What are an employer's obligations under the General Data Protection Regulation (GDPR) in relation to the processing of special categories of personal data?
Personal data that falls within the "special categories" set out in the General Data Protection Regulation (2016/679 EU) (GDPR) attracts additional protection. The special categories of personal data under the GDPR are:
- data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership;
- genetic data and biometric data for the purpose of uniquely identifying an individual; and
- data concerning health, sex life or sexual orientation.
Special category data is similar to what was known as sensitive personal data under the previous Data Protection Act 1998.
The processing of special categories of personal data is prohibited unless one of the specific grounds set out in the GDPR applies. The grounds most relevant in the employment context are likely to be that:
- processing is necessary for carrying out obligations or exercising rights under employment law, social security law or social protection law, or under a collective agreement;
- the data subject has given their explicit consent to the employer processing the data for the particular purpose; or
- processing is necessary for the establishment, exercise or defence of legal claims, or where courts are acting in their judicial capacity.
The processing of personal data relating to criminal convictions and offences is regulated separately under the GDPR and is therefore not included as a special category of personal data, but similar rules apply.
The Data Protection Act 2018, which supplements the provisions of the GDPR, allows an employer to process special categories of data and criminal records data where the processing is necessary for carrying out obligations or exercising rights under employment law, provided that the employer has an appropriate policy document in place. The document must set out how the employer will comply with the principles of the GDPR in relation to the special category or criminal records data and explain its policies on retention and erasure of the data.
The employer must keep the document updated and must make it available to the Information Commissioner on request.