Before we address the issue of whether your organisation holds special category data, we’d better start with what special category data actually is.
What is Special Category Personal Data?
Special category data is information about an individual which is particularly sensitive. This includes personal information, such as:
- race or ethnic origin
- political opinions
- religious or philosophical beliefs
- trade union membership
- genetic data
- biometric data for the purpose of uniquely identifying someone
- physical or mental health
- sex life or sexual orientation
Further regulations apply to information that relates to an individual’s criminal convictions and offences.
What Sort of Organisations Hold Special Category Personal Data?
All sorts of organisations hold this kind of information. If you are an employer, you may have information about your employees’ trade union membership or about their health, such as sick leave. Obviously, if you work in the health industry, whether that be in a hospital where major operations are carried out or a beauty salon providing eyelash extensions, your organisation will hold special category information about your clients. Many other industries also hold large amounts of this kind of data.
What Are Your Responsibilities if You Hold Special Category Personal Data?
Firstly, because this data is particularly sensitive you must have both a lawful basis and a separate condition for processing this data under the General Data Protection Regulation (GDPR). Some of the conditions are:
- You have the individual’s explicit consent
- The individuals are incapable of giving consent and it is in their vital interest
- It is necessary to establish, exercise or defend of legal claims or the courts are acting in their judicial capacity
There are 10 conditions – these are just a few examples.
You should determine your condition(s) for processing special category data and very clearly document it in order to comply with the GDPR.
Do You Need Additional Security if You Hold Special Category Data?
This data must be kept secure. The ICO recommends a layered approach to data security. For example: locked and alarmed buildings; locked filing cabinets; locked computers; encrypted files; strong passwords which change regularly. A Data Protection Professional can advise on the security measures you should take.
Is the Retention Period for Special Category Data Different?
The GDPR says that you should only keep personal information and special category personal data for as long as necessary for the purpose of processing. This means that the retention periods vary and depend on the type of data and why you are processing it. For example, personal data collected in relation to the performance of a contract is often retained for 6 years, whereas personal data relating to births is retained for 25 years. It is important to have a retention schedule setting out the different types of data you hold, and what the retention period is for each type.
What Are the Penalties for a Special Category Data Breach
The penalty for a data protection breach depends on which Article of the GDPR has been breached. However, if the breach involves this type of data then the ICO may treat your organisation more harshly, and issue a higher penalty. These kinds of breaches can also have a negative effect on reputation.
If you are unsure whether you hold this type of data or worry that you may not be adhering correctly to the GDPR contact the Data Privacy Advisory Service at dpas.gsl.media
You can also find out how we help companies like yourself in managing your special category date by reading our case study.