Many organisations process what is now referred to as special category data; and depending upon the nature of their work, others will process criminal conviction data. The sensitive nature of such data has always meant that its processing was subject to more protection. But with new data protection laws now in place, have the GDPR and the Data Protection Act 2018 changed anything?
The short answer is yes. There are still additional protections in place, or “conditions” to be more precise. But the 2018 Act has added some new ones; and for many of these, the extra requirement of a written policy.
Special category data is similar to the concept of sensitive personal data under the old 1998 Act, but now includes some biometric data in the definition. Examples of special category data include race, sexual orientation, trade union membership, genetics, religion, politics, health etc. Criminal conviction data is now regarded as a separate, although similarly processed, type of data.
To process special category data you must still have a lawful basis for your processing in exactly the same way as for any other personal data. But you will also need to satisfy one of the specific conditions mentioned above.
Your choice of lawful basis for processing does not dictate which special category condition you must also apply, and vice versa. You should just choose whichever special category condition is the most appropriate in the circumstances.
To process criminal conviction data you must also have a lawful basis, but additionally, be processing the data in an official capacity, or have specific legal authorisation to do so. On the face of it, this would prevent organisations undertaking DBS checks on people working with children or vulnerable adults. However, the new 2018 Act adds a number of conditions relating to processing criminal conviction data, including in relation to employment law.
Although the GDPR itself sets out 10 specific conditions for processing special category data, the new 2018 Act specifies a large number of additional conditions. Schedule 1 of the Data Protection Act provides a full list of conditions, but some examples of these are:
- The special category data has been made public by the data subject.
- The data subject has given their consent.
- Processing of past or present member data by non-profit organisations that have a political, philosophical, religious or trade union aim.
- Complying with any employment or social security law (so perhaps to undertake a DBS check).
- Monitoring equal opportunity or treatment.
- Safeguarding children and vulnerable adults without their consent.
- Enabling the provision of confidential counselling, advice or support without the consent of the data subject.
As already mentioned, many of the conditions require the additional safeguard of a written policy. This should explain the controller’s procedures for securing compliance with the GDPR data protection principles in respect of the specific condition, and their policies as regards the retention and erasure of special category or criminal conviction data.
The Act doesn’t go in to much detail on this, so until we get some clear guidance from the Information Commissioners Office, it would seem prudent to include in such a policy:
- a description of the (special category or criminal conviction) data that is being processed,
- the reasons for processing such data,
- the processing method,
- the particular special conditions (in addition to the lawful basis) upon which you are relying in order to comply with the GDPR/Data Protection Act,
- how long the data is kept, and
- how it is destroyed/deleted.
This could either be a standalone policy, or form part of a more general data protection policy.
Of course, for any organisation that followed best practice in pre-GDPR days, none of this will be particularly onerous. For the less prepared organisation, it would be wise to accept that the GDPR was not simply a one-off event that is now behind us, but rather an opportunity to improve your practices; and ensure that going forwards, privacy is built in to all your personal data processing.