Information watchdog updates guidance for data controllers on protecting ‘special category data’
The ICO has issued updated guidance on special category data, to which data controllers must give extra protection under the GDPR.
Special category data is information concerning a person’s:
- health;
- sex life or their sexual orientation;
- racial or ethnic origin;
- political opinions;
- religious or philosophical beliefs; or
- membership to a trade union.
The updated guidance can be viewed here.
Writing on the ICO blog, Ian Hulme, the watchdog’s Director for Regulatory Assurance, said: “Imagine if your medical records, information about your sex life or your political opinions were put into the public domain so anyone could see them.
“When personal data is shared by mistake the effects can be extremely damaging.”
Hulme added: “Special category data under the GDPR is broadly similar to sensitive personal data under the Data Protection Act 1998. However, special category data also relates to genetic and biometric identification data.
“Special category data is the most sensitive personal data a controller can process. The misuse of this data is likely to interfere with an individual’s fundamental rights and freedoms and could cause real harm and damage.”
Hulme outlined what the ICO’s new guidance says about how organisations should approach processing special category data. “Firstly, as always, you must have a GDPR lawful basis to process data under Article 6. However, when processing special category data you also need an Article 9 condition for processing and potentially an associated DPA 2018 Schedule 1 condition.”
He added: “Many of the DPA 2018 conditions require you to have an appropriate policy document in place. This is a short document that should outline your compliance measures and retention policies with respect to the data you are processing.”
The ICO has a template appropriate policy document in its guidance to help organisations
“There is more to do when processing special category data, but the provisions are in place to help you protect the data of those whose information you hold, and increase their confidence in you. It’s worth taking the time to get it right,” Hulme said.