
Latest updates - last published 18 December 2023

18 December 2023 - We have amended the example given in the section on the vital interests condition for processing based on feedback received from stakeholders to help clarify when this condition is likely applicable.

26 October 2023 - It was identified that care provided by staff may not constitute medical treatment but may involve regular care, such as bathing and other support, which would not be a medical treatment but could still require staff to be aware of the resident’s medical information. The reference in the care home example was therefore changed from medical treatment to personal care, as this broader term covers both medical treatment and regular care.

18 August 2023 - We have added a case study about the processing of residents’ special category data by staff within care homes. This is to support the understanding of when processing under Article 9(2)(h), Health or social care, can be appropriate.

In detail

(a) Explicit consent

Article 9(2)(a) permits you to process special category data if:

“the data subject has given explicit consent to the processing of those personal data for one or more specified purposes”.

‘Explicit consent’ is not defined in the UK GDPR, but must meet the usual UK GDPR standard for consent. In particular, it must be freely given, specific, affirmative (opt-in) and unambiguous, and able to be withdrawn at any time. In practice, the extra requirements for consent to be ‘explicit’ are likely to be:

  • explicit consent must be confirmed in a clear statement (whether oral or written), rather than by any other type of affirmative action;
  • it must specify the nature of the special category data; and
  • it should be separate from any other consents you are seeking.

Explicit consent is the only condition that can apply to a wide range of circumstances, and in some cases may be your only option. If so, you need to make sure that you offer people genuine choice over whether and how you use their data.

You need to be particularly careful if you ask for consent as a condition of your services, or if you are in a position of power over the individual, for example, if you are a public authority or their employer.

If you need to process special category data to provide a service to the individual, explicit consent may be available as your condition for processing that data even if it is a condition of service. However, you must be confident that you can demonstrate consent is still freely given. In particular, you must be confident that the processing is objectively necessary to perform the contractual service, and not just included in your terms for broader business purposes.

Example

A gym introduces a facial recognition system to allow members access to the facilities. It requires all members to agree to facial recognition as a condition of entry – there is no other way to access the gym. This is not valid consent as the members are not being given a real choice – if they do not consent, they cannot access the gym. Although facial recognition might have some security and convenience benefits, it is not objectively necessary in order to provide access to gym facilities, so consent is not freely given.

However, if the gym provides an alternative, such as a choice between access via facial recognition and access via a membership card, consent could be considered freely given. The gym could rely on explicit consent for processing the biometric facial scans of the members who indicate that they prefer that option.

We have produced separate detailed guidance on how to obtain, record and manage valid consent, including explicit consent.

Further reading – ICO guidance

Consent

(b) Employment, social security and social protection law

Article 9(2)(b) permits you to process special category data if:

“processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Domestic Law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject”.

The relevant legal authorisation is set out in the DPA 2018, in Schedule 1 condition 1. This condition also requires you to have an appropriate policy document in place.

This condition is particularly relevant for employers, for example where you are:

  • checking if individuals are entitled to work in the UK;
  • ensuring health, safety and welfare of employees;
  • maintaining records of statutory sick pay and maternity pay; or
  • deducting trade union subscriptions from payroll.

It also applies to public authorities involved in providing social services and benefits. Social security and social protection covers benefits, social support or other interventions designed to assist individuals with:

  • sickness;
  • maternity and paternity;
  • invalidity or disability;
  • old-age;
  • death and survivorship;
  • accidents at work or occupational diseases;
  • unemployment;
  • housing;
  • family life and children; or
  • other forms of social exclusion.

Your purpose must be to comply with employment law, or social security and social protection law. You need to be able to identify the legal obligation or right in question, either by reference to the specific legal provision or else by pointing to an appropriate source of advice or guidance that sets it out clearly. For example, you can refer to a government website or to industry guidance that explains generally applicable employment obligations or rights.

If you are providing social care, or managing social care services, you may find that the condition for health or social care is more appropriate.

This condition does not cover processing to meet purely contractual employment rights or obligations.

You must be able to justify why processing of this specific data is ‘necessary’ - it must be a reasonable and proportionate way of meeting specific rights or obligations, and you must not have more data than you need.

Example

A coach company wants to undertake random drug and alcohol testing of its drivers. As an employer, it has a health and safety obligation to ensure that its drivers are not under the influence of alcohol or drugs while working. It relies on the employment, social security and social protection condition for this processing.

If the company widens the test to include those staff that don’t have a safety-critical role, it will not be able to justify that the processing of these individuals’ data is necessary.

(c) Vital interests

Article 9(2)(c) permits you to process special category data if:

“processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent”.

You don’t need a DPA Schedule 1 condition or an appropriate policy document to rely on vital interests.

Recital 46 provides some further guidance:

“The processing of personal data should also be regarded as lawful where it is necessary to protect an interest which is essential for the life of the data subject or that of another natural person…”

Vital interests are intended to cover only interests that are essential for someone’s life. So this condition is very limited in its scope, and generally only applies to matters of life and death.

This condition only applies if the individual is physically or legally incapable of giving consent. This means you should ask for explicit consent if possible. If a data subject refuses consent, you cannot rely on vital interests as a fallback condition, unless they are not legally competent to make that decision.

This condition is likely to be most relevant where there is an urgent need to use a person’s personal data for medical care, but they are unconscious or otherwise incapable of giving consent.

Example

A member of staff has experienced an accident at work, sustained serious injuries and is unconscious. Their employer has called for an ambulance. However, they also know that their employee is allergic to certain medications. The employer cannot obtain their employee’s consent to provide details of their allergies to the ambulance crew, and so relies on the vital interests condition for the processing.

Further reading – ICO guidance

Lawful basis - vital interests

(d) Not-for-profit bodies

Article 9(2)(d) permits you to process special category data if:

“processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects”.

You don’t need a DPA Schedule 1 condition or an appropriate policy document to rely on this condition.

This condition is one of the few that is not purpose-based. Instead, it applies to some specified activities of not-for-profit bodies. Because it is not purpose-based, there is no necessity test. However, this does not mean it is a blanket condition for all processing by not-for-profit bodies. You must still demonstrate how you meet the specific requirements of the condition, and you must still consider your data minimisation obligations.

You can only rely on this condition if you:

  • are a not-for-profit body, for example charities, clubs, political parties, churches, trade unions and other associations if they have a political, philosophical, or religious aim;
  • are processing special category data as part of your legitimate activities. This is fairly broad, and covers most of what you do, as long as it does not stray outside the purposes and powers set out in your constitution or governing documents, and is not unlawful or unethical in any way;
  • are only processing the data of members, former members, or other individuals in regular contact with you ‘in connection with your purposes’, eg partners, supporters or beneficiaries. This condition does not therefore apply to processing employee data, or to prospective members or other individuals who have not had any prior contact with your organisation;
  • have appropriate safeguards in place, for example restricting access to the data, applying shorter retention periods, or providing individuals with an opt-out; and
  • do not disclose this data to a third party without the individual’s consent. You must get explicit consent for any disclosures. If you need to disclose the data to a third party without consent, you need to rely on a different condition for the disclosure.

Example

A church processes personal data of its members and supporters in order to run church activities and provide pastoral care. The church can rely on the not-for-profit condition to process the data which reveals their religious belief.

The church publishes an annual report which is available to third parties. The church must seek explicit consent before naming any of its members in the annual report.

You may find it useful to conduct a legitimate interests assessment (LIA) to assess appropriate safeguards and document your reliance on this basis. There is no requirement to do so, but it can help you demonstrate your compliance in line with the accountability principle. More information on how to conduct an LIA is set out in our legitimate interests guidance.

(e) Made public by the data subject

Article 9(2)(e) permits you to process special category data if:

“processing relates to personal data which are manifestly made public by the data subject”.

You don’t need a DPA Schedule 1 condition or an appropriate policy document to rely on this condition.

This condition does not cover all special category data in the public domain. It only covers personal data that the individual themselves has made public.

The term ‘manifestly made public’ is not defined by the UK GDPR. But it clearly assumes a deliberate act by the individual. It’s not enough that it’s already in the public domain – it must be the person concerned who took the steps that made it public.

Example

A security breach means that information about an individual’s health condition is publicly available from an organisation’s website. Clearly, making their special category data public was not a deliberate act on the part of the individual. Therefore this condition would not apply to any processing of health data obtained from the website.

Example

The political affiliations of a member of parliament are technically special category data (these are ‘political beliefs’). However, these are clearly a matter of public knowledge and the individual has actively chosen to make these public by standing for election as a member of parliament.

You need to be confident that it was the individual themselves who actively chose to make their special category data public and that this was unmistakably a deliberate act on their part. There is a difference between assenting to or being aware of publication, and an individual actively making information available, for example by blogging about their health condition or political views. You might also find it hard to show that someone has manifestly made information public if, for example, they made a social media post for family and friends but default audience settings made this public. You should therefore be very cautious about using this condition to justify your use of special category data obtained from social media posts.

To be manifestly made public, the data must also be realistically accessible to a member of the general public. The question is not whether it is theoretically in the public domain (eg in a publication in a specialist library, or mentioned in court), but whether it is actually publicly available in practice. Disclosures to a limited audience are not necessarily ‘manifestly public’ for these purposes. In particular, information is not necessarily public just because you have access to it. The question is whether any hypothetical interested member of the public could access this information.

You cannot use this condition to justify publication of previously unpublished data. It only applies to information which is already public.

So to use this condition, you should consider some specific questions:

  • Is the special category data already in the public domain – can a member of the public realistically access it in practice?
  • Who made the data public – was it the individual themselves or was it someone else? In what context was it made public – for example was it due to them giving an interview, standing for public office, or writing a book, blog or social media post?
  • Did the individual deliberately take the steps which made this special category data public, or was it accidental or unintentional? Did they make a clear decision? Is the individual likely to have understood that their action means that their special category data is in the public domain?

For accountability purposes, you should keep a record of the source of the data, to help you demonstrate it was manifestly made public by the individual.

It is important to remember that once you start processing this data, you become the controller for the data and this condition does not exempt you from your other obligations under the UK GDPR. You must always be able to demonstrate that your processing is more generally lawful, fair and transparent, and in particular that you have a valid lawful basis. You need to consider the individual’s reasonable expectations for further use of the data, in order to ensure your processing is fair.

You also need to respect the individual’s rights and ensure you tell individuals that you are processing their data. There is no automatic exemption from transparency obligations just because information is in the public domain.

Further reading – ICO guidance

More explanation on what counts as ‘in the public domain’ is available as part of our freedom of information guidance on Information in the public domain.

(f) Legal claims and judicial acts

Article 9(2)(f) permits you to process special category data if:

“processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity”.

You don’t need a DPA Schedule 1 condition or an appropriate policy document to rely on this condition.

Legal claims

You must show that the purpose of the processing is to establish, exercise or defend legal claims. ‘Legal claims’ in this context is not limited to current legal proceedings. It includes processing necessary for:

  • actual or prospective court proceedings;
  • obtaining legal advice; or
  • establishing, exercising or defending legal rights in any other way.

Example

An employer is being sued by one of its employees following an accident at work. The employer wants to pass the details of the accident to its solicitors to obtain legal advice on its position and potentially to defend the claim. The information about the accident includes details of the individual’s injuries, which qualify as health data. The purpose of the disclosure is to establish its legal position and to defend the claim.

Example

A professional trust and estate practitioner advises a client on setting up a trust to provide for a disabled family member. The adviser processes health data of the beneficiary for this purpose. Although there is no active legal claim before the courts, this is still for the purpose of establishing the legal claims of the trust beneficiary for the purposes of this condition.

Example

A hairdresser conducts a patch test on a client to check that they will not have an allergic reaction to a hair dye. The hairdresser records when the test was taken and the results. The hairdresser is therefore processing health data about the client’s allergies. Although there is no actual or expected court claim, the purpose is to establish that the hairdresser is fulfilling their duty of care to the client, and to defend against any potential personal injury claims in the event of an adverse reaction.

You must be able to justify why processing of this specific data is ‘necessary’ to establish, exercise or defend the legal claim. The use of this data must be relevant and proportionate, and you must not have more data than you need.

Judicial acts

This condition also applies whenever a court (or tribunal) is acting in its judicial capacity.

If you are a court then you can apply this condition whenever you are processing special category data in your judicial capacity. If the processing is not part of your judicial duties then this condition does not apply and you need to look for an alternative condition in order to be able to process special category data.

(g) Substantial public interest

Article 9(2)(g) permits you to process special category data if:

“processing is necessary for reasons of substantial public interest, on the basis of Domestic Law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject”.

The relevant basis in UK law is set out in section 10(3) of the DPA 2018. This means that you need to meet one of the 23 specific substantial public interest conditions set out in Schedule 1 (at paragraphs 6 to 28). You must also have an ‘appropriate policy document’ in place for almost all of these conditions.

For more information, see What are the substantial public interest conditions?

(h) Health or social care

Article 9(2)(h) permits you to process special category data if:

“processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Domestic Law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3”.

The relevant basis in UK law is set out in the DPA 2018, in Schedule 1 condition 2. This condition covers the following purposes:

  • preventive or occupational medicine;
  • the assessment of an employee’s working capacity;
  • medical diagnosis;
  • the provision of health care or treatment;
  • the provision of social care (this is likely to include social work, personal care and social support services); or
  • the management of health care systems or services or social care systems or services.

You must be able to justify why processing of this specific data is ‘necessary’ - it must be a reasonable and proportionate way of achieving one of these purposes, and you must not have more data than you need.

Article 9(3) of the UK GDPR contains the additional safeguard that you can only rely on this condition if the personal data is being processed by (or under the responsibility of) a professional who is subject to an obligation of professional secrecy. Section 11 of the DPA 2018 makes it clear that in the UK this includes:

(a) a health professional or a social work professional; or
(b) another person who in the circumstances owes a duty of confidentiality under an enactment or rule of law.

Section 204 of the DPA 2018 defines the terms “health professional” and “social work professional”. You should check the full details of section 204 where relevant, but as a guide this includes:

  • doctors;
  • nurses or midwives;
  • dentists;
  • opticians or optometrists;
  • osteopaths;
  • chiropractors;
  • arts therapists;
  • chiropodists;
  • clinical scientists;
  • dietitians;
  • medical laboratory technicians;
  • occupational therapists;
  • orthoptists;
  • paramedics;
  • physiotherapists;
  • prosthetists or orthotists;
  • radiographers;
  • speech and language therapists;
  • pharmacists or pharmacy technicians;
  • child psychotherapists; and
  • social workers.

Example

A care home provides regular personal care to a number of its residents. To do so, it needs to process the health information of its residents. In order to provide appropriate levels of care there will be times where staff members who aren’t healthcare professionals need to handle this information.

In such circumstances the care home will be able to use the health and social care condition for processing, as long as its staff are health or social care professionals or are non-healthcare professionals with a duty of confidence to the residents.

A duty of confidence exists when personal information has been given with the understanding that it will be kept confidential. Any care home staff who are directly involved in providing care to an individual will have a legitimate relationship with that person, and it is therefore acceptable for them to view confidential information to support the provision of care.

Care homes should be able to demonstrate that their staff have a duty of confidence in place in a number of ways, including from health or social care statutory provisions, the provisions of any employment contracts with staff, or from the common law duty of confidence. Care home providers should ensure that staff have an understanding of their responsibility to keep the personal information they use confidential.

If you are not subject to a duty of confidentiality to the individual, but you are under a legal obligation in connection with the provision of social services, the condition for employment, social security and social protection law may be more appropriate.

You don’t need to have an appropriate policy document in place.

Where this condition applies, the individual does not have a right to erasure.

(i) Public health

Article 9(2)(i) permits you to process special category data if:

“processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Domestic Law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy”.

The relevant basis in UK law is set out in the DPA 2018, in Schedule 1 condition 3. In order to rely on this condition the processing must be carried out either:

  • by, or under the responsibility of, a health professional; or
  • by someone else who in the circumstances owes a legal duty of confidentiality.

Recital 54 of the UK GDPR gives more guidance on what is meant by ‘public health’:

“all elements related to health, namely health status, including morbidity and disability, the determinants having an effect on that health status, health care needs, resources allocated to health care, the provision of, and universal access to, health care as well as health care expenditure and financing, and the causes of mortality.”

You must be able to demonstrate that the processing is necessary for reasons of public interest in the area of public health. The term ‘public interest’ is not defined, but you need to point to a benefit to the wider public or society as a whole, rather than to your own interests or the interests of the particular individual. In particular, recital 54 makes clear this condition should not enable processing for other purposes by employers, or by insurance or banking companies.

This condition may for example apply where the processing is necessary for:

  • public health monitoring and statistics;
  • NHS resource planning;
  • public vaccination programmes;
  • responding to new threats to public health (eg epidemics, pandemics or new research findings);
  • clinical trials of drugs or medical devices;
  • regulatory approval of drugs or medical devices; or
  • reviewing standards of clinical practice.

Example

A number of GP surgeries wish to use a workforce and workload planning tool for their practices. The tool requires the analysis of patients’ health data to supply information on current activity, and identifies opportunities to improve effectiveness and efficiency of health provision. The GP surgeries can justify that this is necessary for public interest reasons in the area of public health.

You don’t need to have an appropriate policy document in place.

Where this condition applies, the individual does not have a right to erasure.

(j) Archiving, research and statistics

Article 9(2)(j) permits you to process special category data if:

“processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Domestic Law which shall be proportionate to the aim pursued, respect the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject”.

The relevant basis in UK law is set out in the DPA 2018, in Schedule 1 condition 4. This condition requires you to:

  • demonstrate that the processing is necessary for archiving, research or statistical purposes - it must be a reasonable and proportionate way of achieving one of these purposes, and you must not have more data than you need;
  • comply with the safeguards and restrictions set out in Article 89(1) of the UK GDPR and section 19 of the DPA 2018 (see below); and
  • demonstrate that the processing is in the public interest. The term ‘public interest’ is not defined, but you need to point to a benefit to the wider public or society as a whole, rather than to your own interests or the interests of the particular individual.

Not all research is covered by this condition. You need to demonstrate that your research is either scientific or historical in nature, and in the public interest. This applies to both public-sector and private-sector research. It can include, for example, technological development and demonstration, fundamental research, applied research and privately funded research. Commercial scientific research may therefore be covered, but you need to demonstrate that it uses rigorous scientific methods and furthers a general public interest. However, commercial market research is unlikely to be covered, unless you meet this requirement.

Article 89(1) says that you must have appropriate safeguards in place to protect individuals, and in particular technological and organisational measures to ensure data minimisation. Section 19 of the DPA 2018 contains further safeguards and restrictions. In particular, this means you must:

  • be able to demonstrate why you cannot use anonymised data;
  • consider whether you could use pseudonymisation to make it more difficult to link the personal data back to specific individuals;
  • be able to demonstrate that the processing is not likely to cause substantial damage or distress to individuals;
  • not use the data to take any action or make decisions in relation to the individuals concerned (unless you are carrying out approved medical research as defined in section 19(4) of the DPA 2018); and
  • consider other appropriate safeguards and security measures.

You don’t need to have an appropriate policy document in place.

Example

A hospital asks a number of patients for their informed consent to take part in a series of clinical trials for a new medication, in line with clinical trials regulations.

However, for the purposes of the UK GDPR, the hospital does not wish to rely upon explicit consent as its condition for processing the participants’ health data. The hospital needs to continue to process the research data already collected even if the patient withdraws their consent and drops out of the trial. It also considers that in the context of a clinical trial, consent does not match the ‘freely given’ standard of the UK GDPR, given the imbalance of power between the patient and the hospital clinicians.

Instead the hospital relies upon Article 9(2)(j) - processing for scientific research purposes - as its condition for processing the special category data of the participants. It ensures it has addressed the safeguards set out in Article 89(1) of the UK GDPR and in section 19 of the DPA 2018.

The hospital’s Article 6 basis for processing is Article 6(1)(e) - the performance of a task carried out in the public interest.

Further reading – European Data Protection Board (EDPB)

EDPB guidelines are no longer directly relevant to the UK regime and are not binding under the UK regime. However, they may still provide helpful guidance on certain issues.

The EDPB has adopted an opinion on the interplay between the CTR (the EU Clinical Trials Regulation) and the GDPR.