• 3 min read

On what basis can my organisation process special category personal data?

HR concepts and personal file storage, personal information mana

In a previous article we looked at what lawful bases (i.e. legitimate reasons) organisations can rely upon to process personal data. The basic principle is that a controller must have a lawful basis to process personal data (Article 6 of the UK GDPR). However, if the personal data is special category personal data a lawful basis alone is not enough. This is because Article 9 of the UK GDPR prohibits the processing of special category personal data unless one of ten exceptions (also known as ‘conditions for processing’) apply.

The ten conditions for processing can be briefly summarised as follows:

(a) The individual has given explicit consent to the processing for one or more specified purposes

(b) Processing is necessary for employment, social security and social protection purposes (which have a basis in UK law)

(c) Processing is necessary to protect the vital interests of the individual where the individual is physically or legally incapable of giving consent

(d) Processing is carried out by not-for-profit bodies

(e) Processing relates to personal data which is made public by the data subject

(f) Processing is necessary for legal claims or where courts are acting in their judicial capacity

(g) Processing is necessary for reasons of substantial public interest (which have a basis in UK law)

(h) Processing is necessary for health or social care purposes (which have a basis in UK law)

(i) Processing is necessary for public health purposes (which have a basis in UK law)

(j) Processing is necessary for archiving, research and statistics purposes (which have a basis in UK law)

You will note that five of the conditions above state they must have a ‘basis in law’ and in the UK that means as set out in the Data Protection Act 2018 (DPA). If an organisation wishes to rely on one of these five conditions for processing special category data then the relevant requirements set out in Schedule 1 of the DPA must be complied with.

There is a lot of detail around the use of the various conditions for processing special category data which we do not have the space to include in this article but let’s look at a couple of examples of special category data processing and how that processing may be justified:

1. A logistics company wants to undertake random alcohol testing of its lorry drivers. As an employer of the lorry drivers and operator of the lorries the organisation has an obligation to ensure its drivers are safe to operate the lorries. The information relating to the alcohol tests (even negative tests) will constitute special category personal data relating to the drivers. The logistics company can rely on legitimate interests as its lawful basis for processing and its condition for processing can be (b) employment, social security and social protection. To rely on condition (b) the DPA requires that the organisation must be able to demonstrate the processing of the personal data is “necessary” and have no more personal data than it needs for its purpose. An appropriate policy document is also required (the Information Commissioner’s Office (ICO) has a template on its website which can be used). 

2. An organisation provides company cars to some of its employees and insures those vehicles. An employee suffers a medical episode while driving his company car which leads to a collision with another vehicle leaving the driver of the second vehicle injured. The collision is reported to the insurers of both vehicles and legal proceedings commence in respect of the collision. The organisation needs to provide details of the accident, which includes special category data about their employee who was driving and the medical episode that caused the accident, to their insurer and their legal advisers to get advice in relation to the legal proceedings.  The lawful basis for processing may be legitimate interests but the condition for processing can be (f) legal claims. To rely on condition (f) the DPA again requires the organisation to be able to demonstrate the processing of the personal data is “necessary”. 

When considering whether processing of personal data is “necessary” the ICO states that this “does not mean that processing has to be absolutely essential. However, it must be more than just useful or habitual. It must be a targeted and proportionate way of achieving that purpose”.

This is a complex area of data protection law and the use of special category personal data needs to be considered carefully on a case-by-case basis.

Our data protection team has many years of experience in advising organisations on their compliance with UK data protection law. To speak to one of the team you can get in touch here or call us on 0800 2800 421

If you have not received this article directly, but would like to receive articles and data protection news alerts from Trethowans, please email [email protected].

Answers are just a click away

Make an enquiry