Personal data is data which relates to a living individual, and which can be used to identify that individual. This includes names, dates of birth, addresses (postal and email), phone numbers, and even online identifiers, such as an IP address.
Personal data includes special category data, which is considered more sensitive and can only be processed in more limited circumstances.
Special category data is information revealing a person’s:
- racial or ethnic origin
- religious or philosophical beliefs
- political opinions
- trade union membership
- physical or mental health
- sexual orientation
- sex life, or
- genetic or biometric data.
The UK GDPR includes requirements as to how personal data should be gathered, processed and kept safe and secure, whether you store it in electronic files or manual filing systems. There are stricter provisions as to how special category data should be dealt with.
To process special category data, in addition to the regular lawful basis needed, a further lawful basis specific to special category data is required.
There are ten express conditions for processing special category data. The conditions include express consent, employment, social security and social protection, and legal claims or judicial acts.
Special category data can be factual or inferred data about an individual. Intentionally processing data to infer details about an individual that fall within the special categories will require one of the express conditions for processing.
Our team can guide you through the different requirements for both types of data and tell you whether you need to update your current practices.
