What does the GDPR say?
Article 9 prohibits the processing of special category data. There are 10 exceptions to this general prohibition, usually referred to as ‘conditions for processing special category data’:
(a) Explicit consent
(b) Employment, social security and social protection (if authorised by law)
(c) Vital interests
(d) Not-for-profit bodies
(e) Made public by the data subject
(f) Legal claims or judicial acts
(g) Reasons of substantial public interest (with a basis in law)
(h) Health or social care (with a basis in law)
(i) Public health (with a basis in law)
(j) Archiving, research and statistics (with a basis in law)
Five of the conditions only apply if your processing has an authorisation or basis in EU or member state law. In the UK, this authorisation or basis in law is set out in the DPA 2018.
The GDPR also says that member states can add further specific conditions for genetic, biometric or health data (although the UK has not done so).
Article 22(4) says that you cannot use special category data for solely automated decision-making (including profiling) that has legal or similarly significant effects, unless you have explicit consent or meet the substantial public interest condition. You also need suitable measures in place to safeguard the data subject’s rights, freedoms and legitimate interests.
Use of special category data, particularly on a large scale, can also affect your other obligations and in particular the need for documentation, DPIAs, DPOs and EU representatives. See below for what else you need to do.
What does the DPA 2018 say?
The DPA 2018 supplements and tailors the GDPR conditions for processing special category data.
Section 10 says that if you are relying on a GDPR condition which requires authorisation by law or a basis in law, you must meet one of the additional conditions in Schedule 1.
Section 11(1) applies to the health or social care condition, and clarifies when the requirement for a professional obligation of secrecy will be met under UK law.
Schedule 1 Part 1 contains the first four conditions, which give a specific basis in UK law for relying on specific Article 9 conditions:
1. employment, social security and social protection - Article 9(2)(b);
2. health or social care - Article 9(2)(h);
3. public health - Article 9(2)(i); and
4. archiving, research or statistics - Article 9(2)(j).
Schedule 1 Part 2 then specifies a further 23 potential ‘substantial public interest’ conditions for the purposes of Article 9(2)(g).
Schedule 1 (at paragraphs 5 and 38 to 41) also includes additional requirements for you to keep an appropriate policy document and records of processing in relation to special category data.
The DPA 2018 does not add any more specific conditions for genetic, biometric or health data, although there is the power for the Secretary of State to make regulations to add or amend conditions.
What is the combined effect of these rules?
You must always ensure that your processing is generally lawful, fair and transparent, and complies with all of the other principles and requirements of the GDPR.
Remember that in order for your processing to be lawful, you always need to identify an Article 6 basis for processing.
In addition, you can only process special category data if you can meet one of the conditions in Article 9 of the GDPR, together with any associated DPA Schedule 1 conditions where required. This table summarises when you need a Schedule 1 condition:
Article 9 condition                                    DPA Schedule 1 condition
(a) explicit consent                                   none
(b) employment, social security and social protection  + condition 1
(c) vital interests                                    none
(d) not-for-profit bodies                              none
(e) manifestly made public                             none
(f) legal claims or judicial acts                      none
(g) substantial public interest                        + one of conditions 6 - 28
(h) health or social care                              + condition 2
(i) public health                                      + condition 3
(j) archiving, research or statistics                  + condition 4
You need to be able to demonstrate that your processing meets the specific requirements of the relevant conditions. For more detail on each condition, see What are the conditions for processing?
If you plan to make solely automated decisions (including profiling) on the basis of special category data, the rules are stricter. If this might have a legal or similarly significant effect on the individual, you can only go ahead with either explicit consent, or a substantial public interest condition. You should also read our separate guidance on rights related to automated processing.
How do the conditions work?
First you need to be clear about why you need special category data, as most of the conditions are based on the specific purpose for the processing. You can then identify the most relevant condition.
Given the potential risks to individuals’ rights, the conditions are narrowly drawn and often require you to meet detailed criteria and put in place specific safeguards and accountability measures. Some conditions are also limited to specific types of controllers, and some only apply to particular types of special category data.
For some of the conditions, you need to justify why you cannot give individuals a choice and get explicit consent for your processing. This is different to the separate rules on having a lawful basis for processing personal data, where there is no preference for consent. Given the risks to individuals, there is more emphasis on explicit consent for special category data. However, this justification is not required for all conditions, and even where it is required the law acknowledges there may be good reasons why you can’t get valid consent in some cases.
If you’re not sure which condition is appropriate, it can be useful to start by considering whether you could reasonably get explicit consent for your processing. However, consent won’t always be appropriate, particularly in the public sector. If there are good reasons why consent won’t work, you can then consider the other Article 9 conditions. You should focus on your purpose for processing, ensuring that the special category data is actually necessary for that purpose. If the only relevant condition is substantial public interest, you should go on to consider the specific substantial public interest conditions in the DPA 2018.
If your purpose is not covered by any of the conditions, and you cannot obtain valid explicit consent, you cannot process the special category data. It doesn’t matter how good your reason for processing might be. In practice, you need to change your plans to either avoid using special category data, or else obtain valid explicit consent.
The only potential exemption from Article 9 is the public interest exemption for journalism, academia, art or literature. There are no other exemptions from Article 9.
The ICO cannot authorise the use of special category data in the absence of a condition. Adding further conditions is a matter for government and would require new legislation.
What does ‘necessary’ mean?
Most of the conditions depend on you being able to demonstrate that the processing is ‘necessary’ for a specific purpose. This does not mean that processing has to be absolutely essential. However, it must be more than just useful or habitual. It must be a targeted and proportionate way of achieving that purpose.
The condition does not apply if you can reasonably achieve the same purpose by some other less intrusive means – and in particular if you could do so by using non-special category data. There is a link here to the data minimisation principle, which you should consider carefully for special category data.
It is not enough to argue that processing is necessary because it is part of your particular business model, processes or procedures, or because it is standard practice. The question is whether the processing of the special category data is a targeted and proportionate way of achieving the purpose described in the condition.
How does this affect our lawful basis?
It doesn’t. These conditions do not replace or override the usual rules on having a lawful basis for processing. Instead, they operate as an additional layer of conditions on top of the usual rules.
If you are processing special category data this means you must still identify a lawful basis for your processing, in exactly the same way as for any other personal data. In other words, you must identify both a lawful basis under Article 6 and a condition for processing special category data under Article 9.
However, if you are relying on legitimate interests as your lawful basis, you need to take into account the particular risks associated with special category data in your legitimate interests assessment. You may need to put in place more robust safeguards to mitigate any impact or risks to the individual to demonstrate that the legitimate interests basis applies.
Your choice of lawful basis under Article 6 does not dictate which condition you must apply, and vice versa. You can choose whichever condition best fits the circumstances, irrespective of your lawful basis.
Of course, in some cases there may be an obvious link between the lawful basis and a particular condition. For example if your lawful basis is vital interests, the special category condition for vital interests may well also be appropriate. And if your lawful basis is consent, it is likely to make sense to use explicit consent for special category data.
However, some of the lawful bases do not have a direct link with a particular condition, for example, contract or legitimate interests. This is because the conditions for special category data are designed to be more restrictive and specific. This does not mean that you will never have a condition – just that you need to look at all of them to see if you can identify one that fits the circumstances and justifies that element of your processing.
In particular, even if you are not using consent as your lawful basis for all the data, you can still consider explicit consent as your condition for processing any special category data.
Do we need to do a DPIA?
You must do a data protection impact assessment (DPIA) for any type of processing which is likely to be high risk. This means you are more likely to need to do a DPIA for special category data, and be aware of the likely risks.
In particular, you must carry out a DPIA if you plan to process special category data:
• on a large scale;
• to determine access to a product, service, opportunity or benefit; or
• which includes genetic or biometric data (if in combination with any other criteria in European DPIA guidelines).
If in doubt, we recommend you carry out a DPIA. This will make it easier to ensure you have appropriate safeguards in place and can demonstrate your compliance.
What else do we need to do?
You must always ensure that your processing is generally lawful, fair and transparent, and complies with all the other principles and requirements of the GDPR. Be aware that the particular risks associated with special category data might affect what is considered fair, or what you need to do to comply.
In particular, you may need to consider:
- Data minimisation: it is particularly important to make sure you collect and retain only the minimum amount of special category data - and can justify why you need this specific type of data.
- Security measures: one of the considerations for determining the appropriate level of security is the sensitivity of the personal data. You may need to consider whether you need additional security measures for special category data.
- Transparency: you need to include information about categories of data in your privacy notice and other privacy information for individuals. If you are processing special category data, you should make this clear and specify which categories of data. You don’t have to say which condition you are relying on.
- Rights related to automated decision-making: if you are carrying out automated decision-making (including profiling) using special category data and this might have a ‘legal or similarly significant effect’ on the individual, you can only go ahead if you get the individual’s explicit consent, or if you identify a substantial public interest condition.
- Documentation: if you process special category data you must keep records, including documenting the categories of data. You must also identify whether you need an ‘appropriate policy document’ under the DPA 2018. If so, your general documentation must include your condition for processing the data, how you satisfy a lawful basis for that processing, and specific details about whether you have followed your retention and deletion policies – and if not, why not.
- Data Protection Officer (DPO): you must appoint a DPO if your core activities (in other words, your primary business objectives) require large scale processing of special category data.
- EU representative: if you are not established in the EU but you offer services to, or monitor, individuals in the UK or other EU member states, and you process special category data on a large scale, you need to designate a representative in the EU. You may need a representative even for occasional small-scale processing of special category data, unless you can show that it is low risk. You may also need to seek your own legal advice on the law in other relevant member states.