Pride 2023: Take pride in your processing
June is Pride month, an opportunity to commemorate, celebrate and raise awareness of the LGBTQIA+ community around the world. Individuals in this community continue to suffer persecution and discrimination; even in England and Wales, it is only in the last decade, by virtue of the Marriage (Same-Sex Couples) Act 2013, that same-sex couples have been allowed to marry, only since 2005 that it has been possible for trans people to secure full legal recognition of their male or female gender, and only since 2010 that the Equality Act has extended protection from discrimination to protected characteristics including sexual orientation, or perceived sexual orientation, and gender reassignment. The LGBTQIA+ community can therefore be affected to a greater extent by the processing of their personal data and any personal data breach or unlawful processing. These additional risks, and steps to mitigate them and any resulting harm, should be reflected in any Data Protection Impact Assessment (DPIA), as well as any Data Transfer Impact Assessment.
Inferred personal data
It is important to recognise that the definition of personal data at Article 4(1) UK GDPR encompasses any information relating to an identified or identifiable natural person, whether that information is factual or an opinion or inference. In issuing a fine of approximately €6.5 million against Grindr LLC, the operator of the location-based social networking and online dating application targeted towards members of the gay, bisexual, transgender, and queer community, the Norwegian data protection authority, Datatilsynet, determined that “We consider that data revealing the fact that someone is a Grindr user strongly indicates that they belong to a sexual minority”, and that such data therefore constituted special category personal data, which had been unlawfully shared with third parties for behavioural advertising purposes. A similar approach was taken by the Information Commissioner in the reprimand he issued against Grindr.
Employees
One of the first steps to supporting your workforce is to understand them. Article 9(1) UK GDPR / GDPR define special category personal data - previously referred to under the Data Protection Act 1998 as sensitive personal data - as including “data concerning a natural person’s sex life or sexual orientation” and prohibit its processing unless certain conditions apply. Personal data pertaining to gender does not fall within this category of personal data automatically warranting additional protection.
Grounds for processing special category personal data include where the individual has given their explicit consent to the processing, where the personal data has been manifestly made public by the individual, where processing is necessary to comply with rights or obligations in the field of employment and social security and social protection law, or where processing is necessary for reasons of substantial public interest specified in domestic legislation.
Section 10 and Schedule 1 to the Data Protection Act 2018 identify processing situations falling within the scope of these exemptions.
Where processing of special category personal data is for employment, social security and social protection purposes, an appropriate policy document is required to be in place, detailing the measures in place to secure compliance with the data protection principles and for the retention and erasure of personal data.
Part 2 of Schedule 1 to the Data Protection Act 2018 identifies processing situations which meet the substantial public interest threshold, which include identifying or keeping under review the existence or absence of equality of opportunity or treatment between groups of people, including people of different sexual orientation, with a view to enabling such equality to be promoted or maintained (see para.8). Again, an appropriate policy document is required to be in place.
Health and wellbeing
Part 2 of Schedule 1 to the Data Protection Act 2018 also establishes a lawful basis for non-profit organisations which provide support to individuals with a medical condition, which would include gender dysphoria, to process special category personal data, including health data and/or personal data concerning an individual's sex life or sexual orientation, regarding their members who have, or are at significant risk of developing, the relevant medical condition or who are their relative or carer. This applies where the processing is necessary to raise awareness of the condition or to provide support to or facilitate the support of such individuals, the data controller is not aware of the data subject withholding consent to processing, and the controller cannot reasonably be expected to obtain consent (see para.16). Again, an appropriate policy document is required to be in place.
Processing of personal data for the purpose of the provision of confidential counselling or similar advice or support is also authorised under Part 2 of Schedule 1 where consent cannot be given, can’t reasonably be expected to be obtained or would prejudice the provision of the service (see para.17).
Accuracy and erasure
Article 5(1)(d) UK GDPR / GDPR establishes the principle that personal data must be accurate and, where necessary, kept up to date. Coupled with this, individuals have the right to request the erasure of their personal data, the so-called ‘Right to be Forgotten’, under Article 17 UK GDPR / GDPR in certain circumstances, including where the individual objects to the processing of their personal data under Article 21 UK GDPR / GDPR in connection with processing for direct marketing purposes, where they object to processing and there are no overriding legitimate grounds to justify continuing, where consent is withdrawn, or where processing is no longer necessary for the purpose. Individuals in the process of gender transitioning, for example, may therefore seek to rely on these rights in order to require the updating of records to reflect their gender identity. Similarly, individuals may wish to accurately reflect their sexual orientation, which may be different to what was originally recorded. Designing systems which allow this and, where appropriate, offer individuals the opportunity to choose whether and how to record their gender (including the use of titles and pronouns) and/or sexual orientation, perhaps offering free text responses, can support compliance with the obligation to implement data protection by design and default under Article 25 UK GDPR / GDPR, the accuracy principle, as well as the data minimisation principle under Article 5(1)(c) UK GDPR / GDPR.
Should you require support in establishing a lawful basis for processing special category personal data, drafting an appropriate policy document, conducting a data protection impact assessment or data transfer impact assessment or implementing data protection by design, don’t hesitate to contact us.
A donation has been made to a UK LGBTQIA+ charity on behalf of Handley Gill Limited.