I want to look up the 10 conditions for processing sensitive, special category data
If you process special category data, in addition to a lawful basis you must also identify a condition of processing, it may also be necessary to refer to the Data Protection Act 2018.
There are 10 conditions of processing for processing sensitive special category data, and they are set out below.
- Explicit consent: it must be freely given, specify the type of special category data, and must be confirmed in a clear statement (opt-in) separate from any other consents you are seeking. The individual must be able to withdraw their explicit consent at any time.
- Employment and social security and social protection: relevant to employers for checking entitlement to work, ensuring health and safety of employees, maintaining statutory sick pay and maternity pay records, making trade union deductions from payroll etc. The purpose of the processing must comply with employment or social security law, and you need to identify the legal obligation or right.
- Vital interests: This condition applies if the individual is physically or legally incapable of giving consent and generally only applies to life-or-death situations.
- For legitimate activities by a foundation, association, or not for profit body: Applies to some specified activities for not-for-profit bodies, it is unlikely to apply to processing by the university, recognised in law as a public authority.
- Made public by the individual: Only covers personal data the individual themselves has made public; it is not enough that its already in the public domain – it must be a deliberate act by the individual. The data must be realistically accessible to a member of the general public, disclosure to a limited audience is not necessarily ‘manifestly public. You should keep a record of the source of the data.
- Legal claims: You must show that the purpose of the processing is to establish, exercise or defend legal claims, it can include actual or prospective court proceedings, obtaining legal advice, or establishing, exercising or defending legal claims in any other way. You must be able to justify why processing this specific data is necessary.
- Substantial public interest: You need to meet one of 23 specific substantial public interest conditions set out in Schedule one of the Data Protection Act 2018.
- Health or social care: This covers preventative or occupational medicine, assessment of an employees working capacity, medical diagnosis, provision of health care or treatment, provision of social care or management of health care systems or services. You can only rely on this condition if the personal data is being processed by a professional who is subject to an obligation of professional secrecy, section 204 of the Data Protection Act defines the term ‘health or social work professional’.
- Public health: To rely on this condition, the processing must be carried out either by, or under the responsibility of a health processional or by someone who in the circumstances owes a legal duty of confidentiality. You need to be able to point to a benefit to the wider public or society as a whole. This condition may be used where it is necessary for public health monitoring or statistics, public vaccination programmes, responding to new threats to public health, clinical trials or reviewing standards of clinical practice.
- Archiving purposes in the public interest, scientific or historical research, or statistical purposes: You must demonstrate that processing is necessary for archiving, research or statistical purposes, it must be a reasonable and proportionate way of achieving one of these purposes, you must not have more data than you need, and you must demonstrate that processing is necessary in the public interest. It can include technological development and demonstration, fundamental research, applied research and privately funded research. Commercial scientific research must demonstrate the use of rigorous scientific methods and furthers a public interest. Appropriate technological and organisational measures must be in place to safeguard personal data.