Special category data is data which requires a higher level of protection under the UK’s General Data Protection Regulation (GDPR). Organisations dealing with this type of data need to make sure they process it appropriately and have stronger security standards. Many of the special categories overlap with the protected characteristics, but they are not exactly the same.
What types of data are covered by special category data?
Special category data involves any data which relates to any of the following eight categories:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic data
- Biometric data (where used for identification purposes)
- Health data
- Sex life and/or sexual orientation
What do these terms mean?
Most of these terms are self-explanatory. However, further guidance is offered on the definition of certain categories. In particular, the act highlights the difference between genetic data, biometric data and health data.
The act defines genetic data as:
‘Data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question’.
This basically means data about the unique genetic makeup of a person. It does not mean the DNA sample itself: a sample can only give rise to special category data once it has been analysed. If the data has been anonymised, it is not considered special category data.
Similarly, the act further defines biometric data:
‘Personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic (finger-print recognition) data.’
This means any data that can be used to identify a person. Types of biometric identification include facial recognition or fingerprint recognition. Many banks now employ voice recognition software as part of their two-factor authentication. Equally, almost all modern mobile phones use fingerprint recognition. This is considered special category data. More examples include:
- Iris scanning
- Ear shape recognition
- Gait analysis
- Signature analysis
- Keystroke analysis
The act also includes a definition of health data, to separate it from these two other categories:
‘Personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.’
This includes data relating to injury, disease, or disability. It covers any contact the individual has had with the health services such as diagnosis, examination or advice.
What counts as special category data?
In the UK, special category data is any data linked to these categories. We’ve used the word ‘related’ a lot in this article and this is an important part of special category data to remember. It can be anything which reveals or concerns the details of the categories.
However, there are limits to this. You might be able to infer someone’s religion from their name, but the accuracy of this is questionable. This does not count as special category data. Therefore, it depends on how the data is being used. If it is used to draw a distinction between different groups, then it does count.
What does special category data mean for organisations?
Organisations must ensure their process for dealing with special category data is legal and effective. Explicit consent that is active and constant must be obtained. The company must only process special category data when it is necessary for them to do so. They must also ensure that appropriate safeguards are in place.
Convene’s software is fully GDPR compliant and equipped to deal with special category data. Conceived to ensure the best governance principles, our comprehensive solution allows you to make faster, more informed decisions. The software is designed to protect top-level data with AES 256-bit standard encryption.