Should you treat all Personal Data as Special Category data under GDPR…?

Those of us involved in evaluating the General Data Protection Regulation (aka GDPR) and advising on how to implement it for different scenarios are well aware of the distinction between “Personal Data” and “Special Category” data and we know that our Clients need to pay special attention to “Special Category” data. However, I have been thinking more and more about scenarios where I might consider recommending Clients treat routine “Personal Data” as if it was “Special Category” data.

Read on for an example to illustrate the point, although there are more examples (and I expect there are many that I haven’t thought of). Dissenting and assenting opinions are welcome so feel free to chime in with your views.

To start, for those less familiar with GDPR, the following definitions will help set the context:

• Personal Data (Article 4.1): “…‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly “
• Special Category Data (Article 9): “…processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation…”

There is an interesting, if subtle, distinction in emphasis on the various sub-classes of characteristics in Article 9 (at least, by my interpretation), broken down as follows:

• Processing any data capable of revealing various listed characteristics;
• Processing any genetic or biometric data capable of identifying a data subject;
• Processing data concerning health, sex life or sexual orientation.

The last of these is of interest for this particular example. Article 9 does not explicitly prohibit processing of data capable of revealingsexual orientation… but it does prohibit processing data concerningsexual orientation.

What’s the difference? Well, assume you are selling Car Insurance. You sell Insurance to Mr Joe Bloggs. In doing so, you ask if there is another named driver to be included on the Policy, which there is. The named driver is called Mr Michael Bloggs. No problem. Could be brothers or even father & son, right? All of the data collected (name, DoB, Gender etc is routine “Personal data”.

Except, you then ask what the relationship is between the two Insured drivers – and the Customer selects’ Spouse’. You now know something about the sexual orientation of both named drivers.

You might assume the Insurer could still ensure GDPR compliance by asking Mr Joe Bloggs to explicitly agree to allow such processing under Article 9.1.a (Explicit Consent) or perhaps the Insurer could even apply Article 6.1.b (“…processing is necessary for the performance of a contract to which the data subject is party…”). Problem solved, right?

Well, maybe for Mr Joe Bloggs, but not for Mr Michael Bloggs because he has not explicitly consented and he may not even be aware he is party to a contract. You could argue he is not actually party to the contract. Besides, that doesn’t matter, since “performance of a contract” is not one of the Legal Bases for processing ‘Special Category’ data in Article 9.

Perhaps some Data Controllers – especially those who capture details of Spouse or Partner – might consider treating Gender as “Special category” data just to be on the safe side?

As I said at the start, this is just one subtle example. Another might be as simple as a report in a Church Newsletter about a recent event or gathering, in which the attendees are named… thereby revealingsomething about religious beliefs. Of course, a proportionate evaluation of each case will presumably lead to an appropriate decision about that to do… but this assumes someone has thought of the subtle question to ask.

If you have any views on the above, or – more usefully perhaps – have other examples of scenarios where routine “Personal Data” should be treated as “Special category” data, feel free to comment…