Oct 18

Special category data & criminal offence data

DPOrganizer’s GDPR Requirements Series

11# Special category data & criminal offence data

Hi and welcome, today we are talking about somewhat more sensitive data. The regulation acknowledges that personal data are more or less sensitive in themselves. The lawmakers have gathered some of them into what are called special categories of personal data, and another data type called criminal offence data. Both are considered so sensitive compared to other personal data types that they are afforded an extra layer of protection. By default, you are not allowed to process data from these special categories, unless exemptions apply.

This post’s structure is that I will first go over the special categories, and then criminal offence data, since the requirements differ between the two.

First off, what are the different data types? The special categories that are stipulated in the articles are:

  • Personal data revealing race or ethnic origin (observe that regulations do not accept theories which attempt to determine the existence of separate human races)
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • The processing of genetic data or biometric data (to uniquely identify a natural person)
  • Data concerning health
  • Data concerning a natural person’s sex life, or sexual orientation

In the regulations (EU and UK GDPR), processing these data types is prohibited. To process them anyway, you need a regular lawful basis and, in addition, one of the following ten exemptions from the prohibition.

Four of them are stricter variants of the legal bases for regular processing activities:

  • Explicit consent
  • Vital interest of the data subject, or another natural person
  • Reasons of public interest in the area of public health
  • Reasons of substantial public interest based on EU/EEA or Member State law

The others entail processing necessary for:

  • Employment and social security
  • Legitimate activities by not-for-profit bodies
  • Legal claims
  • Medicinal or health system purposes
  • Archiving purposes in the public interest, for scientific, historical, or statistical purposes
  • If the personal data are manifestly made public by the data subject

Onward to criminal offence data, i.e., personal data relating to criminal convictions and offences or related security measures. What is that? The UK’s Information Commissioner’s Office stated that criminal offence data could be, for example, criminal activity, allegations, investigations, and proceedings. The Court of Justice of the European Union’s usual method for assessing whether something is an offence is to look at three factors. The method is often called the Engel criteria (after the name of the original case law). The criteria are:

  1. the legal classification of the offence under national law
  2. the very nature of the offence
  3. the nature and degree of severity of the penalty that the person concerned is liable to incur

In the EU and the UK, criminal offence data may only be processed under the control of official authority, or when the processing is authorised by EU/EEA or Member State law. In the UK, that is under domestic law instead. However, if it is a comprehensive record of criminal convictions, it must be under the control of official authority in both jurisdictions.

If you aren’t an official authority in the UK, you may apply one of the 28 conditions in Schedule 1 of the Data Protection Act. Some examples of the conditions are: employment, social security and social protection; preventing or detecting unlawful acts; and research. Here is the link to the ICO’s website to see all applicable conditions.

That is it for today. A small dive into sensitive personal data. If you have any questions, you can always reach out to me at albin.thelin@nulldporganizer.com or any of my colleagues in the Professional Services Team. Until next week, cheers!
