A fresh guidance has been published by the UK’s Information Commissioner’s Office (ICO) on the usage of special category personal data.
The new guidance showcases the necessity for a lawful basis for processing and an appropriate policy document, which is a short official record that outlines the compliance measures and retention policies for special category data.
According to the ICO, the guidance is for the data protection officers (DPOs) and those who are responsible of specific data protection in larger organisations.
The guidance issued by the non-departmental public body has detailed special category data, including its definition, rules on the usage of the data, conditions for processing it, and the public interest conditions.
The General Data Protection Regulation (GDPR) stated that certain types of personal data are expected to be more sensitive, and are given extra protection. Included in these are personal data that reveal racial or ethnic origin, political opinions, religious or philosophical beliefs, genetic data, health, sex life, biometric data, and others.
Special category data under the GDPR is more or less identical to sensitive personal data under the Data Protection Act 1998. However, this kind of data also includes information on genetic and biometric identification.
The type of data is considered to be the most sensitive personal information a controller can process. The misuse of it is expected to interfere with the fundamental rights and freedoms of individuals and could potentially harm and damage them.
The ICO’s guidance has set out 23 significant public interest conditions under which DPOs can go ahead with processing of the data. Some of the conditions include statutory and government purposes, administration of justice and parliamentary purposes, racial and ethnic diversity at senior levels, suspicion of terrorist financing or money laundering, insurance, and others.
The ICO’s advice to DPOs reads as: “These conditions allow you to process special category data for a variety of specific purposes.
“If you are clear on your purpose for processing, it should be relatively straightforward to identify the most relevant condition(s). You then need to consider the detail of that condition carefully, and ensure you can demonstrate that it applies.”