What special requirements, if any, are required for processing sensitive PII? Are there any categories of PII that are prohibited from collection?
Data Protection & Cyber Security
Sensitive PII is the PII relating to racial or ethnic origin, political commitments, religious or philosophical beliefs, health or sex life.
Generally, this PII can be processed, but only on a limited set of grounds, such as: the written consent of the data subject to processing (the form and content of this consent are subject to certain statutory requirements); the data subject has made this data publicly available; processing is necessary to protect the life, health and other vital interests of the data subject or third parties, provided that obtaining consent is not possible; and some other cases provided by Russian laws, which rarely apply in practice.
Information on data subject’s criminal records may be processed by public authorities within their powers and by other persons in cases explicitly prescribed by federal laws. In particular, processing of information on criminal records is required in the course of applying for certain jobs (e.g. teaching activities).
Please note that an employer shall not process an employee’s PII on his/her membership in public associations or labour union activities unless otherwise provided by law.
Russian law also distinguishes biometric PII. This is data relating to physiological and biological characteristics of an individual which allow the individual to be identified and which is actually used by the data controller for the purpose of identification. Such data may only be processed with the written consent of the data subject (subject to some statutory requirements to its form and content) or pursuant to Russian law and applicable international treaties.
With regard to sensitive data, the law provides for a more restrictive set of regulations.
Under the Data Protection Law no person may be obliged to supply sensitive personal data, and such data may only be collected if authorized by law, and for a public interest purpose. However, in certain administrative decisions the Data Protection Authority has expressed that the consent of the data subject is a sufficient basis for the processing of his or her sensitive data.
Sensitive data also may be collected for statistical or scientific purposes, provided that the data subject cannot be identified. Setting up files, records, or databases which either directly or indirectly reveal sensitive data is forbidden. Despite this, the Catholic Church, religious associations, political organizations and unions can keep a registry of their members.
Data related to criminal precedents may be collected solely by the relevant competent authorities, and within the scope of the applicable legislation.
It is not prohibited to collect sensitive information. However, the processing of sensitive personal data may only occur if the holder or his legal representative consents, in a specific and prominent way for such specific purposes. Without the data subjects’ consent, the processing of sensitive personal data must follow one of the events listed below:
- For compliance with legal or regulatory obligation by the controller;
- By the public administration for the processing and shared use of data required for the implementation of public policies;
- For the conduction of studies by research entities, ensuring, whenever possible, the anonymization of personal data;
- When necessary for the performance of a contract or the regular exercise of rights in judicial, administrative or arbitral procedures;
- For the protection of the life or physical safety of the data subject or a third party;
- For the protection of health, in procedures carried out by health professionals or sanitary entities;
- For the guarantee of the prevention of fraud and security of the data subjects, in the processes of identification and certification of records in electronic systems, observing the data subject rights, and except in the event of prevalence of fundamental rights and liberties of data subjects that require protection of personal data.
The rules of the GDPR with regard to processing of special categories of personal data apply. No special national rules have been adopted in this regard. According to Article 9, para. 2 GDPR, processing of special categories of personal data is prohibited unless one of the following applies:
- The data subject has given explicit consent to the processing for one or more specified purposes unless EU or member state law prevents the data subject from lifting the general prohibition on this sort of processing.
- The processing is:
  - necessary to carry out the obligations or exercise the specific rights of the controller or data subject in the field of employment, social security, or social protection law; and
  - EU or member state law or a collective bargaining agreement authorises the processing and provides for appropriate safeguards for the data subject's fundamental rights and interests.
- The processing is necessary to protect the vital interests of the data subject or of another natural person when the data subject is physically or legally incapable of giving consent.
- A foundation, association, or any other not-for-profit body with a political, philosophical, religious, or trade union aim carries out the processing in the course of its legitimate activities with appropriate safeguards and:
  - the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes, and
  - the data is not disclosed outside the body without the data subject's consent.
- The processing relates to personal data that the data subject has manifestly made public.
- The processing is necessary for the establishment, exercise, or defence of legal claims or whenever courts are acting in their judicial capacity.
- The processing is necessary for reasons of substantial public interest on the basis of EU or member state law and:
  - is proportionate to the aim pursued,
  - respects the data protection rights, and
  - provides for suitable and specific measures to safeguard the data subject's fundamental rights and interests.
- The processing is necessary for one of the following purposes and subject to the specific safeguards:
  - preventative or occupational medicine,
  - the assessment of an employee's working capacity,
  - medical diagnosis, or
  - the provision of health or social care or treatment or the management of health or social care systems and services.
- The processing is necessary for public health reasons, such as protecting against serious cross-border health threats or ensuring high standards of quality and safety of health care, medicinal products, or medical devices, on the basis of EU or member state law, including professional secrecy, which provides suitable and specific measures to safeguard the data subject's rights and freedoms.
- The processing is necessary for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes, and is based on EU or member state law which is proportionate to the aim pursued, respects data protection rights, and provides for suitable and specific measures to safeguard the data subject's fundamental rights and interests.
The processing of personal data relating to criminal convictions and offences or related security measures must be carried out only under an official authority's control or when EU or member state law authorises it and provides for appropriate safeguards for the data subjects' rights and freedoms (Article 10 GDPR). In any other circumstance the processing of such personal data is prohibited.
Sensitive personal data and personality profiles are subject to stricter requirements than the processing of “normal” personal data. When collecting and processing sensitive personal data or personality profiles, the data controller is subject to an active information duty (see art. 14 FADP). Furthermore, the disclosure of such data to third parties must be justified by consent, law or an overriding interest (see art. 12 para. 2 lit. c in connection with art. 13 FADP).
There are no categories of personal data which are generally prohibited from collection.
In general, processing of sensitive data is prohibited by the GDPR, although this provision is not applicable when one of the exceptions established in article 9.2 occurs. Among others: when the data subject gave their consent, the process is covered by law, the data are manifestly made public by the data subject or its processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller.
Spanish legislation (LOPD) establishes a prohibition on consenting to data processing consisting exclusively of the storage of identifying information about certain categories of specially protected data, so such processing will only be legitimate if it falls within the exceptions provided by the GDPR.
Sensitive data may not be subject to processing, unless (i) the law so authorizes; (ii) there is express consent from the subject of the sensitive data; or (iii) it is necessary for granting health benefits.
Physician or doctor prescriptions, laboratory analyses or exams, and services related to healthcare are confidential. Such content could be revealed or copied with the express consent of the patient, granted in writing. Nevertheless, pharmacies can publish, for statistical purposes, the sales of pharmaceutical products of any nature, including the name and amount thereof.
The Data Privacy Act includes special provisions regarding a person’s economic, financial, banking or commercial information/data and its communication: see answer to question 4.
Explicit consent from the personal information subject is required for processing sensitive personal information.[10] “Explicit consent” is defined as express consent given in writing or through other unambiguous and affirmative actions freely made by personal information subjects.[11] A personal information controller is required to ensure that the explicit consent of the personal information subject is freely given, specific, fully informed and unambiguous.[12] Prior to the collection of sensitive personal information via voluntary provision or automatic collection, the personal information controller should:
1) inform the personal information subject of the core functions of the provided products or services and the personal sensitive information necessary to collect, and clearly disclose the impacts which may occur if the personal information subject refuses to provide it or refuses to consent. The personal information controller should allow the personal information subject to choose whether the provision or automatic collection [of the personal sensitive information] should be allowed.
2) where the products or services provide other additional functions and personal sensitive information needs to be collected, explain to the personal information subject prior to the data collection which personal sensitive information is needed for which specific additional functions, and allow the personal information subject to choose one by one whether the provision or automatic collection of the personal sensitive information will be allowed. When the personal information subject rejects, the related additional functions can be stopped, but this should not be a reason to stop providing core business functions, and the related service quality should be maintained.[13]
Network operators are prohibited by the CSL from collecting personal information that is not relevant to the services they provide.[14] Collecting personal information expressly banned by laws and regulations is unlawful under the PI Specification.[15] Some sectors may also prohibit the collection of certain types of information.
10 - PI Specification. 5.5.
11 - PI Specification. 3.6.
12 - PI Specification. 5.5 a).
13 - PI Specification. 5.5 b).
14 - CSL. § 41.
15 - PI Specification. 5.1 d).
Art. 9 GDPR prohibits the processing of special categories of personal data unless certain requirements are met. According to paragraphs 2 and 3, if the data subject has given explicit consent to the processing or if the processing is necessary for an overriding interest, the processing is legitimate. Such an interest is for example given when processing is necessary for the establishment, exercise or defense of legal claims or whenever courts are acting in their judicial capacity. The same applies if processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law or if processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent.
These exceptions are then again restricted by European Union or member state law.
Special categories of personal data encompass personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
Considering the aforementioned exceptions, there is no category of personal data that is completely and strictly exempt from processing under the governance of the GDPR or the FDPA.
Under the Privacy Rules, prior written consent is required for collection of sensitive PII. For seeking this consent, intended usage must be communicated to the Data Subjects.
With respect to sensitive PII, the Privacy Rules also prescribe:[26]
(a) Lawful purpose - Sensitive PII can only be collected for a lawful purpose connected with the function / activity of the concerned body corporate and where collection of sensitive PII is necessary for that purpose.
(b) Storage limitation - Sensitive PII cannot be retained for longer than it is required for the purpose for which it was collected.
(c) Conditions for transfer - Prior consent of the Data Subjects needs to be taken before sensitive PII can be disclosed to a third party unless such disclosure is:
(i) agreed under a contract; or
(ii) necessary for compliance with a legal obligation.
(d) Stipulations for third party recipients - Any third party receiving sensitive PII from a body corporate is restricted from disclosing it further.[27]
(e) Publishing restriction - Sensitive PII cannot be published.
No category of sensitive PII is prohibited from collection.
Except for the incremental requirement to procure "explicit consent" to process SPD, the PD-related compliances given under the Privacy Bill are equally applicable for processing of SPD. It also does not prohibit any category of SPD from being collected.
26 - Please note that measures applicable for processing of PII (identified in our response at Para 4.1 to Query 4 above) also apply to processing of sensitive PII.
27 - The security requirements to be complied with by third party recipients have been indicated in our response to Query 15 below.
As discussed in Point 3 above, MCI Regulation 20/2016 does not distinguish between PII and Sensitive PII. Generally, any Personal Data can be obtained and processed as long as the ESO has already obtained the Data Subject’s consent in accordance with the prevailing laws and regulations.
As foreseen in article 8 of the GDPR, where the child is below the age of 16 years and the processing of PII is related to the offer of information society services directly to him/her (except preventive or counselling services pursuant to Recital 38) and is based on consent, the controller must seek consent from the holder of parental responsibility over the child.
The Portuguese Data Protection Law may establish a lower age (up to 13 years).
Furthermore, increased attention should be paid to the information to be provided to children in order to ensure it is intelligible and clear for them.
Sensitive personal data is now called "special categories" of personal data.
The processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation (special category data) is prohibited.
There are exceptions to this prohibition. These include (but are not limited to) processing based on the data subject's explicit consent, processing necessary for the establishment, exercise or defense of legal claims, and processing necessary to carry out the obligations and rights of the controller or the data subject in the fields of employment, social security and social protection law. Full details are set out in Article 9 of the GDPR and parts 1 and 2 of Schedule 1 of the Data Protection Act 2018 (DPA 2018). These contain further details about the circumstances in which these exceptions will be met and where such processing is therefore permitted.
The definition of "special categories" of personal data has been expanded to include biometric data for the purpose of uniquely identifying a natural person, and genetic data. "Data concerning health" has also been specifically defined as "Personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status". "Wellbeing" data could therefore be caught by the rules regarding the processing of "special category" personal data. References to sexual orientation have also been added to the definition.
Criminal convictions and offences are not included within the definition of special category data; however the DPA 2018 deals with this type of data in a similar way. In order to process criminal convictions a controller must have a lawful basis, meet a condition set out in Schedule 1 of the DPA 2018 and comply with the safeguards set out in that Act.
Processing of special categories of personal data is as a rule prohibited, unless one of the available lawful bases for the processing of special categories of personal data applies (article 9 of the GDPR). Examples of such lawful bases:
- The explicit consent of the data subject was obtained.
- The data is required for the establishment, exercise or defence of legal claims.
- The personal data was manifestly made public by the data subject.
Article 9 par. 1 of the GDPR introduces a general prohibition on the processing of special categories of personal data. However, par. 2 of the above article provides for the specific requirements that must be met in order for the processing to be legal. Explicit consent by the data subject, carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law, protecting the vital interests of the data subject or of another natural person, processing which is necessary in the course of legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body, processing relating to personal data which are manifestly made public by the data subject, the establishment, exercise or defense of legal claims, substantial public interest, the provision of health or social care or treatment, public interest in the area of public health, archiving in the public interest, scientific or historical research purposes or statistical purposes, are all legal bases which can justify processing of special categories of personal data.
Moreover, article 9 par. 4 of the GDPR provides for the possibility of Member States to maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health.
Pursuant to the aforementioned possibility provided by the GDPR, article 7 of the Greek draft law introduces a general prohibition on the processing of genetic data as well as on genetic testing for health and life insurance purposes. Furthermore, it is not allowed to process personal data arising from genetic tests involving family members of the data subject.
Conditions for processing “special categories of personal data” are provided under Article 6 of the Law No. 6698 and a stricter protection regime is prescribed for the processing of such personal data:
It is prohibited to process special categories of personal data without obtaining the explicit consent of the data subject; however, special categories of personal data other than those relating to health and sexual life, may be processed without obtaining the explicit consent of the data subject, provided that the relevant processing activity is envisaged under the laws.
Personal data relating to health and sexual life shall only be processed without obtaining the explicit consent of the data subject for the purposes of protection of public health, operation of preventive medicine, medical diagnosis, treatment and care services, planning, management and financing of healthcare services by persons under the obligation of secrecy or authorized institutions and organizations.
It should be noted that, as opposed to its EU counterpart, the Law No. 6698 does not provide a derogation from the general rule prohibiting the processing of health data without obtaining the explicit consent of the data subject, in favor of employment practices.
The provisions of the GDPR apply to the processing of sensitive data.
However, the DSG provides additional requirements for the processing of personal data concerning criminal convictions. In brief, such processing is only permissible (i) if an express statutory authorisation or obligation exists or (ii) under the control of an official authority.
Sensitive PII, or more accurately now 'special categories' of personal data, are personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
In line with the GDPR, the definition of 'special categories' of personal data has been expanded under French law and now includes genetic data, biometric data for the purpose of uniquely identifying a natural person, and data concerning a natural person's sexual orientation (French DPA 1978, Article 6(I)).
As a general principle, the processing of special categories of data is prohibited (GDPR, Article 9(1); and French DPA 1978, Article 6(I)). As the collection is a form of data processing, the collection of special categories of data is also, as a general principle, prohibited.
However, there are exceptions to this prohibition. The exceptions to the prohibition are laid down either in the GDPR or the French DPA 1978 (Article 6(II)). These include but are not limited to processing based on the data subject's explicit consent, processing necessary for the establishment, exercise or defence of legal claims, and processing necessary to carry out the obligations and rights of the controller or the data subject in the fields of employment, health, social security and social protection law. Full details are set out in Article 9 of the GDPR and Articles 6 and 44 of the French DPA 1978. These contain further details about the circumstances in which these exceptions will be met and where such processing is therefore permitted.
Another exception to this prohibition is the processing of personal data justified by public interest carried out on behalf of the State acting in the exercise of its powers as a public authority (French DPA 1978, Articles 6(III), 31 and 32).
It should be mentioned that criminal convictions and offences are not included within the definition of special category data. The French DPA 1978 deals with this type of data. The processing of personal data relating to criminal convictions and offences is prohibited unless the controller is listed in Article 46 of the French DPA 1978.
In general, privacy laws in the U.S. do not designate specific categories of personal information as sensitive. Accordingly, there is no uniform view of what constitutes sensitive personal information in the U.S., although certain types of data, such as financial and health information, and PI collected online from children, or by schools or their contractors from or about students, often are subject to heightened protections. For example, HIPAA imposes privacy and security obligations on entities that handle PHI; GLBA protects “nonpublic personal information” maintained by financial institutions about their customers; FCRA governs how consumer reporting agencies collect, use and disclose consumer credit information; and the Genetic Information Nondiscrimination Act prohibits certain uses of genetic information. There also are state laws applicable to particular categories of personal information that may be considered sensitive, such as laws concerning the collection, use and retention of biometric information (for example, the Illinois BIPA) and requiring heightened data security safeguards for regulated financial institutions and insurers (for example, the New York Department of Financial Services Cybersecurity Regulation). Relatedly, certain federal and state nondiscrimination laws prohibit soliciting certain types of personal information or using such information to the detriment of a protected class or group, particularly in housing, employment and credit. California’s Unruh Civil Rights Act prohibits discrimination in public accommodations, or the offering of products or services, based on any of a large number of protected classes, or any other arbitrary classification. 
Protected groups, depending on the law at issue, include those discriminated against on the basis of sex, gender, religion, age, race, ethnicity, citizenship, ideology, political affiliation, creed, appearance, family status, sexual orientation, health status, military or veteran status, or source of income.