Governance and Compliance

Special category and criminal offence data

What are the ‘special categories of personal data’?

While all types of personal data require secure and proper handling, data protection legislation specifies some types of personal data which are likely to be more sensitive and which require a greater level of security and governance. These are called ‘special categories of personal data’.

We process these categories of personal data for a limited range of purposes and only where necessary. These types of data are listed below:

  • personal data revealing racial or ethnic origin;
  • personal data revealing political opinions;
  • personal data revealing religious or philosophical beliefs;
  • personal data revealing trade union membership;
  • genetic data;
  • biometric data (where used for identification purposes);
  • data concerning health;
  • data concerning a person’s sex life; and
  • data concerning a person’s sexual orientation.

What is ‘criminal conviction data’?  

We also process some criminal offence data for limited purposes. This type of data includes information about criminal allegations, proceedings and convictions. It also includes information linked to any security measures.

How do we process these types of data and remain compliant with legislation?  

Due to the sensitive and impactful nature of these categories of data, we need to have additional security measures in place to keep it safe. We take steps to stop this data being lost, stolen or disclosed inappropriately, and we make sure that the correct controls are in place before we start to process the data. For example, we may consider completing a Data Protection Impact Assessment, or we may use differing handling methods as appropriate. Other measures include breach management, contract reviews, up-to-date record keeping and reviews of data protection legislation in advance of new processing.

In addition to these measures, we must also identify a specific reason for processing each of these types of data when we process them. We must also meet the conditions set out in legislation to ensure our processing is lawful.

The conditions that we, as a Data Controller, need to meet are detailed in the General Data Protection Regulation (EU) 2016/679 (‘GDPR’) and the Data Protection Act 2018. In the GDPR there are ten conditions for processing special categories of personal data in Article 9, and in the Data Protection Act 2018 they can be found detailed in Schedule 1, where you can also find details of the conditions for processing criminal conviction data.

Not all of the conditions for processing which are listed out in the legislation apply to us, so we do not use all of them. Those that we commonly use are listed below:

  • The lawful basis that we often rely on to process such data is consent. Put simply, consent means “any freely given, specific, informed and unambiguous indication” of an individual’s wishes / agreement to the processing of their personal data;
  • We also process special categories of data for employment, social security and social protection purposes;
  • For health or social care purposes;
  • To ensure equality of opportunity or treatment;
  • For the prevention or detection of unlawful acts;
  • So that we can protect the public against dishonesty;
  • So that we can facilitate the provision of counselling and other support;
  • So that we can manage legal claims and proceedings.

You can find out more about our processing of criminal conviction data and the special categories of personal data by reading our Appropriate Policy Document.

Any further questions or concerns about the way we process special categories of personal data or criminal offence data should be referred to our Information Management Team at GDPR@sussex.ac.uk