Biometric data, health, political opinions… processing sensitive personal data is restricted by the GDPR, unless you meet one of the conditions set out by the GDPR.
What is sensitive personal data
Also known as special categories of data, GDPR Recital 51 describes them as personal data which are, by their nature, particularly sensitive in relation to fundamental rights and freedoms, because the context of their processing could create significant risks to the fundamental rights and freedoms of data subjects.
Sensitive personal data pose higher risks to data subjects and therefore their processing is prohibited, unless the conditions set out by law are met.
What sensitive personal data includes
GDPR Article 9.1 establishes that personal data revealing the following information shall be deemed sensitive data:
Racial or ethnic origin
Political opinions
Religious or philosophical beliefs
Trade union membership
Genetic data
Biometric data processed for the purpose of uniquely identifying a natural person
Data concerning health
Data concerning a natural person's sex life or sexual orientation
The GDPR Article 9.1 restriction only applies to the processing of the above categories of sensitive personal data. However, as the European Data Protection Board (“EDPB”) highlights in the Guidelines on Data Protection Impact Assessment (WP248), there are other categories of data that might also be deemed sensitive because they are linked to household and private activities, because they impact the exercise of a fundamental right, or because their compromise clearly involves serious impacts on the data subject’s daily life.
Although these latter categories of sensitive data are not restricted by Article 9 of the GDPR, the risks their processing entails mean that appropriate security measures should still be considered.
Genetic sensitive data
Genetic data is defined as personal data relating to the inherited or acquired genetic characteristics of a natural person which result from the analysis of a biological sample from the natural person in question, in particular chromosomal, deoxyribonucleic acid (DNA) or ribonucleic acid (RNA) analysis, or from the analysis of another element enabling equivalent information to be obtained.
Biometric sensitive data
Biometric data means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data.
Types of biometric sensitive data
There are two types of biometric data, depending on whether they reveal physiological characteristics or behavioral characteristics.
Physiological identifiers relate to the composition of the individual and include facial recognition, fingerprints, finger geometry (the size and position of fingers), iris recognition, vein recognition, retina scanning, voice recognition and DNA matching.
Behavioral identifiers include the unique ways in which individuals act, including recognition of typing patterns, walking gait and other gestures.
For more on this topic, see the Article 29 Working Party Opinion 3/2012 on developments in biometric technologies (WP193), or Opinion 02/2012 on facial recognition in online and mobile services (WP192).
Sensitive personal data concerning health
For the European data protection framework, “data concerning health” means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.
Examples of sensitive personal data about health
As GDPR Recital 35 states, this category includes all data pertaining to the health status of a data subject which reveal information relating to the past, current or future physical or mental health status of the data subject. This includes:
- information about the natural person collected in the course of the registration for, or the provision of, health care services to that natural person;
- a number, symbol or particular assigned to a natural person to uniquely identify the natural person for health purposes;
- information derived from the testing or examination of a body part or bodily substance, including from genetic data and biological samples; and
- any information on, for example, a disease, disability, disease risk, medical history, clinical treatment or the physiological or biomedical state of the data subject independent of its source, for example from a physician or other health professional, a hospital, a medical device or an in vitro diagnostic test.
Non-sensitive data
Depending on the context of the processing, the same piece of data may be deemed sensitive personal data in some instances and non-sensitive data in others.
Take, for example, a record of an individual's weight. That data might be statistical information when it forms part of a table together with the weights of other individuals and anonymisation techniques have been applied so that the data subject can no longer be identified, or health data when it is included in a patient's record at a health centre.
A second example is found with photographs. As the GDPR Recital 51 highlights, the processing of photographs should not systematically be considered to be processing of special categories of personal data as they are covered by the definition of biometric data only when processed through a specific technical means allowing the unique identification or authentication of a natural person.
Requirements to process the GDPR special categories of data
To process special categories of data you must meet at least one of the conditions set out by Article 9.2 of the GDPR:
(a) the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject;
(b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject;
(c) processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;
(d) processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects;
(e) processing relates to personal data which are manifestly made public by the data subject;
(f) processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;
(g) processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject;
(h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3;
(i) processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy;
(j) processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.
Meeting one of the above conditions is necessary to process sensitive data lawfully, but it does not free you from the obligation to comply with the other GDPR principles of data protection, especially the principle of lawfulness.
In other words, an Article 9.2 condition on its own is not enough: you are also required to have an Article 6 legal basis for the processing and to comply with all of the data protection principles of Article 5.
Sensitive data and information security
The integrity and confidentiality principle of Article 5.1(f), together with the security obligations of Article 32, requires you to assess the risks to the rights and freedoms of data subjects and to the information itself, taking into account the confidentiality, integrity and availability of that information.
Because of their nature, sensitive personal data may have severe negative consequences for data subjects when compromised, causing them distress, significant financial loss or even putting at risk first-generation fundamental rights such as life or physical integrity.
A data breach affecting sensitive data therefore has a higher impact on the rights and freedoms of data subjects. That higher impact must be factored in when evaluating the risks and when selecting the controls to treat them.
Classification of sensitive data
Although the GDPR does not specify which controls organisations must adopt to secure sensitive personal data, these data entail higher risks to the rights and freedoms of data subjects, and one way to mitigate that risk and secure this type of data is to classify the information.
According to the ISO 27001 standard, to correctly classify information it is necessary to draft guidelines explaining how the information is to be classified and labelled. These guidelines should also describe how assets must be handled depending on their classification, including access restrictions, protection of copies, storage, declassification and destruction.
Sensitive data storage
Printed copies of sensitive personal data should be kept in a locked cabinet, and only authorised personnel should have access to them. Electronic copies warrant equivalent protection: access control and, where appropriate, encryption at rest, which Article 32.1(a) expressly lists among the possible security measures.
The GDPR principle of storage limitation also requires controllers and processors to establish retention periods, which means that sensitive personal information should not be kept for longer than necessary and data retention periods should be defined wherever possible.
Data protection officer
One of the scenarios where the appointment of a data protection officer is mandatory is where the core activities consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10.
The meaning of “large scale” was addressed by the WP29 in its Guidelines on Data Protection Officers (“DPOs”) (WP243). For that purpose, the WP29 recommends considering:
- The number of data subjects concerned, either as a specific number or as a proportion of the relevant population;
- The volume of data and/or the range of different data items being processed;
- The duration, or permanence, of the data processing activity; and
- The geographical extent of the processing activity.
Data protection impact assessment
According to the Guidelines on Data Protection Impact Assessment (WP248), endorsed by the European Data Protection Board, using sensitive data or data of a highly personal nature is one of the criteria to consider when assessing whether a data protection impact assessment must be carried out.
As the EDPB stresses, this includes special categories of personal data as defined in Article 9 and personal data relating to criminal convictions or offences as defined in Article 10. It also covers data that might be considered sensitive because they are linked to household and private activities, because they impact the exercise of a fundamental right, or because their compromise clearly involves serious impacts on the data subject’s daily life.
In any case, Article 35.3(b) of the GDPR establishes that carrying out a data protection impact assessment is mandatory whenever special categories of data, or data relating to criminal convictions and offences, are processed on a large scale.
Further restrictions to process sensitive information
Finally, Article 9.4 of the GDPR also allows Member States to introduce further conditions or limitations with regard to the processing of genetic data, biometric data or data concerning health, so local law must be observed.
For instance, Article 9 of the Spanish Data Protection Law (“LOPDGDD”) establishes that the data subject's consent alone is not sufficient to lift the prohibition on processing activities whose main purpose is to identify the data subject's ideology, trade union membership, religion, sexual orientation, beliefs, or racial or ethnic origin.