Special Category Data (round 2!)
Hi apologies if my last post wasnt clear.
When processing Special Category Data I get tied up in knots! Can I clarify my thinking please?
Each time I process special category data do I need each of these three things below:
A Lawful basis (Article 6)
An exemption (Article 9)
Then on top of that do I also need an Appropriate Policy Document too?
Many thanks for your help.
You need to have a lawful basis under article 6 and an exception under article 9. You only need to do a DPIA if the processing of special categories of data is large scale or in combination with other risk processing.
You should always be clear in your privacy notice what data you are processing and the lawful basis and exceptions you rely upon.
Agree completely with Dominga. With regards to Appropriate Policy Document, it’s always a good idea to have a record of why you are processing special category data in your general processing records.
Agreed on what has been said before, but regarding your Schedule 1 conditions and references to legislation, remember the DPA has been amended and is not currently showing on Legislation.gov.uk in its updated form. You can use the Keeling Schedule at https://www.gov.uk/government/publications/data-protection-law-eu-exit
That being said, there shouldn’t be any consequential differences and Legislation.gov.uk is easier to navigate. Just worth double-checking – it’s more relevant if you need to look at the newly-added Schedule 21, particularly with regard to international transfers.
To add to Dominga and Hellen, you may also need to document that you’ve met the provisions in the Data Protection Act 2018. Section 10 of the DPA18 sets out conditions that need to be met to rely on special category lawful bases for employment, substantial public interest, health and social care, public health, and research. https://www.legislation.gov.uk/ukpga/2018/12/section/10/enacted
These are found in Schedule 1 of the DPA18. https://www.legislation.gov.uk/ukpga/2018/12/schedule/1/enacted