ICO and guidelines on special category data
The Article 9 of the GDPR, 679/2016, refers to the “processing of certain special categories of personal data”. Special category data are personal data that need more protection because they are sensitive.
Paragraph 4 of Article 6 of the GDPR, asks the holder to take into account, moreover, “c) the nature of personal data, especially if special categories of personal data are processed in accordance with the Article 9”.
And this Article says: ‘The processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade-union membership, as well as the processing of genetic data, biometric data designed to uniquely identify a natural person, data concerning a person’s health or sex life or sexual orientation shall be prohibited’, unless there are a number of exceptions set out in the following paragraph. Especially in paragraph 2 of the same Article, points (h) and (i), reference is made to personal, indeed sensitive, data necessary for preventive medicine purposes or for reasons of public interest in the field of public health.
The Information Commissioner Officer (ICO), the UK Data Protection Supervisor, has recently updated the guidelines, precisely in relation to special category data, by analyzing three macro categories, genetic data, biometric data and health data.
On the first ones, the ICO states that, if the genetic analysis includes genetic markers that are unique to an individual, they are to be considered personal data and special category data, even if names or other identifiers have been removed, in the same way as the results of genetic tests on a specific biological sample, because they can be traced back to a specific identity. Otherwise, if you have partial genetic sequences or used for testing purposes, or not traceable to a specific identity, they are considered non-personal data.
On the second ones, the ICO has had the opportunity to clarify some rather important distinctions: a digital photograph of an individual is not automatically a biometric data, but becomes one only if the data of that image are used to create a single digital profile, to be used for correspondence and automated identification. Such data are almost always special category data.
With regard to third parties, health data, they reveal a lot about an individual’s life, not only current, but also past and future, which is why they are certainly personal data and certainly special category data, because they reveal a lot about personal data itself and other details. Therefore, if, through these data, one obtains data with a high degree of certainty, they are special category data, otherwise if they are used only for statistical purposes, and therefore can be traced back to mere hypotheses, only personal data remain (for example, one can often deduce belonging to an ethnic group from a name or image, but there is no absolute confirmation). It is true that if users, even for purely statistical purposes, on the basis of ethnicity, or religion, or political or sexual orientation, there is no doubt that special category data are being processed, beyond the specific purposes that are intended to be achieved.
In such cases a specific consent is required, which may not even be enough! And if you are unable to obtain a valid explicit consent, you should stop and not use such data, except in cases of public interest for journalism, academia, art or literature, pursuant to article 89 of the GDPR.
Explicit consent must:
- be confirmed in a clear statement (oral or written), rather than by any other affirmative action
- specify the nature of the data in the special category
- be separated from any other kind of consent.
Paragraph 2(e) of Article 9 of the GDPR states, as an exception to paragraph 1: “the processing concerns personal data made manifestly public by the data subject”, to indicate a deliberate act of sharing by the user.
Point (j) of this Article explicitly refers to the exception relating to ‘storage purposes in the public interest, for scientific or historical research or for statistical purposes in accordance with Article 89(1) on the basis of Union or national law, which is proportionate to the purpose pursued’, specifying the reason why anonymous data cannot be used, a real assessment of the use of pseudonymisation techniques, and evidence of concrete steps to safeguard and guarantee the privacy of users and their security.
In conclusion, the ICO states that «data of special categories include personal data revealing or concerning the types of data mentioned above. Therefore, if you have deduced or guessed the details about someone who falls into one of the above categories, these data can be considered as special category data. It depends on how certain that inference is and whether you are deliberately drawing that inference.»
The AEPD and the guideline on health data
The Spanish Data Protection Authority, the AEPD, also wanted to analyze health data protection in greater depth, issuing guidelines to clarify some key points, summarized below:
- in the field of health care, the right to suppression of clinical history data is very limited, as such data is intended to ensure adequate patient care; and may be necessary for judicial, epidemiological, public health, research or teaching purposes, as well as for public interest or compliance with legal obligations.
- Only healthcare professionals can determine whether health data can be deleted.
- Hospital access controls must be strictly observed.
- A doctor is not authorized to know confidential information about a patient with whom he or she has no professional relationship.
- it is possible to ask for medical information to be corrected, but it is up to the healthcare professional to decide whether it should be corrected.
At a time when the web giants are getting their hands on health data for business purposes, the Data Protection Authorities feel even more strongly about the need to draw clear lines in their defense.
All Rights Reserved
Raffaella Aghemo, Lawyer