The Information Commissioner's Office has laid down a criteria of what constitutes "special category personal data" and has asked data controllers to take all necessary precautions to protect this data and ensure they are fully compliant with DPA 2018.
In a new blog post published recently, the ICO said that special category personal data include information about a person's health, sex life or sexual orientation, racial or ethnic origin, political opinion, religious or philosophical beliefs, membership to a trade union, as well as genetic and biometric identification data.
"Special category data is the most sensitive personal data a controller can process. The misuse of this data is likely to interfere with an individual’s fundamental rights and freedoms and could cause real harm and damage," said Ian Hulme, Director for Regulatory Assurance at the ICO.
While GDPR prohibits organisations from holding or processing special category personal data of their customers, they can only do so after acquiring explicit consent and for various purposes such as for employment, social security and social protection, securing vital interests, for reasons of substantial public interest, for health or social care with legal basis, for ensuring public health or for archiving, research, and statistics that have a basis in law.
Can your organisation hold or process special category personal data?
If your organisation needs to hold or process special category personal data of your customers, the ICO says that your organisation must retain only the minimum amount of special category data, should be able to justify why it needs the data, and should include information about categories of data in privacy notices to customers.
In addition, your organisation needs to appoint a Data Protection Officer if its core activities require large scale processing of special category data, and should maintain complete records and documentation including your condition for processing the data, how you satisfy a lawful basis for that processing, and specific details about whether you have followed your retention and deletion policies.
"Most of the conditions depend on you being able to demonstrate that the processing is ‘necessary’ for a specific purpose. This does not mean that processing has to be absolutely essential. However, it must be more than just useful or habitual. It must be a targeted and proportionate way of achieving that purpose.
"The condition does not apply if you can reasonably achieve the same purpose by some other less intrusive means – and in particular if you could do so by using non-special category data.
"It is not enough to argue that processing is necessary because it is part of your particular business model, processes or procedures, or because it is standard practice. The question is whether the processing of the special category data is a targeted and proportionate way of achieving the purpose described in the condition," the ICO added.
Data protection practices of UK organisations have improved: ICO
In March this year, a survey carried out by the ICO as part of Global Privacy Enforcement Network's (GPEN) annual intelligence-gathering operation revealed that 67% of organisations in the UK maintained inventories of personal data collected from their customers and a similar number of them carried out regular self-assessments or audits of internal data protection standards and practices.
"The findings suggest that whilst organisations contacted by the ICO and our international partners have a good understanding of the basic concept of accountability, in practice there is significant room for improvement," said Adam Stevens, head of intelligence at the ICO.
"It is important that organisations have appropriate technical and organisational measures in place. This includes having clear data protection policies, taking a ‘data protection by design and default’ approach and continuing to review and monitor performance and adherence to data protection rules and regulations," he added.