UK: ICO issues new guidance on special category data

On 14th November, the Information Commissioner’s Office (“ICO”) published an update to its guidance on the processing of special category data (“Guidance”).

Background

The General Data Protection Regulation (“GDPR”) recognises that some types of personal data are more sensitive than others, and as such merit extra protection under the law. By way of reminder, special category data includes:

  • personal data revealing racial or ethnic origin;
  • personal data revealing political opinions;
  • personal data revealing religious or philosophical beliefs;
  • personal data revealing trade union membership;
  • genetic data;
  • biometric data (where used for identification purposes);
  • data concerning health;
  • data concerning a person’s sex life; and
  • data concerning a person’s sexual orientation.

Although the Guidance is not fundamentally unexpected or ground-breaking, it does provide plenty of nuanced examples of what constitutes special category data and explains how an organisation can process special category data whilst still complying with the GDPR.

Key takeaways – What qualifies as special category data?

  • Genetic and biometric data.

The Guidance provides much needed clarification about what constitutes genetic and biometric data. For example, it explains that a genetic sample itself is not data until it has been analysed, and it only becomes ‘personal data’ once it can be linked back to an identifiable individual (but the Guidance acknowledges that in most cases you process genetic information to learn something about an individual).

It also gives some less-obvious examples of what would comprise a physical or physiological identification technique (such as voice recognition or ear shape recognition), or a behavioural biometric identification technique (such as gait analysis, keystroke analysis or handwritten signature analysis).

The Guidance also clarifies that a digital photograph of an individual is not automatically biometric data (even if used for identification purposes). It becomes biometric data only once you carry out ‘specific technical processing’ on it, such as extracting a template that can then be used for automated image matching and identification (a good example being the facial recognition technology which has been the subject of widespread discussion following an increase in its usage by UK police forces).

  • When does personal data become special category data?

The Guidance provides some interesting examples of what would constitute special category data, and specifically at which point ‘personal data’ becomes ‘special category data’. For example, knowing that one of your employees has a GP or hospital appointment will not in isolation tell you anything about that individual’s health, but if they were to tell you that they were going to see an osteopath or chiropractor, that would constitute special category data. Another example is that a name in itself would not constitute special category data, even though many surnames are associated with a particular ethnicity or religion. However, if you are using names to target a specific service at a specific ethnicity or religion, you would then be deemed to be processing special category data. This underlines the already established principle that how data is used, and the purpose for which it is processed, is a relevant factor in determining how that data should be classified.

  • Inferences

The Guidance confirms that inferences can constitute special category data, but only if you can infer the relevant information with a “reasonable degree of certainty” (even if it isn’t a cast-iron guarantee). This appears to be a subjective test, and in practice controllers will likely need to arrive at considered, risk-based conclusions about whether or not there is sufficient certainty that special category characteristics can be inferred from particular data elements.

Key takeaways – Conditions for processing special category data

  • Reliance on the ‘employment, social security and social protection law’ basis for processing (article 9(2)(b)).

The Guidance provides advice for HR teams that are looking to rely on article 9(2)(b) as their basis for processing. The Guidance clarifies that a ‘legal obligation’ can refer to a legal provision or to an appropriate source of advice or guidance that sets out a clear obligation on employers; this includes a government website or industry guidance. Consequently, in line with previous advice on what constitutes a “legal obligation” for article 6(1)(c) purposes, the Guidance makes it clear that it is not necessary to find a specific statutory provision which requires personal data processing; rather, it is about satisfying yourself that processing special category data is a reasonable and proportionate way of meeting specific rights or obligations which apply to employers. However, note that if you are relying on this processing basis, you must have an appropriate policy document in place (see below).

  • Reliance on the ‘legal claims and judicial acts’ basis for processing (article 9(2)(f)).

Interestingly, the Guidance offers a potentially broad interpretation of this condition: it is not limited to current legal proceedings, but includes processing necessary in the context of ‘future legal claims’. It provides the example of a hairdresser conducting a patch test on a client to check that they will not have an allergic reaction to the hair dye, and thereby to defend against potential personal injury claims from that client. This may open the door for other businesses to rely more heavily on article 9(2)(f); for example, a food takeaway business that collects allergy information about its customers may now be able to rely on article 9(2)(f) to defend against future claims relating to allergic reactions.

  • Reliance on the ‘archiving, research and statistics’ basis for processing (article 9(2)(j)).

The Guidance confirms that not all research is covered by this condition: to rely on it, you would have to demonstrate that the research is scientific or historical in nature, and in the public interest. The Guidance does not rule out that commercial activities may be able to rely on this basis, stating that commercial scientific research may be covered if it can be demonstrated that it uses rigorous scientific methods that advance a general public interest. However, it does state that commercial market research is unlikely to be covered (without ruling it out completely).

What should you be doing as a business?

Get the legal basis correct from the outset

The Guidance reminds organisations that the article 9 conditions are not a replacement for the lawful bases under article 6: to process special category data you must be able to rely on both an article 6 lawful basis and an article 9 condition.

It also reminds organisations that the Data Protection Act 2018 (“DPA 2018”) supplements and tailors the GDPR conditions for processing special category data. As such, if you are relying on a GDPR condition which requires authorisation by law or a basis in law, then you must also meet one of the additional conditions in Schedule 1 of the DPA 2018. The Guidance provides a helpful summary of when you will need to comply with a Schedule 1 condition, and clarifies the following:

  • Although most of the conditions depend on you being able to demonstrate that the processing is ‘necessary’ for a specific purpose, that does not mean that it has to be absolutely essential. However, the processing must be a targeted and proportionate way of achieving that purpose.
  • For some of the conditions, you need to justify why you cannot give individuals a choice and get explicit consent for your processing.

Accountability

Accountability – and being able to evidence compliance – underpins almost every provision in the GDPR. As such, it is important to:

  • Carry out a data protection impact assessment (“DPIA”) if you plan to process special category data (a) on a large scale; (b) to determine access to a product, service, opportunity or benefit; or (c) where it includes genetic or biometric data in combination with any other criterion in the European DPIA guidelines. The ICO recommends that if you’re in doubt, you carry out a DPIA.
  • Put an ‘appropriate policy document’ in place. This is a short document that outlines your compliance measures and retention policies for special category data. The DPA 2018 requires one for almost all of the substantial public interest conditions (and also for the employment, social security and social protection condition), as a specific accountability and documentation measure. The ICO has developed an ‘appropriate policy document template’ which can be found within the Guidance. The document must be retained until six months after the date on which the relevant processing stops, and organisations should be prepared to provide it to the ICO on request.
  • Ensure that you make it clear that you are processing special category data (and which categories of special category data) in your privacy notices. You do not need to say which condition you are relying on.
  • Ensure your records of processing activities are up to date, and keep a record of which processing basis (or bases) you are relying upon – and, most importantly, why you’re relying on that basis.

Jo Nevin and James Clark, DLA Piper UK LLP