Special category data: getting the processing right

ICO provides further detailed guidance for data protection officers on special categories of personal data

The Information Commissioner’s Office last month published new detailed guidance on processing special category data. So, if you need a “deeper” understanding of the conditions for processing special category data – then, this guide is for you. But as a starter for 10, it would be worth reading the ‘in brief’ page on special category data in the Guide to Data Protection. It sets out the need to know points and practical checklists to help you comply with your duties.

The guidance is clearly set out and covers the following:

• What is special category data? This section looks at the special categories of personal data from health data to genetic, biometric and sexual orientation, for example – and explains, why this data is special.
• What are the rules on special category data? Processing of special category data is prohibited unless you fulfil one of the 10 exceptions to this general prohibition.
• What are the conditions for processing special category data? All 10 exceptions are discussed with supporting examples.
• What are the substantial public interest conditions? The guidance looks at all 23 conditions and reminds DPOs that you should identify which of the conditions appears to most closely reflect your purpose.

For DPOs working in health and care organisations, the section on the conditions for processing special category data and specifically, health data will be of interest. DPOs are reminded of the relevant basis for processing is set out in the Data Protection Act 2018, Schedule 1, condition 2.

Condition 2 covers the following purposes:

• preventive or occupational medicine;
• the assessment of an employee’s working capacity;
• medical diagnosis;
• the provision of social care (this is likely to include social work, personal care and social support services); or
• the management of health care systems or services or social care systems or services.

There is another reminder too: that you must be able to justify why processing of this specific data is ‘necessary’ – “it must be reasonable and proportionate way of achieving one of the purposes – you must not have more data than you need” says the guidance.

So, do be clear why you need the special category data before you identify the relevant condition. Remember: you could obtain explicit consent for your processing. If this doesn’t work then, look at the five processing conditions.

But what about vital interests.

Can you rely on vital interest as your lawful basis ? Yes – in short, if you need to process the personal data to protect someone’s life but the processing must be necessary; if you can “reasonably protect the person’s vital interests in another less intrusive way, this basis will not apply”. The ICO says that you “cannot rely on vital interests for health data or other special category data if the individual is capable of giving consent, even if they refuse their consent.” If you do decide to rely on this basis, you will need to document the circumstances where it will be relevant and ensure you can justify your reasoning. Here's a link to the section on the ICO's website. 

Do get in touch if you require support or training – we have a friendly and expert team ready to help.