Special categories (sensitive personal data)
Special categories
Special categories refer to data concerning:
- race or ethnic origin
- political, philosophical or religious beliefs
- health
- sex life or sexual orientation
- trade union membership
- genetic and biometric data for the purpose of identifying a natural person
Special categories are defined in Article 9 (1) of the General Data Protection Regulation (GDPR) (lovdata.no, in Norwegian).
The processing of special categories is generally prohibited, but special categories can be processed if one of the conditions in Article 9 (2) is met.
Special requirements associated with the processing of “special categories”
Duty to consult
There is a duty to consult the Data Protection Officer at the institution or the Data Protection Services for Research (Sikt) before you can commence processing of personal data, cf. Sections 9 and 10 of the Norwegian Personal Data Act (lovdata.no, in Norwegian), if you are intending to process “special categories” in connection with research activities or without consent for the purposes of archiving or statistics. In special cases, the Norwegian Data Protection Authority may grant permission for the processing of “special categories” if necessary for reasons of substantial public interest, cf. Section 7 of the Norwegian Personal Data Act.
Data Protection Impact Assessment
In some cases, it is also necessary to conduct a data protection impact assessment (DPIA) in accordance with Article 35 of the GDPR. See also the Norwegian Data Protection Authority's web page about DPIAs (in Norwegian).
Other personal data that may be sensitive
Personal data concerning criminal convictions and offences or related safeguards
Restrictions also apply to the processing of personal data concerning criminal convictions and offences or related safeguards as set out in Article 10. Such data must be processed only under the control of the public authorities or when processing is authorised by law. The authority and duty to consult the Data Protection Officer or equivalent is governed by Section 11 of the Norwegian Personal Data Act (lovdata.no, in Norwegian) and Section 8 of the Norwegian Personal Data Act (lovdata.no, in Norwegian).
Personal data concerning vulnerable groups or people in vulnerable situations
Other personal data may also be considered sensitive, either because the data concerns vulnerable groups (such as patients, children, elderly persons with dementia or cognitive impairments, etc.) or because the data concerns persons in a vulnerable situation (such as individuals suspected of cheating or misconduct, or who are involved in a conflict, etc.). There are also other reasons why data should be classified as “protected” (examples include national identification numbers, secret addresses or passwords).
Additional security when processing “special categories” and personal data deemed sensitive for other reasons
Personal data defined under the GDPR as “special categories” (Article 9) and personal data concerning criminal convictions and offences (Article 10) is normally associated with a high degree of sensitivity and must be processed according to strict rules.
It may be useful to look at Normen's guidance for small health enterprises (ehelse.no, in Norwegian).
Classification, in combination with the degree of personal identification (the amount of personally identifiable data available in the data material), will govern how data can be processed and the technical solutions that can be used. Learn about classification and how to store data correctly in the storage guide.
It follows from Security Instruction 2.9 that sensitive personal data must not be submitted unencrypted via email. Consider alternative options. See the page concerning the use of email at OsloMet.
Special information about national identification numbers (11 digits)
National identification numbers do not fall under special categories as defined in the GDPR, but constitute special personal data and should be processed with particular care (cf. Section 12 of the Norwegian Personal Data Act). See the Norwegian Data Protection Authority's web page on national identity numbers (in Norwegian). National identification numbers have been established by the government as a unique key used to distinguish individuals from one another. The national identification number is, among other things, used to link information about individuals. It also often acts as a form of “password” when contacting government agencies, in order to access services or other personal data. This means that national identification numbers can be used, among other things, in connection with identity theft.
National identity numbers should not be recorded unless absolutely necessary and must not be submitted via unencrypted email or shared on the internet.