Personal Data vs Special Category Data
Posted: August 29, 2021
Understanding the nuances between different types of data is essential for compliance and effective data management. Personal data, as defined by the ICO, includes any information related to natural persons who can be identified directly or indirectly. This broad category also encompasses special categories of personal data and data related to criminal convictions and offences, which are considered more sensitive and are subject to stricter processing conditions.
Special category data is a subset of personal data that includes highly sensitive information about individuals. Due to its sensitive nature, there are stricter limitations on how this data can be collected, stored, and processed. This blog will explore:
- The differences between personal data and special category data
- The specific protections required for special category data
- The conditions under which it can be processed
Understanding these distinctions is crucial for ensuring compliance with data protection regulations and safeguarding individuals’ rights and freedoms.
Personal data encompasses information related to natural persons who:
- Can be identified directly from the information in question, or
- Can be indirectly identified from that information when combined with other data.
This category also includes special categories of personal data and data related to criminal convictions and offences, which are deemed more sensitive and are subject to stricter processing conditions.
Special category data is a subset of personal data that includes more sensitive information about individuals. Due to its sensitive nature, there are stricter limitations on how this data can be collected and stored.
Is personal data the same as special category data?
Special category data generally refers to a sub-section of personal data. This includes:
- personal data revealing racial or ethnic origin;
- personal data revealing political opinions;
- personal data revealing religious or philosophical beliefs;
- personal data revealing trade union membership;
- genetic data;
- biometric data (where used for identification purposes);
- data concerning health;
- data concerning a person’s sex life; and
- data concerning a person’s sexual orientation.
We refer to this as ‘special category data’.
The majority of the special categories are not defined and are fairly self-explanatory. However, specific definitions are provided for genetic data, biometric data and health data.
What is special category data?
Special category data isn’t just more sensitive or private; it requires specific protection under the UK GDPR. This is because using this data can pose significant risks to an individual’s fundamental rights and freedoms. These categories are closely linked to:
- Freedom of thought, conscience, and religion
- Freedom of expression
- Freedom of assembly and association
- The right to bodily integrity
- The right to respect for private and family life
- Freedom from discrimination
The UK GDPR presumes that special category data needs greater care because its collection and use are more likely to interfere with these fundamental rights or expose someone to discrimination. This is part of the GDPR’s risk-based approach.
While other data, like financial information, can also be sensitive, it doesn’t raise the same fundamental issues and thus isn’t classified as special category data under the UK GDPR. Similarly, data about criminal allegations or convictions, although sensitive, is governed by separate rules.
It’s also important to note that some protected characteristics under the Equality Act, such as race, religion or belief, and sexual orientation, are classified as special category data. This may also include disability, pregnancy, and gender reassignment, as they can reveal health information.
Special category data is broadly defined and can include information that might not seem particularly sensitive. For example, details about an individual’s mental health are likely more sensitive than whether they have a broken leg, but both are considered health data. Given the potential risks to fundamental rights, it’s crucial to identify any special category data and handle it with care, even if it doesn’t seem particularly sensitive.
What are the conditions for processing special category data?
Processing special category data requires meeting specific conditions under UK GDPR and the Data Protection Act 2018 (DPA 2018). The key conditions are:
- Explicit Consent: You must obtain explicit consent from the individual to process their special category data.
- Employment, Social Security, and Social Protection: Processing is necessary for carrying out obligations and exercising specific rights in the field of employment, social security, and social protection law.
- Vital Interests: Processing is necessary to protect the vital interests of the data subject or another person where the data subject is physically or legally incapable of giving consent.
- Not-for-Profit Bodies: Processing is carried out in the course of legitimate activities with appropriate safeguards by a foundation, association, or any other not-for-profit body with a political, philosophical, religious, or trade union aim.
- Public Health: Processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of healthcare.
- Health or Social Care: Processing is necessary for the purposes of preventive or occupational medicine, medical diagnosis, the provision of health or social care, or the management of health or social care systems and services.
- Archiving, Research, and Statistics: Processing is necessary for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes.
- Legal Claims: Processing is necessary for the establishment, exercise, or defense of legal claims or whenever courts are acting in their judicial capacity.
- Substantial Public Interest: Processing is necessary for reasons of substantial public interest, based on UK law.
- Criminal Convictions and Offences: Processing is necessary for reasons relating to criminal convictions and offences, but this is covered by separate rules.
When processing special category data, it’s crucial to ensure that you have both a lawful basis under Article 6 and a specific condition under Article 9 of the UK GDPR. Additionally, you must implement appropriate safeguards to protect the data and mitigate any risks to the individual’s rights and freedoms.
Getting consent
If you are processing special category data, you must still identify a lawful basis for your processing, in exactly the same way as for any other personal data. In other words, you must identify both a lawful basis under Article 6 and a condition for processing special category data under Article 9.
However, if you are relying on legitimate interests as your lawful basis, you need to take into account the particular risks associated with special category data in your legitimate interests assessment. You may need to put in place more robust safeguards to mitigate any impact or risks to the individual to demonstrate that the legitimate interests basis applies.
Understanding the distinction between personal data and special category data is crucial for ensuring compliance with data protection regulations. Businesses must implement robust safeguards to mitigate any risks to individuals’ rights and freedoms. By carefully handling special category data, organizations can ensure they respect privacy and uphold the principles of data protection.