What are the most significant changes introduced by the Act that pension scheme trustees need to prepare for?

The most notable reforms in the Act that trustees should be ready for are:

- Data subject complaints: complaints about the handling of personal data must be acknowledged within 30 days and answered without undue delay.
- ICO enforcement powers: the Information Commissioner’s Office (ICO) now has authority to compel interviews and require the production of documents to assess compliance.
- Data subject access requests (DSARs): the Act codifies the ICO’s existing guidance, meaning (i) trustees must apply a ‘reasonable and proportionate’ search standard when responding; and (ii) the ‘stop the clock’ rule pauses the one-month deadline for a response.
- Automated decision making (ADM): the Act allows reliance on the full set of lawful bases — including ‘legitimate interests’ — when non-special category personal data is used for significant automated decisions about an individual, provided suitable safeguards are in place.

...
In this issue:

- E-commerce
- Public procurement
- Sale and supply of goods
- Supply chain
- Daily and weekly news alerts
- New and updated content
- Dates for your diary
- Trackers
- Latest Q&A

E-commerce

EU GDPR obligations and platform liability (X v Russmedia)

The operator of an online marketplace where a listing appeared was held to have breached its duties under the EU General Data Protection Regulation, Regulation (EU) 2016/679 (EU GDPR), even though it removed the advert swiftly, in under an hour after receiving a takedown request. The court concluded it acted as a joint controller of the sensitive personal data within the advert and should, before publication, have put in place measures to:

(i) detect adverts containing sensitive personal data;
(ii) confirm that the advertiser is the individual whose sensitive personal data features in the advert and, if not, ensure the data subject’s explicit consent has been obtained; and
(iii) implement safeguards to stop any further...
On 1 February 2024, the ICO stated it had given approval to the legal services operational privacy certification scheme, referred to as LOCS:23. The programme is intended to support the legal profession in evidencing adherence to data protection standards whenever law firms handle clients’ personal information. According to Emily Keaney, the ICO’s deputy commissioner, providers of legal services handle significant quantities of sensitive personal data. Choosing to join the new certification scheme, she added, will help to reassure clients that firms are committed to safeguarding their personal details and have robust information security arrangements in place. This certification scheme is the fifth set of certification criteria the ICO has approved since such criteria were first introduced under the UK General Data Protection Regulation (UK GDPR), which brings elements of the EU’s GDPR into UK law. The UK data regulations came into force in January 2021 after the UK formally left the EU...
This Practice Note explores the following data protection, privacy and security matters arising in connection with the use of autonomous and connected vehicle technology:

- The technology
- Declaration of Amsterdam
- Cooperative Intelligent Transport Systems (C-ITS)
- United Kingdom General Data Protection Regulation
- Privacy and Electronic Communications Regulations 2003
- Cybersecurity
- The Product Security and Telecommunications Infrastructure Act 2022
- Connected and autonomous vehicles in the EU
- International
- Practical issues

For further detail and context on additional UK legal considerations linked to this technology, see the Practice Notes: Autonomous vehicles—key legal issues and Autonomous vehicles and insurance, and for a concise overview of dates and key points, see: UK automated vehicles—tracker. To monitor developments within the EU, also consult the Practice Notes: Automated vehicles—key legal issues in the EU and EU automated vehicles—tracker.

The technology

Contemporary vehicles already incorporate a suite of external communications, such as satellite navigation, in-car entertainment and emergency assistance, capable of automatically transmitting precise...
UK GDPR regime

This material focuses on the UK GDPR framework, with legislative references pointing to Assimilated Regulation (EU) 2016/679, the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018), unless expressly indicated otherwise. It also takes into account the Data (Use and Access) Act 2025 (DUAA 2025). Note that pages within the Information Commissioner’s Office (ICO) UK GDPR guidance and resources are being revised to reflect DUAA 2025.

When preparing for and managing employment tribunal proceedings, employers will need to process—ie gather, organise, use and disclose—information about claimants (whether prospective, current or former employees or workers) and other individuals, which will amount to personal data. The employer may additionally wish to process:

- special category data (previously known as sensitive personal data); and
- personal data regarding criminal convictions and offences, or related security measures (criminal offence data)

For further information on what is meant by: personal data, see: Personal data—lawful processing conditions below...
Special category personal data

Special category personal data is highly sensitive or private and therefore demands heightened protection. It is closely associated with:

- freedom of thought, conscience and religion
- freedom of expression
- freedom of assembly and association
- the right to bodily integrity
- the right to respect for private and family life
- freedom from discrimination

There is a presumption that such data must be handled with greater care, as collecting and using it is more likely to intrude upon these fundamental rights or expose someone to discrimination.

This Practice Note assumes familiarity with the concept of personal data. It outlines what qualifies as special category personal data and offers practical guidance on when and how you may process it. This Practice Note does not cover criminal offence data, which is governed by separate rules. This is most likely to be relevant to private sector commercial organisations in the employment relationship—see Practice Note: Criminal offence data—employment data protection...
STOP PRESS: This page is being revised to reflect implementation of the Data (Use and Access) Act 2025 (DUAA 2025), which modifies the UK GDPR and the Data Protection Act 2018. For additional direction on DUAA 2025’s compliance impact, consult Practice Note: Data (Use and Access) Act 2025—compliance implications.

This data protection quick-reference guide outlines the principal elements of data protection law, including the UK General Data Protection Regulation (UK GDPR).

What is the UK GDPR?

The UK General Data Protection Regulation (Assimilated Regulation (EU) 2016/679—UK GDPR) forms the primary framework for data protection in the UK. It is read alongside, and augmented by, the Data Protection Act 2018 (DPA 2018).

Who is the data protection regulator in the UK?

In the UK, the Information Commissioner’s Office (ICO) oversees and enforces compliance with data protection legislation.

What type of information does the UK GDPR regulate?

The UK GDPR does not apply to every kind of information or dataset. Its remit is limited to personal...
1 The issue

We must preserve the confidentiality of current and former clients’ affairs unless one of the following applies:

- disclosure is required or permitted by law; or
- the client gives consent.

The duty of confidentiality is a fundamental obligation of a solicitor. It is an unqualified responsibility to keep information confidential, not merely to take reasonable steps towards that end.

Working away from the office, including from home, inevitably means handling and discussing sensitive matters outside a controlled environment. Security is a major concern and, inseparable from it, confidentiality. Although we operate on secure networks, once information leaves the office or discussions occur elsewhere, security cannot be assured. Confidentiality is far easier to maintain in a protected workspace such as our offices; therefore, when working in other locations, we must remain alert to confidentiality risks in our personal and work settings and exercise extra care with confidential data.

2 What we need from you

Wherever you are working, it...
Dear [ Insert employee name ]

Notice of change of employer

From [ insert date of acquisition ] the [ insert name of the business being transferred in the reorganisation ] transferred to [ insert buyer name ]. Under the Transfer of Undertakings (Protection of Employment) Regulations 2006, you automatically became employed by [ insert buyer name ].

Your terms and conditions remain as with [ insert seller name ], and your rights [ apart from those relating to your occupational pension ] are unaffected. Your continuous service is preserved; only your employer’s name has changed.

Your contract of employment and all information held about you by [ insert seller name ] transferred to [ insert buyer name ], including sensitive data like your sickness record. [ insert buyer name ] confirms it now holds your personal data to fulfil its obligations and exercise its rights as your employer.

[ A statement of any changes to your employment terms is enclosed. ]

Please acknowledge this change...