GDPR for Healthcare Professionals – Sensitive Personal Data

This is the fourth instalment of our series of blogs on the effects of the GDPR on healthcare professionals. For a general overview on the GDPR, please click here.

The General Data Protection Regulation (GDPR) is coming into force on 25 May 2018 and replaces the Data Protection Act 1998 (DPA).

Sensitive Personal Data is defined under the GDPR as ‘special categories of personal data’. On the whole, these are the same as those defined under the DPA, however new categories have been added.


Under the DPA, sensitive personal data is defined as:

personal data consisting of information as to:

(a) the racial or ethnic origin of the data subject;

(b) his political opinions;

(c) his religious beliefs or other beliefs of a similar nature;

(d) whether he is a member of a trade union;

(e) his physical or mental health or condition;

(f) his sexual life;

(g) the commission or alleged commission by him of any offence; or

(h) any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings.”


Under the GDPR, sensitive personal data is defined as:

“data consisting of racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person’s sex life or sexual orientation.”

The addition of genetic and biometric data is new and clearly, pertinent to healthcare professionals. As such data is included in the Sensitive Personal Data category, there are specific grounds where the processing of such data is allowed.

These grounds for processing personal data under the GDPR are largely the same as those under the DPA, and at least one must be satisfied in order for the processing to be lawful. These ten conditions are as follows:

  1. Explicit consent of the data subject, unless reliance on consent is prohibited by EU or Member State law.
  2. Necessary for the carrying out of obligations under employment, social security or social protection law, or a collective agreement.
  3. Necessary to protect the vital interests of a data subject who is physically or legally incapable of giving consent.
  4. Processing carried out by a not-for-profit body with a political, philosophical, religious or trade union aim provided the processing relates only to members or former members (or those who have regular contact with it in connection with those purposes) and provided there is no disclosure to a third party without consent.
  5. Data manifestly made public by the data subject.
  6. Necessary for the establishment, exercise or defence of legal claims or where courts are acting in their judicial capacity.
  7. Necessary for reasons of substantial public interest on the basis of Union or Member State law which is proportionate to the aim pursued and which contains appropriate safeguarding measures.
  8. Necessary for the purposes of preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or management of health or social care systems and services on the basis of Union or Member State law or a contract with a health professional
  9. Necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of healthcare and of medicinal products or medical devices.
  10. Necessary for archiving purposes in the public interest, or scientific and historical research purposes or statistical purposes in accordance with Article 89(1).

The ground most likely to be relied on by healthcare professionals is consent (ground 1 above).

However, healthcare professionals may also be able to rely upon the ground relating to preventative and occupational medicine as well as medical diagnosis (ground 8 above) explicit consent is not provided as is the likely case for reasons of public interest in the area of public health (ground 10 above).

A less likely, but also possible, ground that healthcare professionals could rely on when processing sensitive data is that relating to scientific research purposes (also ground 10 above).

Healthcare professionals should take comfort that under Article 6(1)(c), they shall also be permitted to process Sensitive Personal Data should they be complying with a legal obligation to which they are subject (for example; professional regulation requirements).

If you would like to discuss any of the points raised in this blog, or would like to speak to a specialist solicitor in our healthcare team, then contact us on 0161 926 9969.