What are the ‘special categories of personal data’?
The GDPR singles out some types of personal data as likely to be more sensitive, and gives them extra protection:
personal data revealing racial or ethnic origin;
personal data revealing political opinions;
personal data revealing religious or philosophical beliefs;
personal data revealing trade union membership;
biometric data (where used for identification purposes);
data concerning health;
data concerning a person’s sex life; and
data concerning a person’s sexual orientation.
In this guidance we refer to this as ‘special category data’.
The majority of the special categories are not defined and are fairly self-explanatory. However specific definitions are provided for genetic data, biometric data and health data.
Why is this data special?
It’s not just that this type of information might be seen as more sensitive or ‘private’. The recitals to the GDPR explain that these types of personal data merit specific protection. This is because use of this data could create significant risks to the individual’s fundamental rights and freedoms. For example, the various categories are closely linked with:
freedom of thought, conscience and religion;
freedom of expression;
freedom of assembly and association;
the right to bodily integrity;
the right to respect for private and family life; or
freedom from discrimination.
The presumption is that this type of data needs to be treated with greater care because collecting and using it is more likely to interfere with these fundamental rights or open someone up to discrimination. This is part of the risk-based approach of the GDPR.
Whilst other data may also be sensitive, such as an individual’s financial data, this does not raise the same fundamental issues and so does not constitute special category data for the purposes of the GDPR. And while data about criminal allegations or convictions may raise some similar issues, it does not constitute special category data as it is covered by separate rules. However, you always need to ensure that when you are processing other types of data, it is fair and meets other GDPR requirements (including the separate rules on criminal offence data).
These special categories of personal data are framed broadly and may also catch information that is not seen as particularly sensitive. For example, details about an individual’s mental health are likely to be much more sensitive than whether they have a broken leg – but both are data concerning health. Given the potential risks to fundamental rights, it is important that you identify any special category data and approach it carefully, even if you don’t think it is particularly sensitive.
What is genetic data?
The GDPR defines genetic data in Article 4(13):
“‘genetic data’ means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question”.
Recital 34 says this includes chromosomal, DNA or RNA analysis, or any other type of analysis that enables you to obtain equivalent information. (Ribonucleic acid (RNA) plays an essential part in the coding, decoding, regulation and expression of genes).
Not all genetic information constitutes genetic data. The first question is always whether the genetic information is personal data. A genetic sample itself is not personal data until you analyse it to produce some data. And genetic analysis data is only personal data (and so genetic data) if you can link it back to an identifiable individual.
In most cases, you process genetic information to learn something about a specific identified individual and to inform you about taking some action in relation to them. This is clearly personal data – and special category genetic data - for the purposes of the GDPR.
However, the definition of personal data also includes identification by reference to “one or more factors specific to the genetic identity of that natural person”, even without their name or other identifier. So, in practice, genetic analysis which includes enough genetic markers to be unique to an individual is personal data and special category genetic data, even if you have removed other names or identifiers. And any genetic test results which are linked to a specific biological sample are usually personal data, even if the results themselves are not unique to the individual, because the sample is by its nature specific to an individual and provides the link back to their specific genetic identity.
However, there are cases where genetic information is not identifiable personal data. For example, where you have anonymised or aggregated partial genetic sequences or genetic test results (eg for statistical or research purposes), and they can no longer be linked back to a specific genetic identity, sample or profile; a patient record; or to any other identifier.
Article 9(1) includes in the list of special categories of data:
“biometric data for the purpose of uniquely identifying a natural person”.
The GDPR defines biometric data in Article 4(14):
“‘biometric data’ means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data”.
The term ‘dactyloscopic data’ means fingerprint data.
A gym introduces an electronic fingerprint scanning system. Members scan their fingerprint in order to get through the entrance turnstiles. This system is processing biometric data to identify individual members, so the gym needs a valid condition for processing that special category data.
A school introduces an electronic fingerprint scanning system to charge students for their school meals. This system is processing biometric data to identify the individual students, so the school needs a valid condition for processing that special category data.
Facial imaging and fingerprint data are just two examples, but these are not exhaustive. Many other types of physical, physiological or behavioural ‘fingerprinting’ fall within the definition.
Examples of physical or physiological biometric identification techniques:
voice recognition; and
ear shape recognition.
Examples of behavioural biometric identification techniques:
handwritten signature analysis;
gait analysis; and
gaze analysis (eye tracking).
If you process digital photographs of individuals, this is not automatically biometric data even if you use it for identification purposes. Although a digital image may allow for identification using physical characteristics, it only becomes biometric data if you carry out “specific technical processing”. Usually this involves using the image data to create an individual digital template or profile, which in turn you use for automated image matching and identification.
All biometric data is personal data, as it allows or confirms the identification of an individual. Biometric data is also special category data whenever you process it “for the purpose of uniquely identifying a natural person”. This means that biometric data will be special category data in the vast majority of cases. If you use biometrics to learn something about an individual, authenticate their identity, control their access, make a decision about them, or treat them differently in any way, you need to comply with Article 9.
In more detail
We are planning to produce more detailed ICO guidance on processing biometric data.
“‘data concerning health’ means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status”.
Health data can be about an individual’s past, current or future health status. It not only covers specific details of medical conditions, tests or treatment, but includes any related data which reveals anything about the state of someone’s health.
Health data can therefore include a wide range of personal data, for example:
any information on injury, disease, disability or disease risk, including medical history, medical opinions, diagnosis and clinical treatment;
medical examination data, test results, data from medical devices, or data from fitness trackers;
information collected from the individual when they register for health services or access treatment;
appointment details, reminders and invoices which tell you something about the health of the individual. These fall under ‘the provision of health care services’ but must reveal something about a person’s health status. For example, a GP or hospital appointment in isolation will not tell you anything about a person’s health as it may be a check-up or screening appointment. However, you could reasonably infer health data from an individual’s list of appointments at an osteopath clinic or from an invoice for a series of physiotherapy sessions; and
a number, symbol or other identifier assigned to an individual to uniquely identify them for health purposes (eg an NHS number, or Community Health Index (CHI) number in Scotland), if combined with information revealing something about the state of their health.
What about criminal offence data?
Personal data about criminal allegations, proceedings or convictions is not special category data. However, there are similar rules and safeguards for processing this type of data, to deal with the particular risks associated with it. For more information, see our separate guidance on criminal offence data.
What about inferences and educated guesses?
The GDPR is clear that special category data includes not only personal data that specifies relevant details, but also personal data revealing or concerning these details.
It may be possible to infer or guess details about someone which fall within the special categories of data. Whether or not this counts as special category data and triggers Article 9 depends on how certain that inference is, and whether you are deliberately drawing that inference.
If you can infer relevant information with a reasonable degree of certainty then it’s likely to be special category data even if it’s not a cast-iron certainty. But if it is just a possible inference or an ‘educated guess’, it is not special category data (unless you are specifically processing to treat someone differently on the basis of that inference) - even if that guess turns out to be right.
A job applicant lists on their CV that they are a trustee of a charity that supports deaf people. Other individuals associated with the charity are themselves deaf – but being a trustee does not necessarily mean that the individual is deaf. The company processing personal data contained in the CV would not need a special category condition to process that data, even if the individual in fact is deaf or hard of hearing.
However, if the company has other information which confirms that the individual is deaf, it will then need a condition to process this special category data.
You can often infer an individual’s religion or ethnicity with varying degrees of certainty from names or images. For example, many surnames are associated with a particular ethnicity or religion. However, it is inappropriate to treat all such names as special category data in every instance, as this would mean you need a special category condition just to hold such names on a customer database, which is not the case.
However, if you process such names specifically because they indicate ethnicity or religion, for example to target services on this basis, then you are processing special category data.
This is likely to be a particular issue if you undertake any form of profiling which infers, for example, ethnicity, beliefs, politics, health risks, sexual orientation or relationship status. If you intend to create such inferences, you are processing special category data irrespective of the level of statistical confidence. The key question here is not whether the inferences are correct, but whether you are using an inference linked to one of the special categories to influence your activities in any way.
You must also take extra care to ensure you are not processing inaccurate, inadequate or irrelevant personal data (in line with the accuracy principle), and that you only draw such inferences where they are directly relevant and necessary for your purpose (in line with the data minimisation principle).
If you are concerned that someone might be able to infer special category data even if it is not relevant to your purpose, you may want to identify a condition to cover that possibility, to minimise the privacy risks. However, there is nothing in the GDPR that says a condition for processing is required, just in case it turns out that an unintended potential inference is in fact correct.
If you think the data carries a risk of inferences that might be considered sensitive or private, even if this falls short of revealing something about one of the special categories with any level of certainty, then you should also carefully consider fairness issues and whether there is anything more you can do to minimise privacy risks.