As well as providing training and a GDPR Toolkit (details below) I also provide extended support to people who have attended training, bought the toolkit, or just need some friendly guidance. The GDPR Toolkit can be found here http://www.adaptconsultingcompany.com/gdprtoolkit/ Jersey Business as supporting the GDPR Training and they can be found at https://www.jerseybusiness.je/get-advice/it-office-systems/data-protection-small-business/

Saturday, 30 June 2018

Thoughts on Special Category Data v Confidential Data

The GDPR mentions Personal Data and Special Category Data

PERSONAL DATA: Name; Email; Address; Phone

SPECIAL CATEGORY DATA: Ethnic Origin; Politics; Religion; Trade Union Membership; Genetics; Biometrics (Where Used For ID Purposes); Health; Sex Life; Or Sexual Orientation.

I have always suggested that organisations should consider a middle Category called Confidential Data

CONFIDENTIAL DATA: SocSec; TaxRef; Passport; Driving Licence; Utility Bills; Bank Account;

I have also advocated perhaps have a RED, AMBER, GREEN approach to how data is classified and handled. This is simplistic, but for example, you might say GREEN can be shared within the organisation, AMBER only by approved persons and RED only by a senior manager under strict controls. This is a very simple approach to Data Processing Impact Assessment, making decisions based on the potential harm to the person.

RED = Special Category Data - likely to have significant negative impact on the data subject
AMBER = Confidential Data - likely to have a negative impact on the data subject
GREEN = Personal Data – unlikely to have a negative impact on the data subject

In Jersey the conditions for processing PERSONAL DATA are as follows
01 Consent
02 Contract
03 Vital interests
04 Public functions
05 Legitimate interests

The key thing about Special Category Data is that there are the conditions for processing special category data. The conditions are listed in Article 9(2) of the GDPR
In Jersey the conditions for processing SPECIAL CATEGORY data are as follows
06 Consent
07 Other legal obligations
08 Employment and social fields
09 Vital interests(subject to certain conditions)
10 Non-profit associations (subject to certain conditions)
11 Information made public
12 Legal proceedings, etc.
13 Public functions
14 Public interest
15 Medical purposes
16 Public health
17 Archiving and research
18 Avoidance of discrimination
19 Prevention of unlawful acts
21 Publication about malpractice and mismanagement
22 Counselling
23 Insurance and pensions: general determinations
24 Insurance and pensions: current processing
25 Functions of a police officer
26 Regulations

The point is that SPECIAL CATEGORY DATA must fit one of the conditions above.

As for CONFIDENTIAL DATA (which is not legally defined) this needs to comply with legal basis, but I would suggest merit a higher level of care, custody and safeguarding.

As noted above, this is what a Data Processing Impact Assessment is about. Ask yourself: Is there are risk? If there is perhaps give the data a special category and special treatment to make sure it is private, safe and secure.

So to be clear the law only talks about PERSONAL DATA and SPECIAL CATEGORY DATA, but I recommend that CONFIDENTIAL DATA is recognised as sensitive and treated accordingly.

Logically I would hope that any business would treat Passport; Driving Licence; Utility Bills; Bank Account; with special care and that is all I am advocating.


UK Guidance on Special Category Data


Jersey Law re Special Category Data

Working Party 29 Guidance on how to intrepret EU GDPR

No comments:

Post a Comment