What is Special category data?
Special category data is data that needs more protection because of its sensitivity. There is guidance on this, and if you wish to look into it further we recommend reading the ICO’s website: https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/lawful-basis/a-guide-to-lawful-basis/lawful-basis-for-processing/special-category-data/
The main thing to understand when deciding what is or isn’t special category data is the following list:
- personal data revealing racial or ethnic origin;
- personal data revealing political opinions;
- personal data revealing religious or philosophical beliefs;
- personal data revealing trade union membership;
- genetic data;
- biometric data (where used for identification purposes);
- data concerning health;
- data concerning a person’s sex life; and
- data concerning a person’s sexual orientation.
Please also keep in mind that the rule of direct and indirect data applies here: you may not state the data exactly, but if it is “inferred” then, according to the ICO, it could still count, depending on how it is inferred.
What do we have to do with them?
With regular personal data we always need to have a lawful basis, as per the requirements of the UK GDPR. With special category data we need to go a bit further than just the lawful basis: we need to decide which, if any, of the conditions for processing special category data is the best option. Below we have listed all the different conditions for processing special category data. Please note that these are not exhaustive lists, so make sure you fully research the condition before relying on it.
The list is as follows:
Explicit consent
Although it is referred to as ‘explicit consent’, we should treat this like any normal consent, i.e. it must be opt-in only, be a clear confirmation, clearly state the data being processed, be separate from any other consent request and clearly state how consent can be withdrawn.
Employment, social security and social protection (if authorised by law)
This condition is for when the “processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Domestic Law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject”.
The ICO’s website provides lists of where this is applicable: https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/lawful-basis/special-category-data/what-are-the-conditions-for-processing/#conditions3
In practice we need to focus on a couple of points: there has to be an appropriate legal obligation to process the data; for example, the processing must comply with employment, social security and social protection law.
Vital interests
This only covers processing that is a matter of life and death. The ICO’s guidance on this sums it all up quite well with the following:
This condition is likely to be most relevant for emergency medical care, when you need to process personal data for medical purposes but the individual is unconscious or otherwise incapable of giving consent.
Not-for-profit bodies
Firstly, you can only rely on this condition if your school is a not-for-profit organisation and the data that you process is only that of current and former members or any other individual who has regular contact, such as partners, supporters or beneficiaries. It is also specified that the information you process under this condition is part of the organisation’s legitimate activities and that you have appropriate safeguards.
Made public by the data subject
This condition is in essence saying, “Well, the information is in the public already so it should be OK to process it”. But you still have to meet the criteria for this condition for processing; for example, the data must originally have been made public by the data subject, and you as a school should be confident that the data subject knew what they were doing and deliberately made the information accessible to the public. It is a good idea to document where it was made public, just in case.
Legal claims or judicial acts
We can separate this into 2 sections.
Legal claims:
You must show that the purpose of the processing is to establish, exercise or defend legal claims. ‘Legal claims’ in this context is not limited to current legal proceedings. It includes processing necessary for:
- actual or prospective court proceedings;
- obtaining legal advice; or
- establishing, exercising or defending legal rights in any other way.
Judicial Claims:
This is something you do not need to worry about as a school. The exact wording is “If you are a court then you can apply this condition whenever you are processing special category data in your judicial capacity.”
Reasons of substantial public interest (with a basis in law)
In order for you as a school to use this condition for processing, you will also need to select one of the 23 specific substantial public interest conditions, as well as have an appropriate policy document in place. Further information about these can be found here: https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/lawful-basis/special-category-data/what-are-the-substantial-public-interest-conditions/
Health or social care (with a basis in law)
Firstly, this condition can only be used for:
- a health professional or a social work professional; or
- another person who in the circumstances owes a duty of confidentiality under an enactment or rule of law.
This condition will only apply when the following is taking place:
- preventive or occupational medicine;
- the assessment of an employee’s working capacity;
- medical diagnosis;
- the provision of health care or treatment;
- the provision of social care (this is likely to include social work, personal care and social support services); or
- the management of health care systems or services or social care systems or services.
As with a lot of processing, it is very important to remember that the data and the processing must be necessary, reasonable and proportionate.
Public health (with a basis in law)
I do not believe that this will come up in schools as the conditions for using it are very medical based. The examples provided for this one are as follows:
- public health monitoring and statistics;
- NHS resource planning;
- public vaccination programmes;
- responding to new threats to public health (eg epidemics, pandemics or new research findings);
- clinical trials of drugs or medical devices;
- regulatory approval of drugs or medical devices; or
- reviewing standards of clinical practice.
Archiving, research and statistics (with a basis in law)
As with the previous conditions, there is a set of guidance around this condition. To rely on this condition you must do the following:
- demonstrate that the processing is necessary for archiving, research or statistical purposes - it must be a reasonable and proportionate way of achieving one of these purposes, and you must not have more data than you need;
- comply with the safeguards and restrictions set out in Article 89(1) of the UK GDPR and section 19 of the DPA 2018 (see below); and
- demonstrate that the processing is in the public interest. The term ‘public interest’ is not defined, but you need to point to a benefit to the wider public or society as a whole, rather than to your own interests or the interests of the particular individual.
There are further safeguards in place as well as further clarification, for example the research must be either scientific or historical in nature, and in the public interest.