GDPR - special category (sensitive) data

As 25 May 2018 fast approaches and the EU General Data Protection Regulation (GDPR) comes into force, the GDPR expands data protection and refers to special category data, which the regulation says is sensitive personal data that needs more protection.

 
GP surgeries and other care providers, such as care homes, will collect and process special category data.
 
In order to lawfully process special category data you must identify both a lawful basis and a separate condition for processing such data. 
 
In the context of the health sector, the GDPR provides a wide definition of health data at Recital 35. This definition will help health professionals to determine whether the data they collect falls into this category of special data so they can ensure they have identified the correct basis and condition for processing.
 
Lawful bases are set out in Article 6 and include:
  •  Consent; 
  •  That the processing is necessary for the performance of a contract with the data subject; 
  •  Compliance with a legal obligation; 
  •  To protect the vital interests of a data subject or another person; 
  •  Performance of a task carried out in the public interest; or 
  •  For the purposes of the legitimate interests pursued by the data controller or a third party (except where such interests are overridden by the interests of the data subject).
 

What are the GDPR exceptions to health data?

 
The processing of special category data is prohibited by Article 9(1) unless one of the conditions in Article 9(2) applies. The relevant conditions that provide exceptions to this general prohibition in relation to health data include its use for preventative or occupational medicine, medical diagnosis, the provision of health or social care, treatment or the management of health or social care systems and services, or for reasons in the public interest in connection with public health. 
 
To rely on some of these conditions, the personal data must be processed by or under the responsibility of a professional subject to professional secrecy or rules established by national competent bodies.
 
The GDPR makes provision for Member States to introduce further conditions with regard to processing data concerning health (as well as genetic data and biometric data) and the Data Protection Bill 2018 (“Bill”) confirms that the condition to override the prohibition against processing special category data relating to health or social care set out in the GDPR is met if the processing is necessary for those purposes. The Bill confirms the meaning of “health or social care purposes”.
 

What special category condition under GDPR must you apply?

 
The Information Commissioner’s Office points out that your choice of lawful basis under Article 6 does not dictate which special category condition you must apply, and vice versa. For example, if you use consent as your lawful basis, you are not restricted to using explicit consent for special category processing under Article 9. You should choose whichever special category condition is the most appropriate in the circumstances – although in many cases there may well be an obvious link between the two. For example, if your lawful basis is vital interests, it is highly likely that the Article 9 condition for vital interests will also be appropriate.
 
If you have any questions about this article or would like assistance with understanding your GDPR obligations, please contact Tracey Dickens on 01206 217326 or alternatively you can email tracey.dickens@birkettlong.co.uk.

The contents of this article are intended for general information purposes only and shall not be deemed to be, or constitute, legal advice. We cannot accept responsibility for any loss as a result of acts or omissions taken in respect of this article.