If you are collecting special category information under GDPR, do you know what to do? There have been incidences recently where an organisation has been collecting GDPR special category information. That is, information about:

  • health
  • ethnicity
  • sex life or sexual orientation
  • trade union membership
  • biometric data when used to identify you
  • political opinions and
  • religious or philosophical beliefs.

To be able to collect this information you need to have a second condition in place. One of the most common is explicit consent. There are others and depending on the organisation they may be able to use one of the alternatives as the secondary condition. You can find out more here

In addition to the secondary condition, the data once collected has to be held confidentially with only those who need access to the information, being able to access it. It has to be transferred securely. It has to be destroyed confidentially.

The organisations I am thinking of have been collecting special category information online. They are unclear what they need to do and did not put a secondary condition in place. Not only that but the collection of the special category information was a required field and could not be bypassed. What did they need that special category information for? How were they going to use it? None of this was explained. This implies that they do not know what they are doing with special category data and therefore they are probably not securing, transferring or deleting it correctly.

I contacted the organisations and offered to provide them with free advice to ensure that they were complying with data protection legislation. Lets see if they take up that offer.

If you need advice you can contact us here