I want to process special category data (sensitive personal data)
It is sometimes necessary to process sensitive personal data referred to as ‘special category’ by the UK GDPR. As this type of personal data is sensitive information about people, additional care must be taken to manage the data and protect their privacy.
Using sensitive personal ‘special category’ data, at a glance...
This ‘how to’ guide explains the steps you need to follow to build in the extra safeguards needed to ensure sensitive special category information is handled safely and legally according to data protection law. These steps are summarised at a glance here:
If you are planning to use sensitive personal data, it’s important you ensure you have completed the mandatory information security training within the last two years.
What is personal data?
‘Personal data’ means any data or information relating to an identified or identifiable living person. It includes objective information (name, date of birth), and subjective information (opinions, beliefs). Examples of personal data include, a home address, sex, an email address (work and personal), location data e.g., location data held on mobile phones, an Internet Protocol (IP) address, images, and voice recordings.
A person can become identifiable directly or indirectly, by reference to an identification number (staff or student ID), or by combining one or more factors that are specific to their identity (physical, genetic, economic, cultural, or social identity).
Some personal data should be treated with greater care, if the context of its use could create significant risks, interfere with individuals’ fundamental rights, or subject someone to discrimination. Whilst the information may not fall under the definition of ‘special category’ data, it might still be highly sensitive. If you have any concerns, it might expose a person to harm, consider the possible risks associated with its use and put in place additional safeguards equivalent to special category data. For example, using personal data relating to gender identity or children’s personal information.
What does ‘processing’ mean?
Almost anything you do with personal data will involve ‘processing’ it, this includes its collection, recording, storage, alteration, analysis, use (including as a mailing list), sharing, erasure, or destruction. If you are considering doing any of these things, you must read on.
What is ‘special category data’?
There is some personal data that by its nature is considered more sensitive. Special category data is data that reveals a person’s:
- Racial or ethnic origin,
- Political opinions,
- Religious or philosophical beliefs,
- Trade union membership,
- Genetic data,
- Biometric data,
- Health data (mental and physical),
- Sex life,
- Sexual orientation.
Special category data is data or information that reveals sensitive facts about a person, and the sensitive nature of the information means there is a greater risk that it’s collection and use might cause an individual actual harm.
The Data Protection Act defines data concerning health as personal data relating to the physical or mental health of an individual, including provision of health care services, which reveals information about their health status. For example, any information about injury, disease, pregnancy, disability status, and mental health.
Personal data relating to children (anyone under 18) is not categorised as special category data. However, the data you process about a child may fall under ‘special category’ rules. In addition, the UK GDPR requires that extra care be taken when processing it.
Personal data about criminal records and proceedings is not special category data. However, there are similar rules about processing it.
The Equality Act 2010 identifies nine protected characteristics in relation to personal data, but these do not map neatly onto the types of personal data as defined in the UK GDPR. Find out more information and see a comparison of both at the link below.
Why is ‘special category data’ special?
You should avoid processing special category data (sensitive personal information) or data where extra care is required, where at all possible, it should only be collected and used if it is necessary.
If it is necessary to process special category data, by law you need to take additional care to protect the data (to safeguard the person it relates to). The collection and use of this data could create significant risks to the person’s rights and freedoms. For example, it could accidentally or unintentionally expose someone to discrimination or harm.
Because of the sensitivity of special category data, and the risks involved in processing it, the UK GDPR and Data Protection Act (2018) put in place specific circumstances in which it can be processed, otherwise its use is not allowed.
The consequences of unlawful processing or misuse of this sensitive personal data could have far-reaching and severe consequences for the individual’s safety, it might also damage the University’s reputation, erode trust in the institution, and result in legal action or financial penalties being taken.
What does all this mean if I need to process special category data?
Before you process sensitive ‘special category’ personal data there are a number of steps you must complete, these are not optional, they ensure your use of special category data is legal and are designed to protect the individuals whose sensitive personal information you plan to use. You must be able to:
1. Confirm you have completed mandatory information security training provided by the University
You are required to complete the Loughborough University information security training every two years. Due to the risk associated with processing special category data, all staff and doctoral researchers must confirm they have completed the training within the last two years. If you do not know how to check your training record, your Data Co-ordinator will be able to assist.
2. Demonstrate it is necessary
You must be able to clearly explain the purpose you need to use sensitive personal data for, the outcomes you aim to achieve, why it is essential to process it, and confirm you have considered and found no other way you could achieve the outcome without using special category data. It must be more than ‘just useful’ or ‘because it’s always been done’. If you have not yet explored other ways to achieve the outcome without using special category data, you must do this before proceeding further.
To assist you, here is a Necessity Test template:
3. Clarify your Lawful Basis for processing
To process personal data, you must have a justifiable legal reason for processing it, known as a lawful basis. The UK GDPR sets-out six lawful bases to choose the most appropriate one from. Because of the sensitivity and additional risks associated with processing special category data, the UK GDPR puts in place further restrictions on its use. In addition to selecting a lawful basis, you must also identify a condition of processing, there are 10 conditions to select from. Be aware that some conditions of processing rely upon additional requirements set out in the Data Protection Act (2018).
If you are unable to find an appropriate lawful basis and a condition of processing, you cannot legally process special category data.
To process personal data → pick one lawful basis
To process special category data → pick one lawful basis + one condition of processing
|Lawful Basis (UK GDPR, Article 6)||Condition of processing (UK GDPR, Article 9)|
|Performance of a contract||Obligation in employment, social security, and social protection law*|
|Legal obligation||Protect vital interests of a person|
|Protect vital interests of a person||Legitimate activity of a body with a political, philosophical, religious or trade union aim|
|Task in the public interest||Personal data manifestly made public by the individual|
|Legitimate interest||Substantial public interest based on UK law*|
|Health or social care (with a basis in law)*|
|Purposes of preventative or occupational medicine|
|Archiving purposes in the public interest, scientific or historical research or statistical purposes in accordance with UK law*|
Where a condition of processing includes an * = also refer to the Data Protection Act, Schedule 1
You must take care to select the most appropriate options, as conditions will apply to how the data can be used, and once a lawful basis and condition of processing has been selected, it may be unlawful to change it retrospectively, it may mislead the people whose data you are working with.
When is consent the best option?
If you are processing personal data, consent is often not the most appropriate lawful basis because individuals have the right to change their mind, meaning you must remove their personal data. However, if you are processing special category data, explicit consent is often the best condition of processing, it gives individual’s the greatest control over how their sensitive personal information is used.
To find out more about selecting the most appropriate lawful basis and condition of processing:
4. Identify and manage any risks associated with processing special category data
You need to consider and document any risks associated with processing the sensitive personal data you are planning to work with, along with your plans for either reducing or removing such risks.
If you cannot manage a risk, you must also consider if it is safe and appropriate to continue.
You should look for ways in which you can ‘bake-in’ safeguards to protect the data and individuals it concerns. Evaluate:
- Are the risks associated with processing the data, proportionate to the purpose of the activity you want to use sensitive information for?
- Have you limited the sensitive personal data to the very minimum necessary to complete the purpose you are using it for?
- Do you need additional security measures to keep safe the sensitive information you are using, and protect the individuals whose personal data you are processing?
If you are planning to use special category data, the University requires that you complete a Data Protection Impact Assessment (DPIA), this is a legal requirement for any processing that is likely to be high-risk.
Potential risks you might encounter, include:
- Excessive collection or unjustifiable use of personal data (including special category data),
- Unauthorised / unlawful processing, accidental loss, destruction, or damage to personal data,
- Use of data beyond individuals’ reasonable expectations (lack of transparency around what, why, and how personal data will be used,
- Use or storage of inaccurate or outdated personal data,
- Unjustifiable unauthorised access, transfer, sharing or publishing of data; and
- Individuals feel a loss of control over what information is collected.
You can find out more about completing a DPIA and use the University template below:
5. Publish information about the processing, so people know what to expect
The UK GDPR requires that personal data is processed lawfully, fairly and in a transparent manner. This means you must tell people what you are doing with their personal and sensitive personal data. They have the right to know why you need it, what you will do with it, and who you will share it with. These factors will have been considered as part of the Data Protection Impact Assessment, and publishing information about them will assist individuals should they wish to exercise their rights in relation to how the University uses their personal data.
The University already publishes information about how it uses personal data in privacy notices. If the type of processing you are planning to do is already covered by an existing privacy notice, you may refer individuals to the appropriate information. Alternatively, it might be possible to amend an existing privacy notice to add a new processing activity, at the discretion of the relevant Data Owner. For example, the student privacy notice is reviewed on an annual basis. If your processing activity is new or unique, you will need to produce a new privacy notice to tell people how you will use their personal data.
The University has published a ‘Policy on processing special categories of personal data and criminal offence data’ contained in appendix 5 of the Loughborough University Data Protection Policy. The purpose of the policy is to guide individuals on how they may exercise their right to request the University stops processing their sensitive personal information if it is using ‘substantial public interest’ as the condition for processing their special category data. We are legally required to publish this information.
6. Keep records of processing special category data in the Data Asset Register
The University must document and keep a record of all processing activities involving personal data, this includes special category data, we must do this to comply with the UK GDPR. In the University this record is known as the Data Asset Register and maintained by your Data Co-ordinator.
What about anonymous data?
Before sensitive personal data is processed, care should be taken to manage the risks of re-identification and the possible consequences of the disclosure. Whilst it can be difficult to completely anonymise personal data, it is considered anonymous if:
- Information does not relate to an identified or identifiable person; or to
- personal data where the individual is no longer identifiable.
Anonymisation is a process that attempts to prevent the identification of individuals from a specific data set either by permanently substituting or deleting personal data. If a person can no longer be identified because their personal data has been made anonymous, it is not subject to data protection law.
Data protection law applies only to information concerning an identified or identifiable person. If they can be identified, their identity inferred, or attributed to, using additional information, their personal data is not regarded by the UK GDPR as anonymised. For this reason, pseudonymised data (where a unique identifier is used to disguise the personal data but can be tracked back using a key) is categorised as personal data.
If the risk of identification cannot be completely resolved, consider if it is possible to mitigate its impact by using techniques such as rounding up numbers of individuals within a specific category, or redefining categories e.g., re-grouping age ranges. If this is not possible, or individuals remain identifiable, revisit your data protection impact assessment and reassess if it is safe and appropriate to continue.