Sensitive personal data
GDPR states that processing of sensitive personal data shall be prohibited, however there are some exceptions from this prohibition. If the purpose requires sensitive personal data to be processed there must be an applicable exception for that specific processing activity. Keep in mind that you still need to comply with the other requirements in GDPR.
Sensitive personal data (referred to as special categories of personal data in GDPR) are data that reveals:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic data are data relating to a person's inherited or acquired genetic characteristics which provides unique information about the person's physiology or health and appears through an analysis of a biological sample, in particular chromosome-, DNA- or RNA analysis. Thereby all genetic data are not classified as sensitive personal data.
- Biometric data for the purpose of uniquely identifying a natural person are personal data relating to a person's "physical, physiological or behavioral characteristics" that enables identification of people, for example through fingerprint reading or eye scan technology. Photos of people only classifies as biometric data when they get processed with technology that enables identification or authentication of a person, such as face recognition technology.
- Data concerning health is data that covers all aspects of a person's health, such as data derived from tests or examinations, data that reveals disease, disease risk, disease history or disability. This applies to all health data, it does not matter what source that has been used for collection.
- Data concerning a natural person's sex life or sexual orientation
The exceptions in GDPR:
If the data subject has given an explicit consent
If the data subject has given an explicit consent to the processing of sensitive personal data for one or more specified purposes (the content in the consent must comply with the requirements in GDPR) the data may be processed, but only for the purpose approved by the data subject.
To protect vital interest
If the data subject is physically or legally incapable of giving a consent and the processing is necessary to protect the vital interests of the data subject or any other natural person.
Example: A person is consciousness. Their personal data may be processed to check the blood group and disease history of the person as well as to contact relatives.
When the data subject manifestly has made the data public
If the data subject manifestly has made the sensitive personal data public, KI may also process that data.
Example: A person appears on television and represents a certain political opinion, religious belief or tells about his illness. That person has made that sensitive personal data public.
Note: It is the person's intention that decides whether or not the data has been made public. A participant in a meeting organized by a trade union has probably not intended to publicly state that he or she is a member of the trade union. The same applies to data that occurs in court proceedings
The exceptions in supplementary data protection regulations
In some cases, you will have to look in other laws or regulations to find an exception that can be used to process sensitive data. This section will give you a brief summary of some of the exceptions that can be found in supplementary laws, and some examples of when these can be used.
In the field of labor law, social security and social protection
KI may process sensitive personal data to fulfill our obligations and to exercise our rights as an employer. In order for this exception to apply, the processing must be permitted in Swedish law or in collective agreement which also establishes appropriate safeguards for the data subject's fundamental rights and interests.
Examples:
- In order for KI to be able to pay sick pay or carry out rehabilitation of an employee.
- In order for KI to be able to offer or convey occupational pensions and different types of group insurances to employees at KI.
- In order for KI to provide certain personal data to trade unions to comply with the Discrimination Act.
For an important public interest
If necessary for an important public interest, it is permitted to process sensitive personal data. This may be the case when KI receives personal data and, according to law, must process it in order to handle a case or if the processing of personal data is necessary for an important public interest. However, which cases and situations that classifies as an important public interest are not entirely clear. An example of an important public interest is the foundation-based right to access public documents.
Additional provision in the Swedish Data Protection Act (SFS 2018:218)
There are provisions in the Swedish Data Protection Act (SFS2018:218) that is intended for the public sector where there are no sector-specific regulations on the processing of personal data. However, many authorities have sector-specific laws.
For archiving purposes
KI is obligated to archive documents for various reasons: as part of the national cultural heritage, in order to satisfy the right to access public documents, the need for administrative procedure and for research needs. Sensitive personal data may be processed if it is necessary to comply with such archive regulations.
Note: If the sole purpose of processing sensitive personal data is archiving, then that data may not be used for other purposes, unless there are particular reasons to do so with regard to the data subject’s vital interests. However, this use limitation does not apply to personal data contained in public documents.
For research purposes
When processing sensitive personal data or data on offenses for research purposes some additional safeguards measures must be implemented in order to protect the data subject’s fundamental rights and interests. An ethical review can be seen as such a safeguard measure, and therefore, research projects at KI must have at least one approval for the research from the Ethical Review Board before the research begins.
For statistical purposes
It may be necessary to collect and process sensitive personal data for statistical surveys and to produce, for example, business statistics. KI may carry out such processing activities if the public interest clearly outweighs the risk of intrusion to the privacy of the data subjects. If KI handles personal data solely for statistical purposes, this data may not be used for any other purpose, unless there are any particular reasons to do so for the vital interests of the data subject. Therefore, KI needs to assess if the statistics contribute more to society than it is likely to jeopardize the privacy of the data subjects. The assessment should contain:
- How important the statistical project is, how much benefit it makes in society
- Which categories of personal data that needs to be processed
- The security of personal data
- How costly/painful/ damaging it is to obtain or not to obtain the consent from the data subjects
- If information about the processing can be provided through, for example, an advertisement in a newspaper or a similar way
- Whether or not it is easy or identify individuals.
It may also be permitted to process sensitive personal data for statistical purposes under other laws that provides an adequate protection for the rights and interests of the data subjects.
Personal identification number
Personal identification number is also considered personal data that needs additional protection. These and coordination numbers may be processed if the data subject have given their consent to the processing. If there are no consent, personal identification numbers may only be processed when clearly motivated with regards to:
- The purpose of the processing
- The importance of a reliable identification
- Another important purpose
Other personal data that may need additional protection
There are many other categories of personal data that are sensitive, although GDPR not mention them as sensitive personal data. These categories of personal data may need additional protection. Personal data that could be classified as sensitive:
- Salary information
- Data that reveals offences
- Evaluation data, such as data from performance reviews, results from personality tests or personality profiles
- Information about someone's private sphere
- Information about social conditions.
These examples above are classified as privacy sensitive personal data. There is no prohibition to process privacy sensitive data, however, note that processing of this type of data may require a higher level of security than processing of more harmless personal data.