What is sensitive data?
Technically called "special category data" by GDPR, sensitive data is personal data which the GDPR treats as more sensitive than "standard" personal data and requires data controllers and processors to protect more carefully.
Special categories of data include:
(ii) ethnic origin;
(v) trade union membership;
(vii) biometrics (where used for ID purposes);
(ix) sex life; or
(x) sexual orientation.
In order to lawfully process special category data, a controller must identify both a lawful basis and a separate condition for processing special category data. These do not have to be linked.
There are ten conditions for processing special category data set out in the GDPR itself.
The condition for processing sensitive data must be identified before the controller starts processing special category data, and this information must be recorded. Often this will be set out in the data protection impact assessment.
Special category data is very similar to the concept of sensitive personal data under the Data Protection Act 1998. The requirement to identify a specific condition for processing this type of data is also very similar.
However there are several changes introduced by GDPR:
(i) GDPR includes genetic data and some biometric data in the definition of special category data;
(ii) special category data does not include personal data relating to criminal offences and convictions. However, there are separate provisions relating to this information.
The Data Protection Bill (which will become the Data Protection Act 2018) will set out detail on the conditions for processing special category data.
A controller must have a lawful basis for processing special category data, in the same way as for any other personal data. However, in addition, the controller will also need to satisfy a specific condition under Article 9 of GDPR.
The choice of lawful basis does not dictate which special category condition must apply, and vice versa. For example, if a controller uses consent as its lawful basis, it is not required to use explicit consent for special category processing. A controller should choose whichever special category condition is the most appropriate in the circumstances.