Special category data is personal data that is particularly sensitive and therefore requires more protection under the law.
Special category data includes personal information about a person's:
In particular, this type of data could create more significant risks to a person’s fundamental rights and freedoms, for example by putting them at risk of unlawful discrimination because of sexual orientation or religious belief.
There is stronger legal protection for special category data, which means that it can only be processed in more limited circumstances.
There are separate safeguards for personal data relating to criminal convictions and offences. We will explore these principles further in this course.
When are you allowed to process special category data?
In order to process special category data you need to meet certain legal conditions. These are listed in the relevant Laws as Articles or placed in a Schedule. They are all broadly the same in each law, so in GDPR they are:
(a) Consent: The data subject has given explicit consent to the processing of their personal data for one or more specified purposes.
(b) Employment & Social Security: Processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security.
(c) Vital Interests: processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;
(d) Not-for-Profit Organisation: processing is carried out in the course of the controller's legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects;
(e) Public Function: processing relates to personal data which are manifestly made public by the data subject;
(f) Legal Defence: processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;
(g) Public Interest: processing is necessary for reasons of substantial public interest, which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject;
(h) Medical Purposes: processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems.
(i) Public Health: processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices.
(j) Research: processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.
What is important to remember is that everything relating to a natural living person that can identify them, whether that is a single piece of data (a name) or separate data when put together (Christian name and Date of Birth), is personal data. Personal data will include health data, race, sexual orientation etc., but this type of data is categorised in Law as ‘Special Category’, which requires more security to protect it and safeguards in place when processing.
It also reflects the significant harm if data is disclosed inappropriately. If my name and postcode, for example, were hacked from a database, it is not going to cause me harm, so it would be a minor breach of the law. If, in addition to that data, some medical information came out about me, the harm caused could be significantly increased, so the breach would be serious.
That is why we have two levels of ‘Personal Data’: the ‘Special Category’ data needs more protection.