The new ICO Guidance on Special Category Data was published on Thursday 14th November 2019. It is 38 pages long and detailed.

I have listed here, 5 key points of note (not a replacement for actually reading it!)

1. Why Special Category Data deserves special protection

Special Category Data is does not just merit special protection because it may be seen as more sensitive or ‘private’ but because use of this data could create significant risks to the individual’s rights and freedoms. For the first time, there is a clear list of what those rights and freedoms might be.

• Freedom of thought, conscience and religion
• Freedom of expression
• Freedom of assembly and association
• The right to bodily integrity
• The right to respect for private and family life
• Freedom from discrimination

This list will be useful in other GDPR contexts, for example when evaluating the risk to individuals following a data protection breach.

2. Help with deciding what is and isn’t Special Category Data

The guidance offers some help with deciding what is and isn’t Special Category Data so, for example, it acknowledges that details about an individual’s mental health are much more sensitive than whether they have a broken leg but stresses that both are data concerning health. This appears to be a clear rule – if it is in the list of Special Category Data it must be treated as such, regardless of the perceived lack of sensitivity.

That said, the guidance adopts a commonsense approach to the issue of letters concerning medical appointments, which has vexed many a DPO. The guidance confirms that what matters is whether the appointment letter reveals anything about the state of someone’s health saying, ’ a GP or hospital appointment in isolation will not tell you anything about a person’s health as it may be a check-up or screening appointment. However, you could reasonably infer health data from an individual’s list of appointments at an osteopath clinic or from an invoice for a series of physiotherapy sessions’

3. Going beyond the GDPR to the DPA 2018

The Guidance sets out in detail how to justify the processing of special category data, going beyond the provisions of the GDPR itself to the detailed requirements of the Data Protection Act 2018 (DPA 2018). In many cases, finding a lawful basis in articles 6 and 9 of the GDPR is not enough as further conditions in the DPA 2018 must also be met. This is a step which many organisations have overlooked or intentionally shelved, pending further guidance on the issue. This is a stance which, up to now, has been defended with a comment such as ‘well, nobody actually does that bit’. A fair comment as even the ICO did not appear to have gone that far. However, this stance has become significantly more risky, now that the ICO has published guidance on it and the ‘How were we supposed to know?’ excuse has evaporated.

4. An ‘ Appropriate Policy Document’ template

This links with point 3 but one of the conditions which the DPA 2018 specifies in some cases is the need for an ‘appropriate policy document’ and it was previously unclear exactly what that meant. The guidance clarifies and there is now a template

5. Guidance on what ‘Legal Claims ‘ means

One of the Article 9 bases for processing special category data is for when the purpose of the processing is to establish , exercise or defend legal claims. Until now, lawyers have been unsure of how narrowly or widely this should be construed. From the guidance, the answer seems to be very widely indeed. It says, ‘Legal Claims in this context is not limited to current legal proceedings. It includes processing necessary for:
• actual or prospective court proceedings
• obtaining legal advice; or
• establishing, exercising or defending legal rights in any other way’

The guidance goes on to give an example of a hairdresser carrying out a patch test on a client to check for an allergic reaction, stating that this is covered because the purpose is fulfilling their duty of care to the client and to defend against any potential personal injury claims.