
Data Protection and Fingerprints

Under the EU General Data Protection Regulation (GDPR), biometric data is considered special category data, which requires more stringent conditions for processing.  Fingerprints are an example of biometric data, and employers need to consider carefully how and where they use such data.

When processing any personal data, an organisation needs to have legal grounds for doing so.  And, in the case of special category data such as fingerprints, an additional Article 9 Condition must be applied.

A company in Holland, which used fingerprints inappropriately to monitor its employees’ attendance and time registration, was recently fined €750,000.

The company had obtained Consent from its employees, but under the GDPR Consent must be freely given, which means that the individuals must be allowed to refuse to give Consent.  Because there is a significant imbalance in power between an employer and an employee, it can be difficult for employers to demonstrate that employees have been given a genuine opportunity to refuse Consent.

In this case, some employees had felt obliged to give Consent, so the Dutch DPA found that the company did not have valid legal grounds to process the data for this purpose. 

Though there may be an appeal, this illustrates the seriousness of processing special category data in a way that is considered unnecessary or disproportionate.

If you have any questions about biometric data or data protection in general, please contact us via email team@datacompliant.co.uk or call 01787 277742.

Victoria Tuffill, 25th May, 2020

 

What does the law say about protecting your health and other sensitive data?

Health data, identity theft and fraud are among the most significant concerns of data protection, especially where sensitive personal data is concerned.  Now the Information Commissioner’s Office has published detailed guidance on how data controllers should protect and handle this ‘Special Category’ data.

Special category data

Known as the most sensitive category of personal data, special category data concerns information on a person’s:

  • health
  • sex life or sexual orientation
  • racial or ethnic origin
  • political opinions
  • religious or philosophical beliefs
  • membership of a trade union
  • genetic data
  • biometric data for uniquely identifying a person such as a fingerprint, or facial recognition

Special care must be taken when processing sensitive data.  Because of its sensitive nature, there is a high risk to individuals if such data were to fall into the wrong hands.  It is illegal to process any of the above categories of data without a specific reason. 

So, data controllers MUST select one of the following legal grounds before processing:

  • explicit consent
  • obligations in employment
  • social security and social protection law
  • to protect vital interests
  • processing by not-for-profit bodies
  • manifestly made public
  • establish, exercise or defend legal claims
  • substantial public interest
  • preventative or occupational medicine
  • public health
  • research purposes.

‘Special Category’ data must also be given extra levels of security to protect it.  For example, limiting the number of individuals who may access such data, minimising the amount of data collected, stronger access controls – these and other such measures help to protect the privacy of the individual, and to maintain the integrity and confidentiality of the data.

If you have any questions about data protection, please contact us via email team@datacompliant.co.uk or call 01787 277742

Gareth Evans, 15th November 2019