What are an employer's obligations under the General Data Protection Regulation (GDPR) in relation to the processing of sensitive personal data?

The General Data Protection Regulation (GDPR) uses the phrase "special categories of personal data" to refer to what is known as "sensitive personal data" under the current regime. The special categories of personal data under the GDPR are:

  • data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership;
  • genetic data and biometric data for the purpose of uniquely identifying an individual; and
  • data concerning health, sex life or sexual orientation.

The processing of special categories of personal data is prohibited unless one of the specific grounds set out in the GDPR applies. The grounds most relevant in the employment context are likely to be that:

  • the data subject has given his or her explicit consent to the employer processing the data for the particular purpose;
  • processing is necessary for carrying out obligations or exercising rights under employment law, social security law or social protection law, or under a collective agreement; or
  • processing is necessary for the establishment, exercise or defence of legal claims, or where courts are acting in their judicial capacity.

The processing of personal data relating to criminal convictions and offences is regulated separately under the GDPR and is therefore not included as a special category of personal data.

The Government has published the Data Protection Bill, which will supplement the provisions of the GDPR when in force. The Bill will allow an employer to process special categories of data and criminal records data where the processing is necessary for carrying out obligations or exercising rights under employment law, provided that the employer has an appropriate policy document in place. The document must set out how the employer will comply with the principles of the GDPR in relation to the special category or criminal records data and explain its policies on retention and erasure of the data.

The GDPR will come into effect on 25 May 2018.