The Data Protection Act has special rules about what is called “special category data.” This replaces “sensitive data” from the 1998 Act and has been updated to reflect changes over this time period. Because it is special, it requires more protection. “Special category data” means information about:
- Race
- Ethnic origin
- Politics
- Religion
- Trade union membership
- Genetics
- Biometrics (where used for ID purposes)
- Health
- Sex life; or
- Sexual orientation
We hold a fair amount of this information about some people. Essentially, the same grounds for passing on information to other agencies apply as with other forms of personal information, but the conditions are more closely controlled.
We can only pass on personal special category data to protect someone’s vital interests if the following additional conditions are satisfied:
- Consent cannot be given by or on behalf of the person whose information it is.
- We cannot reasonably be expected to obtain the consent of the person; or
- Where the consent has been unreasonably withheld.
So, if we believe we need to pass on special category information to protect someone’s vital interests, our first thought should be to get their consent. If they cannot give their consent (e.g. because they are a very young child or have a severe learning disability or mental illness), we can make a judgement about whether to pass the information on without consent. If it might cause a risk to seek consent, e.g. if we have concerns about parental abuse and need to pass information to the child protection team, then we can make a judgement about whether to pass it on without asking for consent. If we ask and the person refuses, we can make a judgement about whether we should override their refusal, but that would need to be for very good reasons with a high level of risk, e.g. they were a serious suicide risk or a risk to others.
There are several other grounds on which special category information can be passed on to others, including where the individual has made information public themselves, e.g. by making a statement to the press, or where we want to take legal advice. These decisions will be made at senior management level where necessary.
All teams that need to share personal information in any circumstances where consent is not obtained should have their own process for ensuring that the information is only shared when it should be. If you are in any doubt as to the judgement to make, you should check with your line manager or the Assurance Manager/DPO.