Due to its sensitive nature, special category data poses an increased risk to the rights and freedoms of data subjects if it is processed unlawfully, lost, corrupted or disclosed without authorisation. As such, it requires additional protection and care to manage. Like all personal data, special category data should only be processed when necessary, and should never be collected ‘just in case’ or if you could achieve your aims without it. But even if you decide not to process special category data, might you be doing so without knowing it?
What is special category data under the GDPR?
The UK General Data Protection Regulation (UK GDPR) classifies the following types of personal data as potentially more sensitive and provides them with additional protection:
- Personal data revealing racial or ethnic origin
- Personal data revealing political opinions
- Personal data revealing religious or philosophical beliefs
- Personal data revealing trade union membership
- Genetic data
- Biometric data (where used for identification purposes)
- Data concerning health
- Data concerning a person’s sex life
- Data concerning a person’s sexual orientation.
Generally, this type of personal data is called ‘special category data’. The UK GDPR explains that these types of personal data merit specific protection and must be handled with greater care, as the use of this data could create significant risks to an individual’s fundamental rights and freedoms or potentially expose them to discrimination. This is part of the risk-based approach of the UK GDPR.

Whilst other data may also be sensitive, such as an individual’s financial data, this does not raise the same fundamental issues and so does not constitute special category data for the purposes of the UK GDPR. And, while data about criminal allegations or convictions may raise some similar issues, it technically does not constitute special category data (although it is covered by separate, similar rules in the UK).
To process any personal data, you need to identify a lawful basis under Article 6 of the UK GDPR. For special category data you also need to identify a separate condition for processing under Article 9, in addition to the Article 6 basis.
In fact, Article 9(1) prohibits the processing of special category data altogether, while Article 9(2) sets out ten exceptions to this general prohibition, usually referred to as ‘conditions for processing special category data’:
- Explicit consent
- Employment, social security and social protection (if authorised by law)
- Vital interests
- Not-for-profit bodies
- Made public by the data subject
- Legal claims or judicial acts
- Reasons of substantial public interest (with a basis in law)
- Health or social care (with a basis in law)
- Public health (with a basis in law)
- Archiving, research and statistics (with a basis in law).
Five of the conditions only apply if your processing has an authorisation or basis in law. In the UK, the additional conditions that supply that basis are set out in the Data Protection Act 2018 (DPA 2018), principally in Schedule 1.
Most of the Art. 9.2 conditions depend on you being able to demonstrate that the processing is ‘necessary’ for a specific purpose. This does not mean that processing needs to be absolutely essential, but it must be more than just useful or habitual. It must be a targeted and proportionate way of achieving that purpose.
The condition does not apply if you can reasonably achieve the same purpose by some other less intrusive means – in particular, if you could do so by using non-special category data. There is a link here to the UK GDPR’s data minimisation principle (which requires that you only collect the minimum personal information that you need) that you should consider carefully for special category data.
The Information Commissioner’s Office (ICO) says that it is not enough to argue that processing is necessary because it is part of your organisation’s particular business model, processes or procedures, or because it is standard practice. The question is whether the processing of the special category data is, as mentioned, a targeted and proportionate way of achieving the purpose described in the condition.
Because processing must be necessary, and because additional measures must be taken to protect special category data, it is vital to avoid collecting special category data wherever possible. Furthermore, the purpose limitation and data minimisation principles prevent you from collecting special category data ‘just in case’ it might be useful in the future: you must have a specified purpose at the point of collection, and collect only what that purpose requires.
What does Guidance from the ICO say about inferring special category data?
ICO guidance confirms that special category data includes not only personal data that specifies relevant details, but also personal data revealing or concerning these details.
If the information itself does not clearly reveal or concern something about one of the special categories, it may still be possible to infer details about someone that do fall within those categories. For instance, you may be able to infer an individual’s religion or ethnicity from their name or images of them, as many surnames or modes of dress can be associated with a particular ethnicity or religion.
However, you do not have to treat all such names or images as special category data in every instance. The ICO guidance states that inferred data counts as special category data and triggers Article 9 if:
- Your processing intends to make an inference linked to one of the special categories of data; or
- You intend to treat someone differently on the basis of inferred information linked to one of the special categories of data.
Are there any judgements which help us understand this issue?
There have been a number of judgements in the Court of Justice of the European Union (CJEU) that relate to the processing of special category data. Whilst the UK is no longer in the EU, the CJEU’s judgements still provide guidance to help us understand the issue and how special category data can be inferred or collected inadvertently.
For example, a recent CJEU judgement (C-21/23) involved an online pharmacy which sold pharmacy-only medicines through Amazon and had collected the customer’s name, address and the medicine they ordered, from which details of the customer’s health could be inferred.
The CJEU held that the information customers enter when ordering pharmacy-only medicines online is health data under the GDPR, even where the medicine does not require a prescription and the organisation processing the data did not intend to process health data. The purchase information is health data regardless of whether the medicine is for the purchaser or another person, whether the information is accurate, or whether the controller intends to draw any conclusion about health from it.
This conflicts with the ICO guidance described above, under which inferred data only counts as special category data if the controller intends to make the inference or to treat someone differently on the basis of it.
A further CJEU case (C-184/20) involved a Lithuanian law which required a director of an establishment receiving public funds to publish their interests in a register, which should include the name of the director’s spouse, cohabitee or partner. It was argued that from this, the director’s sexual orientation could be inferred.
The CJEU considered the difference in wording between data ‘revealing’ a special category and data ‘concerning’ one, and held that it does not narrow the scope of Article 9. The publication on a public website of personal data that is liable to disclose indirectly the sexual orientation of a person constitutes processing of special category data. The relevant question is not whether the data is explicitly about a special category, but whether it reveals or discloses one.
How could you collect special category data inadvertently and how can you avoid it?
These CJEU cases demonstrate how collecting personal data may also provide you with the ability to infer or disclose special category personal data, whether this is intended or not. You may not mean to collect special category data, but it can be collected directly or inadvertently, or be inferred from other data you collect. Here are some of the ways you may unintentionally collect special category data, and how each should be handled:
- Customer surveys that include a free text box which could be used by respondents to provide special category data about themselves. Even if surveys are anonymous, free text boxes can be used by respondents to identify themselves and provide other information such as contact details or health data, or to disclose disabilities.
If you are conducting staff or customer surveys, try to ensure that they are demonstrably anonymous – you’ll get more honest feedback, a better response rate and more accurate outcomes from the survey anyway. Avoid using free text boxes if you can, not least because the data they hold is difficult to analyse quantitatively. If you must use them, delete any identifying information or special category data they reveal as the first step of processing once the survey has closed, before the responses are shared or analysed.
- Call centre recordings can capture special category data volunteered by the caller during a call. It is then difficult and time-consuming to go back through recordings to locate and delete any special category data collected inadvertently.
If you are operating a call centre, depending on the nature of your organisation, you may wish to include in your recorded call centre greeting a request for people not to share sensitive information with the call handlers. If a call does contain irrelevant special category data, the call handler must be able to flag the call as one which may need to be deleted or edited.
- Event catering often includes requests for dietary information that could inadvertently disclose a person’s health or religion.
If you are catering for an event, try to collect only the numbers of certain types of specialist catering rather than assign preferences to an individual. This may not be possible, but ensure that you don’t retain the information for longer than is necessary – for example, delete it immediately after the event.
- Photographs of staff, customers or attendees at events could identify individuals with disabilities or who are wearing traditional or religious clothing or symbols. A photograph of a wedding could disclose the sexual orientation of the married couple.
When your organisation takes and uses photographs, try to obtain consent or a model release wherever possible and always honour people’s wishes not to be photographed. The UK GDPR is fairly silent on photography; however, Recital 51 states that photographs should not systematically be considered special category data, because they are biometric data only when processed through specific technical means that allow unique identification of an individual, such as facial recognition. But as we have discovered, a photograph can still disclose, or be used to infer, special categories of data such as racial or ethnic origin, health, religion or sexual orientation, and it should be treated as special category data where that is the intended or likely effect of the processing.
A final thought
Three of the most effective ways to prevent inadvertent collection or processing of special category data are training, awareness and culture. Your staff need to be aware of the implications of their actions and to know when to ask for specialist data protection support. It is no coincidence that the majority of issues occur in organisations which ignore retention and disposal, keep data ‘just in case’, or have a culture of reusing personal data for new purposes without considering the implications. As such, compliance with the storage limitation, data minimisation and purpose limitation principles of the UK GDPR will do much to ensure that you are also compliant in your processing of special category data, or that you are able to avoid processing it altogether.
How URM can Help
With 20 years of experience in helping organisations to achieve and maintain data protection compliance, URM is ideally placed to provide data protection consultancy that enables your organisation to do the same. Our team of experts can offer a range of services to help your organisation maintain GDPR compliance. For example, we can conduct a GDPR gap analysis of your current processing practices to identify the areas in which you are and are not currently meeting the Regulation’s requirements. If your organisation receives data subject access requests (DSARs), we can also provide DSAR support in the form of our redaction service, whereby our experts apply the necessary exemptions and redactions to ensure the request is responded to in full compliance with the Regulation. For help with key compliance documentation, we can assist you to complete your records of processing activities (RoPA), data protection impact assessments (DPIAs) and data transfer impact assessments (DTIAs). Or, for ongoing support, URM can offer a virtual data protection officer (vDPO) service, which provides you with access to an entire team of DP practitioners, each with their own specialised area of GDPR consultancy.
If you would like to enhance your own understanding of the GDPR and the UK data protection landscape in general, URM regularly delivers a range of data protection-related training courses – all of which are led by a highly qualified and experienced data protection practitioner. Our courses on conducting DTIAs, DPIAs, and on responding to a DSAR will provide you with all of the knowledge and skills necessary to perform these key compliance activities when you return to your workplace. Meanwhile, to gain an industry-recognised DP qualification, we also deliver the BCS Foundation Certificate in Data Protection (CDP) course, which will fully prepare you to take the BCS-invigilated exam.