Workplace Special Category Data

What is special category data?

First, I want to make sure we’re all on the same page. Special category data is personal data that is considered sensitive and requires additional safeguards when processed, as it can have a significant impact on an individual's life.

This typically includes things like racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

Organisations might gather special category data from the staff for various reasons, including providing health insurance, managing sick or maternity leave, assessing workplace diversity, meeting legal and industry-specific requirements, or fulfilling client demands. This data is classified as special because it is sensitive and has capability to create high risks to individual’s rights and freedom, and thus additional protection is required. So, it is crucial for employers to consider the sensitivity of this information, in fact determine whether its collection is absolutely necessary, before asking staff members to provide these protected categories of information.

But there are also grey areas. Individuals' financial information is deemed sensitive and raises comparable fundamental issues, but interestingly this type of data is not classified as special category data under UK GDPR. Additionally, personal data relating to criminal allegations and convictions is not considered special category data either. However, similar regulations and safeguards apply when processing this data to address the specific risks it presents.

When can I process special category data?

There are certain conditions for processing employees’ special category of data under UK GDPR:

Article 6 legal basis for processing

Employers are required to identify a valid legal basis specified in Article 6 of the UK GDPR, irrespective of whether the data falls into special categories. In the context of employment, the most common lawful bases are contract for fulfilling duties related to employment, legal obligation to comply with laws like employment law, and legitimate interests, for ensuring staff safety by implementing CCTVs etc. Consent is rarely used as a legal basis in employer-employee relationship because it can be difficult to demonstrate that consent was gathered freely, which is a key requirement for a valid consent.

Exceptions under Article 9

Article 9 of the UK GDPR prohibits processing of special categories of data, but it provides ten exceptions to this rule. They are:

1. Explicit consent
2. Employment, social security, and social protection (if authorised by law)
3. Vital interests
4. Not-for-profit bodies
5. Made public by the data subject
6. Legal claims or judicial acts
7. Reasons of substantial public interest (with a basis in law)
8. Health or social care (with a basis in law)
9. Public health (with a basis in law)
10. Archiving, research and statistics (with a basis in law)

Conditions under Data Protection Act 2018 (DPA 2018)

Apart from UK GDPR, employers are required to comply with Schedule 1 conditions as set out in Data Protection Act 2018.

Schedule 1 has two parts.

Part 1 applies to processing relied on any of the below conditions:

1. Employment, social security and social protection - Article 9(2)(b)
2. Health or social care - Article 9(2)(h)
3. Public health - Article 9(2)(i); and
4. Archiving, research or statistics - Article 9(2)(j).

On the other hand, conditions laid down laid out in Part 2 of Schedule 1 is mandatory for organisations to satisfy if they rely on "substantial public interest" basis under Article 9(2)(g) of the UK GDPR.

What this means in practice

Generally, organisations depend on health and social care systems when managing sick, maternity, or paternity leaves, offering workplace adjustments, or maintaining employee health by gathering dietary requirements or allergen information. They also process employee data for employment, social security, and social protection purposes to fulfil legal obligations under related laws.

In some cases, organisations collect data on sexual orientation, ethnicity, and other personal characteristics to promote equality of opportunity and treatment or to assess racial and ethnic diversity at senior levels. This data helps ensure fairness in promotions, salary increases, and decisions regarding senior positions.

What do I need to do?

There are a number of documents you need to create to process special category data. As per schedule 1 of the DPA 2018, creating Appropriate Policy Document (APD) is an additional requirement for organisations. Briefly, it is a document outlining compliance measures and retention policies for special categories of data. It is a must for employers relying on substantial public interest and employment, social security, and social protection conditions.

An APD must have schedule 1 condition, procedures for complying with all principles of the UK GDPR, retention and deletion policies, and retention period for specific data. It’s not necessary to have separate APDs for all processing activities – one for all will be sufficient – and retain the APD until six months after the processing is stopped.

Secondly, a Data Protection Impact Assessment (DPIA) must be conducted for processing activities that are likely to pose a high risk. This implies that DPIAs are necessary when handling special categories of staff’s data.

Article 30 Records of Processing Activity (RoPA) document must be updated with the processing activities in relation to employees’ special categories of data, the lawful basis, and conditions under schedule 1 of the DPA 2018.

To comply with the transparency principle under the UK GDPR, an organisation must provide a privacy notice to all employees. This should include all the elements required by Articles 13 and 14, including information about the processing of special categories of their personal data.

How to manage retention period of staff’s special category data?

As we know, the GDPR requires that data should not be retained longer than necessary. In order to comply with the storage limitation principle, organisations must collect special category data only when required. For example, an organisation may need to collect data to assess workforce fitness or accommodate dietary needs at an event.

The organisation must have appropriate legal of business justification for retaining the data. For instance, it is recommended to keep medical records and health-related information for one year after termination, allowing time for claims of unfair dismissal or discrimination under the Employment Rights Act 1996 and Equality Act 2010 to expire. Similarly, it is advisable to keep documents relating to maternal and parental leave to be retained for 3 years after the end of the tax year in which the maternity/shared parental pay period ends to fulfil legal obligation under the Statutory Maternity Pay (General) Regulations 1986 and the Statutory Shared Parental Pay (Administration) Regulations 2014/2929.

A retention policy and a detailed retention schedule is beneficial to optimise the deletion procedures by providing reminders for when data should be removed. Automating this process enhances efficiency and minimises the likelihood of human error, ensuring compliance and streamlined operations.

The importance of securing special category

Staff’s special category data is of sensitive nature and has capability of potential harm during the event of a breach. Therefore, enhanced technical measures are required by organisations. This may include using a separate database with role-based access control, password-protected files, and storing any physical records in locked filing cabinets. In line with the data minimisation principle, managers should only access employee data that is essential for their tasks. Additionally, implementing security practices such as encryption and pseudonymisation can enhance data protection. For instance, when analysing organisational diversity, it is preferable to use pseudonymised data rather than maintaining the data in its identifiable state.

As an organisational measure creating security policies like information security policy, clear desk policy, acceptable use policy etc., is a good plan.