Sensitive personal data (termed "special categories of personal data" in Article 9 of the GDPR) is treated as higher risk. All personal data must be protected, but certain categories of personal data present a greater risk to the data subject if they are mishandled. These categories are listed in the regulation, and where they are processed the regulation requires that additional safeguards are placed around that processing.
Types of Sensitive Personal Data
The data deemed special category data under Article 9(1) comprises:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic data
- Biometric data, where processed for the purpose of uniquely identifying a natural person
- Data concerning health
- Data concerning a person's sex life or sexual orientation
Mishandling of this type of data can cause additional harm to the data subject: for example, it may lead to discrimination or embarrassment, or expose the individual to blackmail or extortion.
To process special categories of personal data an organisation needs, in addition to a lawful basis under Article 6 (which applies to all personal data), a separate condition under Article 9(2). Both must be satisfied; an Article 9 condition does not replace the Article 6 lawful basis.
Lawful Basis for Sensitive Personal Data
At least one of these Article 9(2) conditions must also be met:
- Processing is required for carrying out obligations under employment, social security or social protection law, or a collective agreement
- Processing is required to protect the vital interests of a Data Subject or another individual where the Data Subject is legally or physically unable to give consent
- Processing carried out by a not-for-profit body with a philosophical, religious, political or trade union aim, provided the processing relates only to members or former members (or those who have regular contact with it regarding those purposes) and provided there is no disclosure to a third party without consent
- Processing relates to personal data manifestly made public by the Data Subject
- Processing is required for the establishment, exercise, or defence of legal claims or where courts are acting in their judicial capacity
- Processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which is proportionate to the aim pursued, respects the essence of the right to data protection and provides suitable and specific safeguards
- Processing is required for the purposes of preventative or occupational medicine, for evaluating the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or management of health or social care systems and services on the basis of Union or Member State law or a contract with a health professional
- Processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or guaranteeing high standards of healthcare and of medicinal products or medical devices
- Processing is required for archiving purposes in the public interest, or historical and scientific research purposes or statistical purposes
- Explicit consent of the Data Subject, unless Union or Member State law provides that the prohibition on processing cannot be lifted by the Data Subject's consent
Further obligations arise where the processing of sensitive data coincides with other risk factors. For example, Article 35(3)(b) lists large-scale processing of special category data as a case in which a Data Protection Impact Assessment (DPIA) is mandatory, so an activity that processes sensitive personal data on a large scale must be treated as high risk and a DPIA carried out before the processing begins.