“We have to become more agile as our clients' expectations and requirements change. The only thing we know is that tomorrow is going to be different and we must be prepared. With LexisNexis, I feel more confident that we're ready every time.”
Wolverhampton County Council
Access all documents on Special Category Data
This is a Checklist of the main issues that an employer will need to consider when seeking a medical report on a current employee during the employee’s employment: Clarify the objective of the report. See Practice Note: Medical reports—data protection issues and AMRA 1988—Purposes of medical report. Explain why health information is required and set out the grounds for requesting a medical report—is there a defined element of the role that necessitates it, or is the aim to evaluate overall health, eg for a physically demanding post? Set the scope of the report—identify precisely what the employer needs to know, avoiding intrusion where it is not needed or relevant. Consider whether involving an occupational health (OH) professional or service could limit the volume of health data the employer processes. Specify who will have sight of the report, when they will see it, and for what purpose they will use it. Confirm who will prepare the report. ...
These Flowcharts offer direction on the proper method for completing the parts of a stock transfer form that address consideration, stamp duty certification, and execution. They are included within an annotated stock transfer form, which clearly sets out instructions explaining how its sections should be properly filled in...
This Flowchart helps determine the appropriate rate of stamp duty land tax (SDLT) for the transaction in question. Different SDLT rates may apply to purchases depending on the property type (residential, non-residential (commercial property), or mixed-use property). Use this Flowchart in conjunction with Practice Note: Rates of SDLT. This Flowchart proceeds on the basis that: (1) the buyer is acquiring a single property and the purchase is not linked with any other transaction (for further detail on linked transactions, see Practice Note: SDLT chargeable consideration—Linked transactions); (2) no relief from SDLT applies to the transaction...
This diagram outlines the concluding payment procedure for the JCT Intermediate Building Contract 2016 (with and without contractor’s design)...
What are the most significant changes introduced by the Act that pension scheme trustees need to prepare for? The most notable reforms in the Act that trustees should be ready for are: Data subject complaints: complaints about the handling of personal data must be acknowledged within 30 days and answered without undue delay. ICO enforcement powers: the Information Commissioner’s Office (ICO) now has authority to compel interviews and require the production of documents to assess compliance. Data subject access requests (DSARs): the Act codifies the ICO’s existing guidance, meaning (i) trustees must apply a ‘reasonable and proportionate’ search standard when responding; and (ii) the ‘stop the clock’ rule pauses the one-month deadline for a response. Automated decision making (ADM): the Act allows reliance on the full set of lawful bases — including ‘legitimate interests’ — when non-special category personal data is used for significant automated decisions about an individual, provided suitable safeguards are in place. ...
Austen Hays announced it has filed a claim in the High Court, asserting that Grindr violated data protection rules by unlawfully handling and disclosing users’ 'highly sensitive' medical information to third parties without permission. According to the firm, advertising partners including Localytics and Apptimize received private data from Grindr’s users between May 2018 and April 2020, and potentially for a longer period, the firm added in its claim. Founded in 2009, the app calls itself 'the largest social networking app for gay, bi, trans and queer people', claiming 'millions of daily users' who use its location-based technology to connect across more than 190 countries. Austen Hays said the breaches enabled a 'potentially unlimited number' of third parties to direct advertisements at users and tailor those promotions. These third parties either delivered adverts themselves or operated as so-called adtech intermediaries, with the potential to pass data on to additional entities. The allegations concern data protection law...
In this issue: New technologies; Information technology; Internet; Data protection; Advertising, marketing and sponsorship; Reputation management; LexTalk®TMT: a Lexis®Nexis community; Daily and weekly news alerts; New and updated content; Dates for your diary; Trackers; Useful information
New technologies
iQIYI brings a landmark copyright claim against Chinese AI start-up MiniMax. According to MLex, the China-based video-streaming service has filed proceedings in a local court, accusing the domestic artificial intelligence start-up of infringement linked to AI model training and content production. See: iQIYI sues Chinese AI startup MiniMax for copyright infringement in landmark case, MLex has learned.
Appeal Tracker: Comptroller-General of Patents, Designs and Trade Marks v Emotional Perception AI Ltd
In Comptroller-General of Patents, Designs and Trade Marks v Emotional Perception AI Ltd [2024] EWCA Civ 825, the Supreme Court granted permission to appeal on 29 November 2024. Earlier, the Court of Appeal (Civil Division) upheld the hearing officer’s appeal from...
On 31 January 2020, the UK left the EU and the EEA. This Practice Note introduces: (1) the General Data Protection Regulation, Regulation (EU) 2016/679 (EU GDPR) framework (which applied within UK law up to the end of the Brexit implementation period—11 pm UK time on 31 December 2020—and continues to operate across the EEA; therefore, any references in this Practice Note to EEA or EU states should be read as also covering the UK until that period concluded); and (2) the United Kingdom General Data Protection Regulation, Retained Regulation (EU) 2016/679 (UK GDPR) framework (which applies under UK law from the end of the Brexit implementation period). Where there is no need to draw a distinction, this Practice Note refers to both as ‘GDPR’ for ease. When looking at the routine processing of personal data, the UK GDPR and the Data Protection Act 2018 (DPA 2018) should be consulted together, as both sets of provisions have direct effect. Practitioners will generally...
What is digital health? Digital health is a broad umbrella describing how information and communication technologies are used to enhance prevention, diagnosis, treatment, monitoring, and the management of health conditions and lifestyle habits that influence wellbeing. Its rise reflects the coming together of healthcare and technology, and a move away from provider‑focused, ‘one size fits all’ delivery towards personalised, patient‑centred care. This Practice Note explores data protection considerations across three digital health use cases: wearables; use of artificial intelligence (AI) in medical diagnostics; and digital health records. Unlike mobile health (mHealth), which is limited to care delivered via mobile devices, digital health is wider in scope. It encompasses modern care models such as digital therapeutics, telemedicine, digitised health systems and electronic health records, as well as AI, machine learning and data analytics. For more on mHealth, see Practice Notes: Digital health—regulation of mHealth apps and medical software and mHealth—data protection considerations. Digital health solutions can be applied at every stage...
This Practice Note outlines the matters an employer must weigh up when obtaining medical assessment reports for their staff and prospective recruits...
Stop press: The Data (Use and Access) Act 2025 (Commencement No 6 and Transitional and Saving Provisions) Regulations 2026, SI 2026/82 now commence the remaining provisions of the Data (Use and Access) Act 2025 (DUAA 2025). Provisions covering the areas below apply from 5 February 2026, while those on penalty notices and complaints apply from 19 June 2026. For further details, see Practice Note: Data (Use and Access) Act 2025—employment implications. This Precedent will be updated shortly to reflect these changes.
subject access requests; legitimate interests; purpose limitation; automated decision-making; international transfers; enforcement
[ Insert name of organisation ] Data protection privacy notice (secondment)
As you are aware, it is proposed that you will be seconded to [ insert name ] (host employer). This notice sets out which personal data (information) [ insert name of employer ] [ trading as [ insert trading name, if different ] ] (‘we’ or ‘Company’) will provide to, and receive from, your...
STOP PRESS: This page is being revised to reflect implementation of the Data (Use and Access) Act 2025 (DUAA 2025), which modifies the UK GDPR and the Data Protection Act 2018. For additional direction on DUAA 2025’s compliance impact, consult Practice Note: Data (Use and Access) Act 2025—compliance implications. This data protection quick-reference guide outlines the principal elements of data protection law, including the UK General Data Protection Regulation (UK GDPR). What is the UK GDPR? The UK General Data Protection Regulation (Assimilated Regulation (EU) 2016/679—UK GDPR) forms the primary framework for data protection in the UK. It is read alongside, and augmented by, the Data Protection Act 2018 (DPA 2018). Who is the data protection regulator in the UK? In the UK, the Information Commissioner’s Office (ICO) oversees and enforces compliance with data protection legislation. What type of information does the UK GDPR regulate? The UK GDPR does not apply to every kind of information or dataset. Its remit is limited to personal...
1 Identify the need for a DPIA
Outline at a high level what the project intends to deliver and the nature of the processing undertaken [ Add, eg you might find it useful to cite or link to supporting papers, such as a project proposal. Summarise the reasons you determined a DPIA is required. ]
2 Describe the processing
Describe the nature of the processing [ Add, eg in what way will you gather, use, retain and erase data? What are the origins of the data? Will any data be disclosed to others? Which forms of processing considered potentially high risk are included? You could also refer to a flow chart or another method of mapping data movements ]
Describe the scope of the processing: [ Add, eg what kind of data is involved, and does it cover special category or criminal offence data? How much data will be obtained and used? How frequently? For how long will it be kept? How many people...