On November 14, 2019, the UK Information Commissioner’s Office (“ICO”) published detailed guidance on the processing of special category data. The guidance sets out (i) what are the special categories of data, (ii) the rules that apply to the processing of special category data under the General Data Protection Regulation (“GDPR”) and UK Data Protection Act 2018 (“DPA); (iii) the conditions for processing special category data; and (iv) additional guidance on the substantial public interest condition, including what is an “appropriate policy document”.
Under the GDPR, stricter rules apply to the processing of special category data, which includes genetic and biometric data as well as information about a person’s health, sex life, sexual orientation, racial or ethnic origin, political opinions, religious or philosophical beliefs, and trade union membership. As noted in the guidance, there is a presumption that “this type of data needs to be treated with greater care” because the “use of this data could create significant risks to the individual’s fundamental rights and freedoms”. This blog post provides a summary of the key takeaways from the ICO’s guidance.
What are the special categories of data?
The guidance provides the following key points with respect to certain special data categories:
- Genetic Data. A genetic sample is not itself personal data unless you analyse it to produce data. However, the results of genetic analysis will be personal data where it includes “enough genetic markers to be unique to an individual….even if you have removed other names or identifiers”. According to the guidance, genetic test results which are linked to a specific biological sample “are usually personal data”.
- Biometric Data. Biometric data is personal data, however, it is only classified as special category data where you use it to uniquely identify a natural person. The ICO admits that this therefore means “biometric data will be special category data in the vast majority of cases”. Biometric data includes physical or physiological biometric identification techniques (such as fingerprint verification, facial and voice recognition) and behavioural biometric identification techniques (such as keystroke, signature, gait and gaze analysis).
- Health data. Health data not only includes specific medical conditions, but also “includes any related data which reveals anything about the state of someone’s health”. Examples given include information about an injury or disease, medical examinations or tests, information on registration or access to health services, appointment details or reminders that reveal something about an individuals’ health status, and an identifier assigned to an individual that identifies them for health purposes (i.e., NHS number) if combined with information revealing the individuals’ health status.
- Inferences and educated guesses. If you are able to infer information revealing special category data about an individual with “a reasonable degree of certainty” you will also be caught by Article 9. If, however, it is just a “possible inference” or an “educated guess”, then this is not special category data. This doctrinal approach will undoubtedly pose challenges when applied in real-world scenarios, as it will be unclear where an “educated guess” ends and “reasonable certainty” begins. However, the ICO also notes that if you process data with the intention of making such inferences about an individual (i.e., about their ethnicity, beliefs, or sexual orientation), you are processing special category data “irrespective of the level of statistical confidence”.
What rules apply?
The guidance reiterates that under the GDPR, organisations that process special category data must have both a lawful basis to process data under Article 6, as well as satisfy an Article 9 condition for processing. Where the Article 9 condition requires authorisation by law or a basis in law, the organisation must then also meet an additional condition set out in Schedule 1 of the DPA.
The ICO notes that in order to rely on many of the conditions under Article 9 and DPA Schedule 1, you have to demonstrate that it would not be reasonable to obtain consent from individuals, implying a preference for reliance upon consent. As a result, the guidance stipulates that if an organisation could give individuals a choice, it may not be appropriate to rely on one of the other conditions. In addition, organisations must also demonstrate that the processing is necessary for a specific purpose. According to the ICO, this does not mean it has to be “absolutely essential”, but it must be “more than just useful or habitual”. The condition is unlikely to be met if you can achieve the purpose without processing special category data.
Conditions for processing
The ICO provides the following guidance in relation to some of the key grounds for lawfully processing special category data:
- Explicit consent. The ICO acknowledges that the GDPR does not provide a clear distinction between consent and explicit consent. However, the ICO provides that the “extra requirements for consent to be ‘explicit’ are likely to be”: (i) a clear statement (oral or written); (ii) it must specify the nature of the special category data; and (iii) the consent should be separate from any other consent.
- Employment, social security and social protection law. To rely on this condition under the GDPR and DPA, organisations must be able to identify a specific legal obligation or right, either by “reference to the specific legal provision or else by pointing to an appropriate source of advice or guidance”. The ICO provides that this may include “a reference to a government website or industry guidance”. The condition would not be met where the processing is based upon rights or obligations found in employment contracts, however.
- Vital interests. The ICO confirms that this condition is “very limited in scope”, as it only covers “interests that are essential for someone’s life”, generally meaning “matters of life and death”.
- Manifestly made public. This condition can only be relied upon where there is a “deliberate act by the individual” to make the information public. Just because the information is in the public domain is not enough. The ICO recommends considering the following questions: (i) is the special category data in the public domain?; (ii) was the data made public by the individual themselves?; and (iii) did the individual deliberately make the data public? Where an individual has made data accidentally or unintentionally public is not sufficient.
- Public health interest. In order to rely on this condition, the processing must be necessary for reasons of public interest in the area of public health, and must be carried out by a health professional or someone else who owes a legal duty of confidentiality. Public interest requires you to point to a “benefit to the wider public or society as a whole”. This may include public health monitoring, responding to new threats to public health, clinical trials of drugs or medical devices, or regulatory approval of drugs or medical devices.
- Archiving, research and statistics. To rely on this condition, you must be able to (i) demonstrate the processing is necessary for archiving, research or statistical purposes; (ii) comply with safeguards set out Article 89(1) of the GDPR and Section 19 of the DPA; and (iii) demonstrate that the processing is in the public interest. According to the guidance, not all research is covered, but instead only research that is either “scientific or historical in nature”, and in the “public interest”. These rules apply to both public and private sector. Again, public interest requires you to point to a “benefit to the wider public or society as a whole”.
- Substantial public interest conditions. The DPA provides for 23 conditions for processing in the public interest, set out in Schedule 1. Some conditions require a substantial public interest, whereas others require only that there is a public interest at stake. The term “substantial public interest” is not defined in the DPA or the GDPR. However, the guidance notes that public interest covers a wide range of values and principles relating to the public good, or what is in the best interests of society, rather than the best interests of a commercial operator. “Commercial or private interests are not the same as a public interest, and it is not enough for an organisation to point to its own interests.” According to the ICO, substantial public interest means the “public interest needs to be genuine and of substance” and therefore “it is not enough to make a vague or generic public interest argument”. Again the guidance notes that where there is no good reason why consent cannot be obtained, substantial public interest is unlikely to be the appropriate condition for processing.
Appropriate policy document
Many of the DPA Schedule 1 conditions require that an organisation have an “appropriate policy document” in place. This is a short document that should outline “compliance measures and retention policies with respect to the special category data” that the organisation is processing. This must include the condition for processing the data, how the organisation satisfies a lawful basis for that processing and details about whether retention and deletion policies have been followed. According to the guidance, the policy document should be retained for 6 months after the date the relevant processing stops. Although publishing the policy document is not required, the ICO recommends this as good practice. The ICO has also developed a template appropriate policy document to assist organisations.