Information about an individual that is likely to be of a sensitive or private nature and could be used in a discriminatory way is described as sensitive personal information and identified as special category data. This type of information needs to be treated with greater care than other forms of personal data.
Sensitive personal information may include:
- Racial or ethnic origin
- Political opinion
- Religious or other similar beliefs
- Physical or mental health or condition
- Sexual orientation
When a data subject presents for an appointment, they will be required to provide, or a clinician may generate, obtain and document, information that may contain sensitive or special category data, including information relating to physical or mental health or a condition.
Second lawful basis for processing special category data
Special category data is personal data which the GDPR says is more sensitive, and so needs more protection. When processing special category data, Lexihealth must identify both a lawful basis under Article 6 and a separate condition for processing special category data under Article 9.
In accordance with GDPR Article 9, relating to special category information, the most appropriate lawful basis for Lexihealth in processing this kind of data is that processing is: “Necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of an employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services.”
However, you may be asked to provide consent before or during an appointment where special category information may be obtained and/or processed.
Consent needs to be clear, concise, specific, granular, explicit and separate from other terms and conditions, and will require the data subject to positively opt in. Consent forms will be periodically and routinely reviewed and updated to ensure they remain relevant and applicable to the process for which consent is required.
We will only use your personal information for the purposes for which we collected it unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will notify you, and we will explain the legal basis which allows us to do so.
Requirements for sharing special category data with third-parties
Lexihealth may act as a processor of personal data but become a controller in obtaining special category data during an appointment. Lexihealth may also be a controller and need to transfer information to a third-party where the third-party acts as a processor. In these instances:
Third-parties will be identified to the data subject prior to transfer of information. Consent may be required for Lexihealth to share personal information with third-parties, irrespective of their original role. Third-parties will be required to have a contractual agreement with Lexihealth. As part of this contract, third-parties will be required to demonstrate that they have attained a suitable level of information security and have met the standards set by GDPR in acting as a processor.
Lexihealth will not routinely transfer information outside of the EU. However, upon request from the data subject, Lexihealth may be required to do so. In this situation, Lexihealth will again need to ensure that there are adequate safeguards in place and that the recipient has a suitable level of information security and meets the same standards set by GDPR.