Part 7: Special Category Personal Data

This part of the SWGfL GDPR Guidance focusses specifically on Special Category Personal Data.

Important GDPR Definitions

The following definitions are used throughout the GDPR, and throughout the SWGfL GDPR guidance:

  1. Processing is any operation (including collection, recording, organising, storing, altering, using, and transmitting) performed on Personal Data.
  2. Personal Data is any information relating to a natural person (called a Data Subject) who can be (directly or indirectly) identified using that information.
  3. Data Controller is a person, authority, agency or other body which determines the purposes and the means of Processing.
  4. Data Processor is a person, authority, agency or other body which undertakes Processing on behalf of a Data Controller.

Special Category Personal Data

An overview of Special Category Personal Data is set out in part 2 of the SWGfL GDPR guidance, which can be found here.

Processing of Special Category Personal Data is prohibited (Article 9) unless:

  1. the Data Subject has explicitly consented for a specified purpose;
  2. the Processing is necessary in relation to employment, social security or social protection law, where clearly defined in law;
  3. the Processing is necessary to protect vital interests of a natural person and where they are unable to provide consent;
  4. the Processing is undertaken for legitimate purposes by a political, philosophical, religious or trade union organisation;
  5. the Processing relates to Personal Data made public by the Data Subject;
  6. the Processing is necessary in relation to legal proceedings;
  7. the Processing is undertaken substantially in the public interest and where clearly defined in law;
  8. the Processing is necessary for the provision of health and social care services, where clearly defined in law;
  9. the Processing is necessary for reasons of public health and where clearly defined in law; or
  10. the Processing is necessary for scientific, historical or statistical purposes (in the public interest), where clearly defined in law.

Since Special Category Personal Data would likely result in greater harm to Data Subject if Processing was not undertaken in a compliant manner (e.g. such data was lost), it would be advisable to apply additional controls to ensure such Processing is compliant (and in particular that the data is secure).

Processing of Special Category Personal Data is prohibited, unless a lawful basis permits it and one of the ten conditions set out is true.

Special Category Personal Data and the Data Protection Act 2018

This is an area in which the Data Protection Act 2018 differs from the GDPR. Sections 10 and 11 of the Data Protection Act 2018 specify certain additional conditions, those being that the exemptions in points (b), (g), (h), (i) and (j) above shall only apply (i.e. Processing shall only be permitted) if:

  1. For (b) above – employment, social security and social protection (Part 1 of Schedule 1 of the Data Protection Act 2018): the Processing is necessary under law relating to employment, social security and social protection, and that the Data Controller has an appropriate policy which specifies how compliance with the GDPR will be achieved (in particular the data protection principles (Article 5) and the retention and erasure processes).
  2. For (g) above – substantial public interest (Part 2 of Schedule 1 of the Data Protection Act 2018): the Processing is necessary for reasons of substantial public interest; and:
    1. is for equality, racial or ethnic diversity purposes; or
    2. is for purposes of supporting individuals with disabilities on a not-for-profit basis; or
    3. is for purposes of counselling; or
    4. is for the purposes of safeguarding children or individuals at risk (including economic safeguarding of certain individuals); and
    5. that the Data Controller has an appropriate policy which specifies how compliance with the GDPR will be achieved (in particular the data protection principles (Article 5) and the retention and erasure processes).
  3. For (h) above – health or social care (Part 1 of Schedule 1 of the Data Protection Act 2018): the Processing is necessary for health or social care reasons and is carried out by a health professional or someone else who is legally obliged to maintain confidentiality.
  4. For (i) above – public health (Part 1 of Schedule 1 of the Data Protection Act 2018): the Processing is necessary for public interest reasons relating to public health, and is carried out by a health professional or someone else who is legally obliged to maintain confidentiality.
  5. For (j) above - scientific, historical or statistical purposes (Part 1 of Schedule 1 of the Data Protection Act 2018): the Processing is necessary for these purposes, is in the public interest, and is carried out in accordance with Article 89 of the GDPR.

This is a complex area, but is worthy of note due to the inclusion of specific conditions relating to safeguarding of children and to health or social care, which will likely be relevant to schools.

Schools will likely be Processing numerous pieces of Special Category Personal Data, including:

  1. racial or ethnic origin data (as part of school census);
  2. data concerning religious beliefs (as part of holiday planning, and where schools have formal links with religious or faith-based organisations);
  3. biometric data for identification (where an IT, security or catering system uses it); and
  4. data concerning health (i.e. medical data).

Other data is also worthy of note, including:

  1. photographs (which could be used to identify multiple children in a certain location);
  2. family situation (including social services or local authority involvement);
  3. safeguarding information;
  4. learning information (such as behaviour and special education needs); and
  5. financial and funding information (including pupil premium and school meals).

Though these data items may not be Special Category Personal Data under the strict interpretation of the GDPR, such data is sensitive and it would be advisable to apply similar Processing safeguards.

It is possible that the ‘substantial public interest conditions’ (set out in Part 2 of Schedule 1 of the Data Protection Act 2018) in relation to the ‘substantially in the public interest’ exemption (set out in Article 9(2) point (g)) of the GDPR will be applicable to certain Processing of Special Category Personal Data in schools.

Certain conditions may be applicable to Processing of Special Category Personal Data in schools.