15 December, 2019
The ICO has now published detailed guidance on "Special Category Data" which provides further guidance to organisations about the use of, and safeguards to protect, special category data. A copy of this guidance can be found here - https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/special-category-data/.
The GDPR recognises that certain sensitive personal information should be treated with additional care. The GDPR states that special category data is information relating to:
The GDPR also recognises that information relating to criminal offences or convictions should also be treated with additional care.
The new guidance makes it clear that you must have a lawful basis to process special category data or information relating to criminal convictions or offences.
In order to lawfully process special category data you will need:
In order to lawfully process criminal data you will need:
Your appropriate policy document will need to outline the compliance measures you have in place to ensure special category data is processed lawful and details of the applicable retention periods which will apply to special category data.
In light of this new guidance, you should review the special category data your organisation holds and look at your lawful basis' for processing that information. If an appropriate policy document is required then you will need to review your existing policies to conclude whether or not you need another policy to cover your use of special category data.
For more information contact Daniel Milnes in our Governance, Procurement & Information department via email or phone on 01254 222313. Alternatively send any question through to Forbes Solicitors via our online Contact Form.