In detail
(a) Explicit consent

Article 9(2)(a) permits you to process special category data if:
‘Explicit consent’ is not defined in the UK GDPR, but must meet the usual UK GDPR standard for consent. In particular, it must be freely given, specific, affirmative (opt-in) and unambiguous, and able to be withdrawn at any time. In practice, the extra requirements for consent to be ‘explicit’ are likely to be:
Explicit consent is the only condition that can apply to a wide range of circumstances, and in some cases may be your only option. If so, you need to make sure that you offer people genuine choice over whether and how you use their data. You need to be particularly careful if you ask for consent as a condition of your services, or if you are in a position of power over the individual, for example, if you are a public authority or their employer.

If you need to process special category data to provide a service to the individual, explicit consent may be available as your condition for processing that data even if it is a condition of service. However, you must be confident that you can demonstrate consent is still freely given. In particular, you must be able to show that the processing is objectively necessary to perform the contractual service, and not just included in your terms for broader business purposes.

Example

A gym introduces a facial recognition system to allow members access to the facilities. It requires all members to agree to facial recognition as a condition of entry – there is no other way to access the gym.

This is not valid consent as the members are not being given a real choice – if they do not consent, they cannot access the gym. Although facial recognition might have some security and convenience benefits, it is not objectively necessary in order to provide access to gym facilities, so consent is not freely given.

However, if the gym provides an alternative, such as a choice between access via facial recognition and access via a membership card, consent could be considered freely given. The gym could rely on explicit consent for processing the biometric facial scans of the members who indicate that they prefer that option.

We have produced separate detailed guidance on how to obtain, record and manage valid consent, including explicit consent.
Further reading – ICO guidance

Consent

(b) Employment, social security and social protection law

Article 9(2)(b) permits you to process special category data if:
The relevant legal authorisation is set out in the DPA 2018, in Schedule 1 condition 1. This condition also requires you to have an appropriate policy document in place. This condition is particularly relevant for employers, for example where you are:
It also applies to public authorities involved in providing social services and benefits. Social security and social protection covers benefits, social support or other interventions designed to assist individuals with:
Your purpose must be to comply with employment law, or social security and social protection law. You need to be able to identify the legal obligation or right in question, either by reference to the specific legal provision or else by pointing to an appropriate source of advice or guidance that sets it out clearly. For example, you can refer to a government website or to industry guidance that explains generally applicable employment obligations or rights.

If you are providing social care, or managing social care services, you may find that the condition for health or social care is more appropriate.

This condition does not cover processing to meet purely contractual employment rights or obligations.

You must be able to justify why processing of this specific data is ‘necessary’ – it must be a reasonable and proportionate way of meeting specific rights or obligations, and you must not have more data than you need.

Example

A coach company wants to undertake random drug and alcohol testing of its drivers. As an employer, it has a health and safety obligation to ensure that its drivers are not under the influence of alcohol or drugs while working. It relies on the employment, social security and social protection condition for this processing.

If the company widens the test to include those staff that don’t have a safety-critical role, it will not be able to justify that the processing of these individuals’ data is necessary.

(c) Vital interests

Article 9(2)(c) permits you to process special category data if:
You don’t need a DPA Schedule 1 condition or an appropriate policy document to rely on vital interests. Recital 46 provides some further guidance:
Vital interests are intended to cover only interests that are essential for someone’s life. So this condition is very limited in its scope, and generally only applies to matters of life and death.

This condition only applies if the individual is physically or legally incapable of giving consent. This means you should ask for explicit consent if possible. If a data subject refuses consent, you cannot rely on vital interests as a fallback condition, unless they are not legally competent to make that decision.

This condition is likely to be most relevant for emergency medical care, when you need to process personal data for medical purposes but the individual is unconscious or otherwise incapable of giving consent.

Example

A medical team in a hospital want to provide emergency care to an unconscious patient. They cannot obtain consent to process the individual’s medical records and so rely on the vital interests condition for processing.

(d) Not-for-profit bodies

Article 9(2)(d) permits you to process special category data if:
You don’t need a DPA Schedule 1 condition or an appropriate policy document to rely on this condition.

This condition is one of the few that is not purpose-based. Instead, it applies to some specified activities of not-for-profit bodies. Because it is not purpose-based, there is no necessity test. However, this does not mean it is a blanket condition for all processing by not-for-profit bodies. You must still demonstrate how you meet the specific requirements of the condition, and you must still consider your data minimisation obligations.

You can only rely on this condition if you:
Example

A church processes personal data of its members and supporters in order to run church activities and provide pastoral care. The church can rely on the not-for-profit condition to process the data which reveals their religious belief.

The church publishes an annual report which is available to third parties. The church must seek explicit consent before naming any of its members in the annual report.

You may find it useful to conduct a legitimate interests assessment (LIA) to assess appropriate safeguards and document your reliance on this basis. There is no requirement to do so, but it can help you demonstrate your compliance in line with the accountability principle. More information on how to conduct an LIA is set out in our legitimate interests guidance.

(e) Made public by the data subject

Article 9(2)(e) permits you to process special category data if:
You don’t need a DPA Schedule 1 condition or an appropriate policy document to rely on this condition.

This condition does not cover all special category data in the public domain. It only covers personal data that the individual themselves has made public.

The term ‘manifestly made public’ is not defined by the UK GDPR. But it clearly assumes a deliberate act by the individual. It’s not enough that it’s already in the public domain – it must be the person concerned who took the steps that made it public.

Example

A security breach means that information about an individual’s health condition is publicly available from an organisation’s website. Clearly, making their special category data public was not a deliberate act on the part of the individual. Therefore this condition would not apply to any processing of health data obtained from the website.

Example

The political affiliations of a member of parliament are technically special category data (these are ‘political beliefs’). However these are clearly a matter of public knowledge and the individual has actively chosen to make these public by standing for election as a member of parliament.

You need to be confident that it was the individual themselves who actively chose to make their special category data public and that this was unmistakably a deliberate act on their part. There is a difference between assenting to or being aware of publication, and an individual actively making information available, for example by blogging about their health condition or political views.

You might also find it hard to show that someone has manifestly made information public if, for example, they made a social media post for family and friends but default audience settings made this public. You should therefore be very cautious about using this condition to justify your use of special category data obtained from social media posts.
To be manifestly made public, the data must also be realistically accessible to a member of the general public. The question is not whether it is theoretically in the public domain (eg in a publication in a specialist library, or mentioned in court), but whether it is actually publicly available in practice. Disclosures to a limited audience are not necessarily ‘manifestly public’ for these purposes. In particular, information is not necessarily public just because you have access to it. The question is whether any hypothetical interested member of the public could access this information. You cannot use this condition to justify publication of previously unpublished data. It only applies to information which is already public. So to use this condition, you should consider some specific questions:
For accountability purposes, you should keep a record of the source of the data, to help you demonstrate it was manifestly made public by the individual.

It is important to remember that once you start processing this data, you become the controller for the data and this condition does not exempt you from your other obligations under the UK GDPR. You must always be able to demonstrate that your processing is more generally lawful, fair and transparent, and in particular that you have a valid lawful basis. You need to consider the individual’s reasonable expectations for further use of the data, in order to ensure your processing is fair. You also need to respect the individual’s rights and ensure you tell individuals that you are processing their data. There is no automatic exemption from transparency obligations just because information is in the public domain.

(f) Legal claims and judicial acts

Article 9(2)(f) permits you to process special category data if:
You don’t need a DPA Schedule 1 condition or an appropriate policy document to rely on this condition.

Legal claims

You must show that the purpose of the processing is to establish, exercise or defend legal claims. ‘Legal claims’ in this context is not limited to current legal proceedings. It includes processing necessary for:
Example

An employer is being sued by one of its employees following an accident at work. The employer wants to pass the details of the accident to its solicitors to obtain legal advice on its position and potentially to defend the claim. The information about the accident includes details of the individual’s injuries, which qualify as health data. The purpose of the disclosure is to establish its legal position and to defend the claim.

Example

A professional trust and estate practitioner advises a client on setting up a trust to provide for a disabled family member. The adviser processes health data of the beneficiary for this purpose. Although there is no active legal claim before the courts, this is still for the purpose of establishing the legal claims of the trust beneficiary for the purposes of this condition.

Example

A hairdresser conducts a patch test on a client to check that they will not have an allergic reaction to a hair dye. The hairdresser records when the test was taken and the results. The hairdresser is therefore processing health data about the client’s allergies. Although there is no actual or expected court claim, the purpose is to establish that the hairdresser is fulfilling their duty of care to the client, and to defend against any potential personal injury claims in the event of an adverse reaction.

You must be able to justify why processing of this specific data is ‘necessary’ to establish, exercise or defend the legal claim. The use of this data must be relevant and proportionate, and you must not have more data than you need.

Judicial acts

This condition also applies whenever a court (or tribunal) is acting in its judicial capacity. If you are a court then you can apply this condition whenever you are processing special category data in your judicial capacity.
If the processing is not part of your judicial duties then this condition does not apply and you need to look for an alternative condition in order to be able to process special category data.

(g) Substantial public interest

Article 9(2)(g) permits you to process special category data if:
The relevant basis in UK law is set out in section 10(3) of the DPA 2018. This means that you need to meet one of the 23 specific substantial public interest conditions set out in Schedule 1 (at paragraphs 6 to 28). You must also have an ‘appropriate policy document’ in place for almost all of these conditions.

For more information, see ‘What are the substantial public interest conditions?’

(h) Health or social care

Article 9(2)(h) permits you to process special category data if:
The relevant basis in UK law is set out in the DPA 2018, in Schedule 1 condition 2. This condition covers the following purposes:
You must be able to justify why processing of this specific data is ‘necessary’ – it must be a reasonable and proportionate way of achieving one of these purposes, and you must not have more data than you need.

Article 9(3) of the UK GDPR contains the additional safeguard that you can only rely on this condition if the personal data is being processed by (or under the responsibility of) a professional who is subject to an obligation of professional secrecy. Section 11 of the DPA 2018 makes it clear that in the UK this includes:

(a) a health professional or a social work professional; or

Section 204 of the DPA 2018 defines the terms “health professional” and “social work professional”. You should check the full details of section 204 where relevant, but as a guide this includes:
If you are not subject to a duty of confidentiality to the individual, but you are under a legal obligation in connection with the provision of social services, the condition for employment, social security and social protection law may be more appropriate.

You don’t need to have an appropriate policy document in place.

Where this condition applies, the individual does not have a right to erasure.

(i) Public health

Article 9(2)(i) permits you to process special category data if:
The relevant basis in UK law is set out in the DPA 2018, in Schedule 1 condition 3. In order to rely on this condition the processing must be carried out either:
Recital 54 of the UK GDPR gives more guidance on what is meant by ‘public health’:
You must be able to demonstrate that the processing is necessary for reasons of public interest in the area of public health. The term ‘public interest’ is not defined, but you need to point to a benefit to the wider public or society as a whole, rather than to your own interests or the interests of the particular individual. In particular, recital 54 makes clear this condition should not enable processing for other purposes by employers, or by insurance or banking companies. This condition may for example apply where the processing is necessary for:
Example

A number of GP surgeries wish to use a workforce and workload planning tool for their practices. The tool requires the analysis of patients’ health data to supply information on current activity, and identifies opportunities to improve effectiveness and efficiency of health provision. The GP surgeries can justify that this is necessary for public interest reasons in the area of public health.

You don’t need to have an appropriate policy document in place.

Where this condition applies, the individual does not have a right to erasure.

(j) Archiving, research and statistics

Article 9(2)(j) permits you to process special category data if:
The relevant basis in UK law is set out in the DPA 2018, in Schedule 1 condition 4. This condition requires you to:
Not all research is covered by this condition. You need to demonstrate that your research is either scientific or historical in nature, and in the public interest. This applies to both public-sector and private-sector research. It can include, for example, technological development and demonstration, fundamental research, applied research and privately funded research. Commercial scientific research may therefore be covered, but you need to demonstrate that it uses rigorous scientific methods and furthers a general public interest. However, commercial market research is unlikely to be covered, unless you meet this requirement. Article 89(1) says that you must have appropriate safeguards in place to protect individuals, and in particular technological and organisational measures to ensure data minimisation. Section 19 of the DPA 2018 contains further safeguards and restrictions. In particular, this means you must:
You don’t need to have an appropriate policy document in place.

Example

A hospital asks a number of patients for their informed consent to take part in a series of clinical trials for a new medication, in line with clinical trials regulations. However, for the purposes of the UK GDPR, the hospital does not wish to rely upon explicit consent as its condition for processing the participants’ health data. The hospital needs to continue to process the research data already collected even if the patient withdraws their consent and drops out of the trial. It also considers that in the context of a clinical trial, consent does not match the ‘freely given’ standard of the UK GDPR, given the imbalance of power between the patient and the hospital clinicians.

Instead the hospital relies upon Article 9(2)(j) – processing for scientific research purposes – as its condition for processing the special category data of the participants. It ensures it has addressed the safeguards set out in Article 89(1) of the UK GDPR and in section 19 of the DPA 2018. The hospital’s Article 6 basis for processing is Article 6(1)(e) – the performance of a task carried out in the public interest.

Further reading – European Data Protection Board (EDPB)

EDPB guidelines are no longer directly relevant to the UK regime and are not binding under the UK regime. However, they may still provide helpful guidance on certain issues.

The EDPB has adopted an opinion on the interplay between the CTR and the GDPR.