Special category data: is your small business processing it?
Could your small business unwittingly be processing special category data? We look at what special category data is and when you might be processing it.
What is special category data?
The ICO describes special category data as ‘personal data that needs more protection because it’s sensitive’. Types of information included in the special category are those that might lead to discrimination such as:
racial or ethnic origin,
religious or philosophical beliefs,
trade union membership,
data concerning health, or
data concerning a natural person’s sex life or sexual orientation.
Some other special category areas exist, but these are the main ones.
Processing special category data
Special category data can’t be processed under the same lawful basis as regular data. You must also have a special ‘condition’ for justifying why you’re processing special category information.
There are ten different special conditions under which you could be processing special category data. You need to determine the condition before you start processing the data and record it as part of your GDPR evidence. Don’t forget that you also need to carry out a Data Protection Impact Assessment!
When might I need to process special category data?
You may need to hold special category data in the form of health information on staff, depending on the nature of your business and the tasks they undertake. The coronavirus outbreak might mean you need to do this for the first time - if you’re managing lists of which staff have tested positive for Covid-19, or which are self-isolating as a precaution. Find out more about the GDPR requirements around Covid-19.
Employers are permitted to process health information, provided they can justify that it’s related to employment requirements, for example, if you’re planning a staff rota and need to understand who will be unavailable because of illness.
Using special category data in legal claims
If you’re in the business of providing advice, such as a financial advisor, insurance provider or a will writer, you may deal with a range of special category data – because it might influence a client’s decisions on financial investments, on wills and bequests, or on elements of financial support and insurances that they might be able to access in times of crisis.
You might not always need to use special category data for a client, but if you suddenly find that you need to, then setting up the right lawful basis and condition at the time you first engage the client will ensure that you’re always on the right side of the law.
The good news is that there’s the perfect condition: where you are using information to establish or defend against legal claims, you can reasonably justify that it’s necessary and in the client’s interests.
Here are a couple of examples from the Information Commissioner’s Office:
A professional trust and estate practitioner
A professional trust and estate practitioner advises a client on setting up a trust to provide for a disabled family member. The adviser processes health data of the beneficiary for this purpose. Although there is no active legal claim before the courts, this is still for the purpose of establishing the legal claims of the trust beneficiary for the purposes of this condition.
A hairdresser conducts a patch test on a client to check that they will not have an allergic reaction to the hair dye. The hairdresser records when the test was taken and the results. The hairdresser is therefore processing health data about the client’s allergies. Although there is no actual or expected court claim, the purpose is to establish that the hairdresser is fulfilling their duty of care to the client, and to defend against any potential personal injury claims in the event of an adverse reaction.