The Information Commissioner’s Office (ICO) has published new guidance on the use of special category personal data, highlighting the need for a lawful basis for processing and an appropriate policy document.
Its director for regulatory assurance, Ian Hulme, outlined the basics of the change, saying the guidance is aimed at helping data controllers to take all necessary precautions in protecting the data.
The move is significant for the public sector because special category data includes information on health, which can influence the provision of a service to an individual, along with other types of sensitive information that can be relevant in some cases. These include sex life or orientation, racial or ethnic origin, political opinions, religious or philosophical beliefs and whether the person is a member of a trade union.
“The misuse of this data is likely to interfere with an individual’s fundamental rights and freedoms and could cause real harm and damage,” Hulme said.
He highlighted two elements of the guidance. One is the need to always have a lawful basis to process the data under both articles six and nine of the General Data Protection Regulation. There could also potentially be a need for an associated Data Protection Act schedule one condition.
The second point is the need for an appropriate policy document outlining compliance measures and retention policies with respect to the data being processed.
The ICO has also produced a template appropriate policy document within the guidance.
“There is more to do when processing special category data, but the provisions are in place to help you protect the data of those whose information you hold, and increase their confidence in you,” Hulme said.