GDPR & Data Protection

Workplace Special Category Data

Bulletproof takes a look at employee special category data, including what a business needs to do to stay compliant with the GDPR.


Isha Mishra Data Protection Consultant

10/10/2024 7 min read

Introduction

Regulation such as the GDPR and UK law makes the protection of employees’ personal data vital for any organisation. According to the ICO’s Q2 incident report, employee data accounted for the highest percentage of reported data breaches, making up 31% of the total. The figures indicate that more focus needs to be placed on safeguarding employees' personal data. Now is the time for employers to understand their responsibilities when processing the data of their staff and to ensure compliance. Moreover, organisations have an added responsibility when they choose to process special categories of their employees’ data.


What is special category data?

First, I want to make sure we’re all on the same page. Special category data is personal data that is considered sensitive and requires additional safeguards when processed, as it can have a significant impact on an individual's life.

This typically includes things like racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

Organisations might gather special category data from staff for various reasons, including providing health insurance, managing sick or maternity leave, assessing workplace diversity, meeting legal and industry-specific requirements, or fulfilling client demands. This data is classified as special because it is sensitive and has the capability to create high risks to individuals’ rights and freedoms, and thus additional protection is required. So, it is crucial for employers to consider the sensitivity of this information, and to determine whether its collection is absolutely necessary, before asking staff members to provide these protected categories of information.

But there are also grey areas. Individuals' financial information is deemed sensitive and raises comparable fundamental issues, but interestingly this type of data is not classified as special category data under UK GDPR. Additionally, personal data relating to criminal allegations and convictions is not considered special category data either. However, similar regulations and safeguards apply when processing this data to address the specific risks it presents.

When can I process special category data?

There are certain conditions for processing employees’ special category data under the UK GDPR:

Article 6 legal basis for processing

Employers are required to identify a valid legal basis specified in Article 6 of the UK GDPR, irrespective of whether the data falls into the special categories. In the context of employment, the most common lawful bases are contract (for fulfilling duties related to employment), legal obligation (to comply with laws such as employment law), and legitimate interests (for example, ensuring staff safety by installing CCTV). Consent is rarely used as a legal basis in the employer-employee relationship because it can be difficult to demonstrate that consent was given freely, which is a key requirement for valid consent.

Exceptions under Article 9

Article 9 of the UK GDPR prohibits processing of special categories of data, but it provides ten exceptions to this rule. They are:

  1. Explicit consent
  2. Employment, social security, and social protection (if authorised by law)
  3. Vital interests
  4. Not-for-profit bodies
  5. Made public by the data subject
  6. Legal claims or judicial acts
  7. Reasons of substantial public interest (with a basis in law)
  8. Health or social care (with a basis in law)
  9. Public health (with a basis in law)
  10. Archiving, research and statistics (with a basis in law)

Conditions under Data Protection Act 2018 (DPA 2018)

Apart from the UK GDPR, employers are required to comply with the Schedule 1 conditions set out in the Data Protection Act 2018.

Schedule 1 has two parts.

Part 1 applies to processing that relies on any of the following conditions:

  1. Employment, social security and social protection - Article 9(2)(b)
  2. Health or social care - Article 9(2)(h)
  3. Public health - Article 9(2)(i); and
  4. Archiving, research or statistics - Article 9(2)(j).

On the other hand, the conditions laid out in Part 2 of Schedule 1 are mandatory for organisations to satisfy if they rely on the "substantial public interest" basis under Article 9(2)(g) of the UK GDPR.

What this means in practice

Generally, organisations rely on the health or social care condition when managing sick, maternity, or paternity leave, offering workplace adjustments, or maintaining employee health by gathering dietary requirements or allergen information. They also process employee data for employment, social security, and social protection purposes to fulfil legal obligations under related laws.

In some cases, organisations collect data on sexual orientation, ethnicity, and other personal characteristics to promote equality of opportunity and treatment or to assess racial and ethnic diversity at senior levels. This data helps ensure fairness in promotions, salary increases, and decisions regarding senior positions.

What do I need to do?

There are a number of documents you need to create to process special category data. As per Schedule 1 of the DPA 2018, creating an Appropriate Policy Document (APD) is an additional requirement for organisations. Briefly, it is a document outlining compliance measures and retention policies for special categories of data. It is a must for employers relying on the substantial public interest condition and the employment, social security, and social protection condition.

An APD must set out the Schedule 1 condition relied on, the procedures for complying with all principles of the UK GDPR, retention and deletion policies, and the retention period for specific data. It’s not necessary to have separate APDs for all processing activities – one for all will be sufficient – and the APD must be retained until six months after the processing is stopped.

Secondly, a Data Protection Impact Assessment (DPIA) must be conducted for processing activities that are likely to pose a high risk. This implies that DPIAs are necessary when handling special categories of staff’s data.

The Article 30 Records of Processing Activities (RoPA) document must be updated with the processing activities in relation to employees’ special categories of data, the lawful basis, and the conditions under Schedule 1 of the DPA 2018.

To comply with the transparency principle under the UK GDPR, an organisation must provide a privacy notice to all employees. This should include all the elements required by Articles 13 and 14, including information about the processing of special categories of their personal data.

How to manage the retention period of staff’s special category data

As we know, the GDPR requires that data should not be retained longer than necessary. In order to comply with the storage limitation principle, organisations must collect special category data only when required. For example, an organisation may need to collect data to assess workforce fitness or accommodate dietary needs at an event.

The organisation must have an appropriate legal or business justification for retaining the data. For instance, it is recommended to keep medical records and health-related information for one year after termination, allowing time for claims of unfair dismissal or discrimination under the Employment Rights Act 1996 and Equality Act 2010 to expire. Similarly, it is advisable to retain documents relating to maternity and parental leave for 3 years after the end of the tax year in which the maternity/shared parental pay period ends, to fulfil legal obligations under the Statutory Maternity Pay (General) Regulations 1986 and the Statutory Shared Parental Pay (Administration) Regulations 2014/2929.

A retention policy and a detailed retention schedule are beneficial for optimising deletion procedures by providing reminders for when data should be removed. Automating this process enhances efficiency and minimises the likelihood of human error, ensuring compliance and streamlined operations.
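The following is an added example, not code from the article or from Bulletproof, of what an automated retention schedule of this kind can look like. It encodes the two retention periods stated above (health records for one year after termination; maternity/shared parental pay records for three years after the end of the tax year in which the pay period ends), assumes the UK tax year ends on 5 April, and works over a constructed set of sample records. The record categories, the `Record` type and the review date are assumptions for the demo.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Callable, Dict, Iterable, List

# Retention periods stated in the article:
#   health records          -> 1 year after termination
#   maternity/parental pay  -> 3 years after the end of the tax year in which
#                              the pay period ends
# Assumption: the UK tax year ends on 5 April.
TAX_YEAR_END_MONTH = 4
TAX_YEAR_END_DAY = 5


def add_years(d: date, years: int) -> date:
    """Add whole years; 29 February rolls back to 28 February in a non-leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def end_of_tax_year(d: date) -> date:
    """5 April on or after d, i.e. the end of the tax year containing d."""
    same_year = date(d.year, TAX_YEAR_END_MONTH, TAX_YEAR_END_DAY)
    if d <= same_year:
        return same_year
    return date(d.year + 1, TAX_YEAR_END_MONTH, TAX_YEAR_END_DAY)


@dataclass(frozen=True)
class Record:
    record_id: str
    category: str       # key into RETENTION_RULES
    trigger_date: date  # termination date, or last day of the pay period


# Each rule maps the trigger date to the date from which the record may be deleted.
RETENTION_RULES: Dict[str, Callable[[date], date]] = {
    "health": lambda trigger: add_years(trigger, 1),
    "maternity_pay": lambda trigger: add_years(end_of_tax_year(trigger), 3),
}


def deletion_due(record: Record) -> date:
    """Date from which the record should be deleted. An unknown category is an
    error rather than a record that is silently kept forever."""
    try:
        rule = RETENTION_RULES[record.category]
    except KeyError:
        raise ValueError(f"no retention rule for category {record.category!r}") from None
    return rule(record.trigger_date)


def deletion_schedule(records: Iterable[Record]) -> Dict[str, str]:
    """record_id -> ISO deletion date, suitable for the retention schedule document."""
    return {r.record_id: deletion_due(r).isoformat() for r in records}


def records_due_for_deletion(records: Iterable[Record], today: date) -> List[str]:
    """Records whose retention period has already expired."""
    return sorted(r.record_id for r in records if deletion_due(r) <= today)


def upcoming_deletions(records: Iterable[Record], today: date, days: int) -> List[str]:
    """Records that fall due within the next `days` days (the reminder window)."""
    horizon = today + timedelta(days=days)
    return sorted(r.record_id for r in records if today < deletion_due(r) <= horizon)


# Constructed sample data (fictional records, not taken from any real system).
SAMPLE_RECORDS = [
    Record("h1", "health", date(2023, 6, 30)),          # employee left 30 Jun 2023
    Record("h2", "health", date(2023, 10, 20)),         # employee left 20 Oct 2023
    Record("m1", "maternity_pay", date(2021, 3, 10)),   # pay period ended in the 2020/21 tax year
    Record("m2", "maternity_pay", date(2021, 5, 1)),    # pay period ended in the 2021/22 tax year
]
REVIEW_DATE = date(2024, 10, 10)  # assumed date of the periodic retention review

if __name__ == "__main__":
    for rid, due in deletion_schedule(SAMPLE_RECORDS).items():
        print(f"{rid}: delete from {due}")
    print("due now:", records_due_for_deletion(SAMPLE_RECORDS, REVIEW_DATE))
    print("due within 30 days:", upcoming_deletions(SAMPLE_RECORDS, REVIEW_DATE, 30))
```

Run on the review date, the schedule flags `h1` and `m1` as already past their retention period and `h2` as falling due within the next 30 days, while `m2` is kept until April 2025. Keeping the rules in one table makes the schedule easy to review alongside the APD, and raising an error for an unknown category avoids the common failure mode where unclassified records are never deleted at all.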

The importance of securing special category data

Staff’s special category data is sensitive in nature and can cause real harm in the event of a breach. Therefore, organisations are required to put enhanced technical measures in place. These may include using a separate database with role-based access control, password-protected files, and storing any physical records in locked filing cabinets. In line with the data minimisation principle, managers should only access the employee data that is essential for their tasks. Additionally, implementing security practices such as encryption and pseudonymisation can enhance data protection. For instance, when analysing organisational diversity, it is preferable to use pseudonymised data rather than maintaining the data in its identifiable state.
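As an added example (not code from the article or from Bulletproof), here is one way to produce the pseudonymised diversity dataset the paragraph describes. It uses a keyed HMAC so that the HR team, which keeps the key, can re-link a pseudonym if it ever needs to, while the analysts' copy contains no identifier and no key. The HR rows, the field names and the key value are constructed for the demo; the small-cell suppression threshold is an assumption that shows how aggregate results can still single someone out if a cell contains only one person.

```python
import hashlib
import hmac
from collections import Counter
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample HR extract (fictional staff, not real data). Only the
# fields the diversity analysis needs are carried across; everything else stays
# in the HR system.
HR_EXTRACT: List[Dict[str, str]] = [
    {"employee_id": "E1001", "grade": "Senior", "ethnicity": "Asian"},
    {"employee_id": "E1002", "grade": "Senior", "ethnicity": "White"},
    {"employee_id": "E1003", "grade": "Senior", "ethnicity": "White"},
    {"employee_id": "E1004", "grade": "Senior", "ethnicity": "White"},
    {"employee_id": "E1005", "grade": "Junior", "ethnicity": "Asian"},
    {"employee_id": "E1006", "grade": "Junior", "ethnicity": "Asian"},
    {"employee_id": "E1007", "grade": "Junior", "ethnicity": "Asian"},
    {"employee_id": "E1008", "grade": "Junior", "ethnicity": "Black"},
]

# Placeholder key for the demo. In practice the key is held by the HR data
# controller (for example in a key vault) and is never shipped with the
# analysis dataset: holding the key is what allows re-identification, and not
# having it is what protects the analysts' copy.
DEMO_KEY = b"placeholder-secret-key-held-only-by-hr"


def pseudonymise(employee_id: str, key: bytes) -> str:
    """Keyed pseudonym (HMAC-SHA256, truncated). An unkeyed hash of a short,
    predictable identifier offers little protection, so the key is essential."""
    digest = hmac.new(key, employee_id.encode("utf-8"), hashlib.sha256)
    return digest.hexdigest()[:16]


def build_analysis_dataset(rows: Iterable[Dict[str, str]], key: bytes) -> List[Dict[str, str]]:
    """Replace the identifier with a pseudonym and drop every other field
    (data minimisation: analysts get only what the analysis needs)."""
    return [
        {
            "pseudonym": pseudonymise(row["employee_id"], key),
            "grade": row["grade"],
            "ethnicity": row["ethnicity"],
        }
        for row in rows
    ]


def diversity_breakdown(
    dataset: Iterable[Dict[str, str]], min_group_size: int = 3
) -> Dict[Tuple[str, str], Optional[int]]:
    """Headcount by (grade, ethnicity). Cells smaller than min_group_size are
    reported as None, because a count of 1 would identify the only person in
    that cell even though the dataset is pseudonymised."""
    counts = Counter((row["grade"], row["ethnicity"]) for row in dataset)
    return {cell: (n if n >= min_group_size else None) for cell, n in counts.items()}


if __name__ == "__main__":
    analysis_copy = build_analysis_dataset(HR_EXTRACT, DEMO_KEY)
    for row in analysis_copy:
        print(row)
    for cell, n in sorted(diversity_breakdown(analysis_copy).items()):
        print(cell, "suppressed" if n is None else n)
```

The dataset handed to analysts carries a pseudonym, grade and ethnicity and nothing else, and because the HMAC key stays with HR this remains pseudonymised rather than anonymised data, so it is still personal data under the UK GDPR and the measures described above still apply to it.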

As an organisational measure, creating security policies such as an information security policy, a clear desk policy and an acceptable use policy is a good plan.

Conclusion

To sum up, special category data is considered high-risk and has the potential to harm an individual’s rights and freedoms if compromised. That’s why it is essential for organisations to take extra care when dealing with such data.

To comply with legal regulations and reduce the harm caused to individuals, organisations must fulfil the additional requirements outlined in the UK GDPR and the Data Protection Act 2018. It is also necessary to regularly update policies and documentation, promptly delete data that is no longer needed, and embrace new technologies to ensure effective technical safeguards are in place.

The severity of the harm caused by a breach involving special categories of data may vary on a case-by-case basis, so organisations must adopt a risk-based approach. For instance, while both physical and mental health information are classified as health data, the impact of a breach involving mental health data could be more severe than that of physical health data. Given the potential risks to fundamental rights, it is essential to identify any special category data and handle it with care, even if it may not initially seem highly sensitive.

By taking steps to protect employees' personal data, an organisation not only ensures compliance with regulations, reduces the number of subject access requests, and avoids substantial fines, but also fosters trust among employees, which is a key sign of a successful business.


Meet the author

Isha Mishra Data Protection Consultant

Isha is a qualified Bulletproof data protection consultant with a background in law. She’s full of enthusiasm for both the legal and technological areas of data protection and information privacy.
