In the ICO section of our update, we consider the implications for pension schemes of the ICO's guidance on "special category" or "sensitive" personal data such as data concerning an individual's health.  We also cover the ICO's draft "right of access" guidance which deals with an individual's right to make a data subject access request in relation to his/her personal data.

ICO guidance on special category personal data

The ICO has published guidance on the processing of "special category" personal data (sometimes referred to as "sensitive" personal data). Overall the guidance gives scheme trustees/operators additional comfort that the ICO is not likely to challenge the legitimacy of the processing by pension scheme trustees of health data where it is necessary for the administration of the scheme.

Personal data falling into certain categories is regarded as particularly sensitive and the GDPR therefore imposes an absolute prohibition on processing such data unless it falls within a specific exemption under the GDPR.

Data concerning health is classed as special category personal data. Pension schemes often need to process information about an individual's health in order to deal with requests to take benefits early due to ill-health, and may also find that information about health is provided when trustees make enquiries to decide how to pay a lump sum death benefit held on discretionary trusts.  Where a pension scheme is provided as a workplace benefit, trustees may have put in place a policy as part of their GDPR compliance which enables them to rely on the condition which allows processing in the field of employment and social security.  The guidance helpfully confirms that this condition covers old age benefits, death benefits, survivors' benefits and ill-health benefits, though, perhaps surprisingly, the guidance says, "This condition does not cover processing to meet purely contractual employment rights or obligations."

The guidance also indicates that the ICO gives a broad interpretation to the condition which allows processing which is "necessary for the establishment, exercise or defence of legal claims".  The guidance says that this condition is not limited to actual or prospective court proceedings, but includes "establishing, exercising or defending legal rights in any other way".  It gives the example of a professional trust and estate practitioner processing health data of a client's disabled family member for the purposes of setting up a trust to provide for that family member.  This example seems quite closely analogous to scheme trustees holding health data in connection with a member's request to take benefits early due to ill-health.

The guidance makes clear that there does not have to be an actual or expected court claim for the "defence of legal claims" condition to apply.  It gives the example of a hairdresser who does a hair dye patch test on a client to check for allergic reactions, and who then records the result of that test to make sure any future claims alleging breach of duty of care can be defended.  

Our thoughts

The recognition that it may be necessary to retain health data in case of future claims is useful for scheme trustees/operators who wish to retain data relating to health which they have received in the context of an ill-health early retirement application or in the context of making enquiries before exercising their discretion in relation to payment of a lump sum death benefit. Unlike the "employment and social security" condition, the "defence of claims" condition does not require trustees to have a policy in place, though such a policy can still be helpful in demonstrating that persons who are data controllers have met their wider data protection obligations.

ICO consultation on draft right of access guidance

The ICO is consulting on draft guidance on the obligations of a data controller to comply with requests from individuals wishing to exercise their right under data protection legislation to access their personal data.

The draft guidance covers such matters as:

  • what rights an individual has to access his/her personal data;
  • how to recognise a data subject access request (DSAR);
  • what steps the ICO expects a data controller to take to comply with a DSAR;
  • time limits for complying with a request;
  • the circumstances in which a data controller can refuse to comply with a request;
  • the level of checks which it is reasonable to make to verify the identity of a person making a DSAR; and
  • the approach to be taken where information requested includes information about other individuals.

The consultation closes on 12 February 2020.

Jade Murray

Partner, Pensions
United Kingdom