I would like to explore Article 9(2)(e) of the GDPR further as the term "manifestly made public" appears to warrant more in depth discussion. An example for such a situation could be an event organizer processing the details of an openly known HIV positive individual to invite that individual to speak about living with HIV at the event. Since that individual has already publicly announced his/her HIV status and the main feature of that event is about hearing from the point of view of a HIV positive person, the event organizer should be allowed to process and include data about individual's HIV status when inviting that individual. In such a circumstance, the event organizer does not yet have consent from the individual, hence it cannot fall under Article 9(2)(a).
According to guidance from the ICO, it is important that the individual has made the information public voluntarily on his or her own accord [1], and the information was not made public due to a data leak. It is also important to consider whether the individual would reasonably expect that data to be processed in this circumstance [2]. For example, if that same HIV positive person was invited to speak about an unrelated topic, the event organizer will not have grounds to process data about his/her HIV status. Everyone plays multiple roles in life, one could be a part time student, working professional, parent or a child depending on the circumstances. We should not be applying a label to any individual across all facets of his or her life.
Lastly, it is also important to consider if the data can be "realistically accessed" by a member of the general public [3]. For example, if a teaching staff has formed a picket line outside a university building as part of industrial action called for by the Universities and College Union, such an action may not fall under Article 9(2)(e). This is because of its transient nature, only those present would have witnessed the event and a member of public cannot subsequently access this information. Hence, the university would not have any grounds to process such data.
I would argue that Article 9(2)(e) can be further refined and restricted to something along the lines of:
(e) processing relates to personal data which are manifestly made public on a permanent basis by the data subject voluntarily; where the data being processed is directly relevant to the purpose for which it is processed and where the data subject would reasonably expect that processing to take place.
[1] Information Comissioner's Office, 'What are the conditions for processing?' https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/lawful-basis/special-category-data/what-are-the-conditions-for-processing/#conditions5 accessed 9 October 2023
[2] ibid
[3] ibid