable to those who do. Pseudonymisation enables safer use of data; encryption prevents disclosure of it.
Pseudonymisation and encryption can be used simultaneously or separately.
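The following is an added example of the pseudonymisation described above, not code from the original article or from IT Governance. It uses only the Python standard library: a keyed HMAC-SHA256 token replaces the direct identifiers, the key and mapping table are returned separately so they can be stored apart from the data set, and a final check shows the limit mentioned above, namely that a subject whose remaining quasi-identifiers are unique can still be singled out without the key. The records, field names and key handling are constructed for illustration; encryption is not shown because the standard library carries no AES implementation.

```python
import hashlib
import hmac
import secrets

# Constructed sample records (not real people). Each has direct identifiers,
# quasi-identifiers and a special-category (health) field.
SAMPLE_RECORDS = [
    {"name": "Alice Example", "email": "alice@example.test",
     "postcode": "AB1 2CD", "dob": "1980-03-04", "condition": "asthma"},
    {"name": "Bob Example", "email": "bob@example.test",
     "postcode": "EF3 4GH", "dob": "1975-11-30", "condition": "diabetes"},
    {"name": "Alice Example", "email": "alice@example.test",
     "postcode": "AB1 2CD", "dob": "1980-03-04", "condition": "hypertension"},
    {"name": "Carol Example", "email": "carol@example.test",
     "postcode": "EF3 4GH", "dob": "1975-11-30", "condition": "migraine"},
]

DIRECT_IDENTIFIERS = ("name", "email")   # replaced by the pseudonym
QUASI_IDENTIFIERS = ("postcode", "dob")  # left readable; see singled_out()


def new_key() -> bytes:
    """Random HMAC key. With the mapping table, this is the 'additional
    information' of Art. 4(5) and must be stored apart from the data set."""
    return secrets.token_bytes(32)


def subject_token(key: bytes, record: dict) -> str:
    """Keyed, deterministic pseudonym for the person behind a record.

    HMAC rather than a bare hash: names and e-mail addresses have little
    entropy, so an unkeyed SHA-256 could be reversed by hashing a list of
    candidates. Without the key, the token alone reveals nothing."""
    ident = "|".join(record[f].strip().lower() for f in DIRECT_IDENTIFIERS)
    return hmac.new(key, ident.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def pseudonymise(records, key):
    """Return (pseudonymised records, mapping table).

    Every non-identifying field stays readable, which is what makes the
    records usable for analysis. The mapping table is what re-identifies
    them and belongs in a separate, more tightly controlled store."""
    pseudo, mapping = [], {}
    for rec in records:
        token = subject_token(key, rec)
        mapping[token] = {f: rec[f] for f in DIRECT_IDENTIFIERS}
        pseudo.append({"subject": token,
                       **{k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}})
    return pseudo, mapping


def reidentify(pseudo_record, mapping):
    """Re-link one pseudonymised record to its data subject via the mapping table."""
    return {**mapping[pseudo_record["subject"]],
            **{k: v for k, v in pseudo_record.items() if k != "subject"}}


def singled_out(pseudo_records):
    """Limit of pseudonymisation: a subject whose quasi-identifier combination
    belongs to no other subject can be singled out by anyone who can read the
    data set, without the key or the mapping table. Returns those tokens."""
    subjects_by_combo = {}
    for rec in pseudo_records:
        combo = tuple(rec[f] for f in QUASI_IDENTIFIERS)
        subjects_by_combo.setdefault(combo, set()).add(rec["subject"])
    return sorted(next(iter(s)) for s in subjects_by_combo.values() if len(s) == 1)


if __name__ == "__main__":
    key = new_key()
    pseudo, mapping = pseudonymise(SAMPLE_RECORDS, key)
    for rec in pseudo:
        print(rec)
    print("singled out by postcode+dob alone:", singled_out(pseudo))
    print("re-identified with mapping table:", reidentify(pseudo[1], mapping))
```

Running it shows Alice’s two records sharing one token (so they can be analysed together) while her name and e-mail appear only in the mapping table; Bob and Carol share a postcode and date of birth and so are not singled out, but Alice is, key or no key. That last line is the practical argument for Article 32’s pairing of pseudonymisation with encryption and access control rather than treating it as anonymisation.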
The rules of processing sensitive personal data
As you might expect, there are extra rules when processing sensitive personal data. Not only must you identify and document a lawful basis for processing under Article 6 of the GDPR, you must also meet, and document, one of the separate conditions in Article 9(2); the Article 6 basis alone is not enough.
Article 6 states that organisations must invoke one of the following lawful bases:
- A contract with the individual: for example, to supply goods or services they have requested, or to fulfil an obligation under an employee contract.
- Compliance with a legal obligation: when processing data for a particular purpose is a legal requirement.
- Vital interests: for example, when processing data will protect someone’s physical integrity or life (either the data subject’s or someone else’s).
- A public task: for example, to complete official functions or tasks in the public interest. This will typically cover public authorities such as government departments, schools and other educational institutions; hospitals; and the police.
- Legitimate interests: when a private-sector organisation has a genuine and legitimate reason (including commercial benefit) to process personal data without consent, provided it is not outweighed by negative effects to the individual’s rights and freedoms.
- Consent: when the data subject agrees to the processing when presented with a clear explanation of the personal data that will be collected and what it will be used for.
Article 9 prohibits processing sensitive personal data unless one of the conditions in Article 9(2) applies. In summary, the organisation:
- Has gained the data subject’s explicit consent, a more rigorous form of consent in which the organisation is specific about the sensitive data involved and how it will be used (Union or Member State law can rule this out for some purposes).
- Requires the information to carry out obligations and exercise specific rights, of the controller or of the data subject, in the field of employment and social security and social protection law, where this is authorised by law or a collective agreement.
- Requires the information to protect the vital interests of the data subject or another person, and the data subject is physically or legally incapable of giving consent (a narrower condition than the Article 6 vital-interests basis).
- Is a foundation, association or other not-for-profit body with a political, philosophical, religious or trade union aim, processing data about its members, former members or regular contacts in the course of its legitimate activities and not disclosing it outside the body without consent. (The general “legitimate interests” basis of Article 6 is not an Article 9 condition.)
- Is using information that has manifestly been made public by the data subject.
- Requires the information to establish, exercise or defend legal claims, or is a court acting in its judicial capacity.
- Requires the processing for reasons of substantial public interest, on the basis of Union or Member State law (a higher bar than the Article 6 “public task” basis).
- Is using the information for the purposes of preventive or occupational medicine, assessing an employee’s working capacity, medical diagnosis, or the provision or management of health or social care, on the basis of law or a contract with a health professional bound by professional secrecy.
- Requires the information for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of healthcare, on the basis of law.
- Requires the information for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, on the basis of law and subject to the safeguards in Article 89.
Should I use consent?
A common misconception about the GDPR is that all organisations need to seek consent to process personal data. As the lists above show, consent is only one option, and the strict rules on how you obtain, record and maintain it (and the data subject’s right to withdraw it at any time) often make it the least preferable option.
There are also legal complications when you rely on consent. For example, say you needed someone’s personal data to fulfil a contract, but you chose consent as your lawful basis instead of the contract provision.
If the individual withdraws consent, you must stop the processing that relied on it and, where no other lawful basis applies, erase the data (Article 17(1)(b)); you cannot simply substitute another basis after the fact. Yet you cannot complete your contractual obligations without their information, which leaves you in an impossible position.
Nuances like this are common throughout the GDPR, and any organisation that hasn’t taken the time to study its compliance requirements thoroughly is liable to be tripped up. This could lead to lasting damage, from enforcement action and regulatory fines to bad press and loss of customers.
Want to know more about the GDPR?
You can avoid the pitfalls of non-compliance by reading EU GDPR – A Pocket Guide. Written by Alan Calder, IT Governance’s founder and executive chairman, this book will help you gain a clear understanding of the GDPR, explaining:
- The terms and definitions used in the Regulation;
- The most important compliance requirements; and
- How organisations can comply with the GDPR.