Legal bases for processing special categories of personal data

(a) Explicit consent of the data subject

To rely on explicit consent for special categories of personal data, the same basic requirements as those for consenting to the processing of regular personal data apply. However, the requirements for explicit consent extend beyond that: implied consent is not acceptable, and the ‘clear affirmative actions’ that meet the requirements for ordinary consent are not sufficient. The key difference is that ‘explicit’ consent must be affirmed in a clear statement.

Explicit consent will be:

- A signature from the data subject
- A tick in an unchecked box by the data subject to say ‘I consent’
- An oral statement ‘Yes, I agree’

Even in a written context, not all consent will be explicit.

Difference between implied and explicit consent

Example 1: The Student Counselling Service provides the following to students registering for the service: “Email address (optional) - We will share your file with selected therapy centres and have them send you information to help you further.”

Example 2: The Student Counselling Service provides the following to students registering for the service: “I consent to you sharing my file with selected therapy centres and receive emails from them.”

In Example 1, the students, while actively entering their email, still give implied rather than explicit consent. In Example 2, they are giving a clear statement by ticking the box.

If you intend to use explicit consent as your legal basis, see the guidance on consent.

(b) Necessary for employment law or social security law purposes

This legal basis is likely to be used in an HR context where an employee’s sensitive personal data might be used to, for example, adapt a workstation.

Example

- Changing an employee’s contract to part-time after an illness.

(c) Necessary to protect vital interests

This broadly replicates the legal basis for processing ordinary personal data: if a person is incapable of giving consent due to, for example, being unconscious, medical data can be provided to the paramedics.

(e) Personal data manifestly made public

Sensitive personal data can, for example, be considered to have been made public by the data subject through a media interview published in a newspaper or broadcast on TV. In the case of publishing through social media, this will need to be considered on a case-by-case basis. If you are in a situation where you may wish to rely on this legal basis, please contact the Data Protection Officer for advice.

This does not include photographs, even though they might show the racial group or even the sexual orientation of an individual. Neither does it include information that a data subject has announced to a gathering of friends.

(f) Establishment, exercise or defence of legal claims

This will cover most activities of lawyers acting on behalf of the University and carrying out the University’s instructions.

Examples

- HR processes an employee’s sickness absence information with a view to seeking legal advice on an unfair dismissal allegation.
- A School passes a student’s information about the student’s dyslexia on to Legal Services as the student has threatened legal action, insisting that there was not enough extra time during an exam.

(g) Substantial public interest

Additional legislation has been created to make the processing of special categories of personal data legal for the purposes of providing counselling services and to detect and investigate malpractice.

(h) Medical purposes and the provision of health or social care

This legal basis will be used in situations where the processing is necessary for the purposes of occupational medicine and social care as well as preventative medicine and diagnosis, the provision of health care and treatment and also the management of health or social care systems and services. The data processing must be carried out by a professional who is subject to the duty of confidentiality, or a non-professional who is subject to the same standards. This covers medical professionals in the University hospitals and will also cover medical and genetic researchers.

(i) Public health

This legal basis permits the processing of sensitive personal data in cases of threats to health from infectious diseases. Should a case of, for example, cholera, ebola, or diphtheria occur in a University hospital, then the University and the NHS will have the legal duty to notify the government to prevent the spread of the disease.

(j) Archive, statistical and research purposes

If at all possible, all personal data – both special categories and ordinary personal data – should be anonymised for archiving, research and statistics. If that is not possible, then data protection legislation allows the activities to be carried out under suitable safeguards.

Examples

- Archiving material from a conference by a School.
- Conducting a longitudinal study which requires regular data from patients’ health records to be fed in. Complete anonymisation would not be possible.
- Providing information to the Higher Education Statistics Agency.

This article was published on 2023-11-09