Special categories (sensitive personal data)

Special categories refer to data concerning

• race or ethnic origin

• political, philosophical or religious beliefs

• health

• sex life or sexual orientation

• trade union membership

• genetic and biometric data for the purpose of identifying a natural person

Special categories are defined in article 9 (1) of the General Data Protection Regulation (GDPR) (lovdata.no, in Norwegian).

The processing of special categories is generally prohibited, but special categories can be processed if one of the conditions in Article 9 (2) are met.

• See the Norwegian Data Protection Authority's web page on special categories of personal data (in Norwegian)
• See the Norwegian Data Protection Authority's web page on the processing of special categories of personal data - prohibitions and exemptions (in Norwegian).

Duty to consult

There is a duty to consult the Data Protection Officer at the institution or the Data Protection Services for Research (Sikt) before you can commence processing of personal data, cf. Sections 9 and 10 of the Norwegian Personal Data Act (lovdata.no, in Norwegian), if you are intending to process “special categories” in connection with research activities or without consent for the purposes of archiving or statistics. In special cases, the Norwegian Data Protection Authority may grant permission for the processing of “special categories” if necessary for reasons of substantial public interest, cf. Section 7 of the Norwegian Personal Data Act.

Data Protection Impact Assessment

In some cases, it is also necessary to conduct a data protection impact assessment (DPIA) in accordance with Article 35 of the GDPR. See also the Norwegian Data Protection Authority's web page about DPIA's (in Norwegian).

Personal data concerning criminal convictions and offences or related safeguards

Restrictions also apply to the processing of personal data concerning criminal convictions and offences or related safeguards as set out in Article 10. Such data must be processed only under the control of the public authorities or when processing is authorised by law. The authority and duty to consult the Data Protection Officer or equivalent is governed in Section 11 of the Norwegian Personal Data Act (lovdata.no, in Norwegian) and Section 8 of the Norwegian Personal Data Act (lovdata.no, in Norwegian).

Personal data concerning vulnerable groups or people in vulnerable situations

Other personal data may also be considered sensitive, both because the data concerns vulnerable groups (such as patients, children, elderly persons with dementia or cognitive impairments, etc.) or because the data concerns persons in a vulnerable situation (such as individuals suspected of cheating, misconduct, who are involved in a conflict, etc.). There are also other reasons why data should be classified as “protected” (examples include national identification numbers, secret addresses or passwords).

Personal data defined under the GDPR as “special categories” (Article 9) and personal data concerning criminal convictions and offences (Article 10) is normally associated with a high degree of sensitivity and must be processed according to strict rules.

It may be useful to look at Normen's guidance for small health enterprises (ehelse.no, in Norwegian).

Classification will govern how data can be processed and the technical solutions that can be used; in combination with the degree of personal identification (amount of personally identifiable data available in the data material). Learn about classification and the how to store data correctly in the storage guide.

It follows from Security Instruction 2.9 that sensitive personal data must not be submitted unencrypted via e-mail. Consider alternative options. See concerning the use of email at OsloMet.

National identification numbers do not fall under special categories as defined in the GDPR, but constitute special personal data and should be processed with particular care (cf. Section 12 of the Norwegian Personal Data Act). See the Norwegian Data Protection Authority's web page on national identity numbers (in Norwegian). National identification numbers have been established by the government as a unique key used to distinguish individuals from one another. The national identification number is, among other things, used to link information about individuals. It also often acts as a form of "password” when contacting government agencies, in order to access services or other personal data. This means that national identification numbers can be used, among other things, in connection with identity theft.

National identity numbers should not be recorded unless absolutely necessary and must not be submitted via unencrypted email or shared on the internet.