Data Protection Policy

12. Processing sensitive personal data

12.1 On some occasions we may collect information about individuals that is defined by the GDPR as special categories of personal data, and special rules will apply to the processing of this data. In this policy we refer to “special categories of personal data” as “sensitive personal data”. The categories of sensitive personal data are set out in the definition in Section 3.9.

12.2 Purely financial information is not technically defined as sensitive personal data by the GDPR. However, particular care should be taken when processing such data, as the ICO will treat a breach relating to financial data very seriously.

12.3 In most cases, in order to process sensitive personal data, we must obtain explicit consent from the individuals involved. As with any other type of information we will also have to be absolutely clear with people about how we are going to use their information.

12.4 It is not always necessary to obtain explicit consent. There are a limited number of other circumstances in which the GDPR permits organisations to process sensitive personal data. If you are concerned that you are processing sensitive personal data and are not able to obtain explicit consent for the processing, please contact the IAP Secretary

Click on the links below for other sections of the IAP Data Protection Policy:

1. Purpose of the policy

2. About this policy

3. Definitions of data protection terms

4 Data protection principles

5. Processing data fairly and lawfully

6. Processing data for the original purpose

7. Personal data should be adequate and accurate

8. Not retaining data longer than necessary

9. Rights of individuals under the GDPR

10. Data security

11. Transferring Data Outside the EEA

12. Processing sensitive personal data

13. Notification

14. Monitoring and review of the policy