The GDPR essentials: Special category data

28th November 2024

What is special category data?

Under the UK GDPR, certain types of personal data are considered more sensitive and are granted additional protection. This is often referred to as special category data and includes the following types of personal information:

  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Genetic data
  • Biometric data
  • Health data
  • Sex life and sexual orientation

This data merits extra protection because it could create significant risks to individuals’ fundamental rights and freedoms.

What should we do if we intend to process this data?

The first step, if you intend to process special category data, is to confirm whether you need to conduct a DPIA for your planned activities using that data. DPIAs are mandatory for any type of processing which is likely to be high risk, which means a DPIA is more likely to be needed when handling special category data. This does not mean it will always be essential; it will depend on the necessity, nature, scale, and your purpose for using this data.

After the DPIA, if you still intend to process special category data, you must determine a lawful basis for processing that data under Article 6 of the UK GDPR and then meet one of the exceptions of Article 9 (which lists the situations you can rely on to process special category data).

Whilst we won’t go through all the exceptions in this article, some examples of where an organisation would be able to process special category data would be where explicit consent has been obtained from the individual, or if it is necessary for the purposes of preventative or occupational medicine, to assess the working capacity of an employee, to provide a medical diagnosis or other health care or treatment, or if it is necessary for the purposes of carrying out the obligations and exercising rights of the controller or of the data subject in employment, social security and social protection law.

What if we suffer a data breach of this data?

You must record all data breaches internally, including what caused the breach, what happened, the data affected, the effects of the breach, and any action taken and the rationale. In certain circumstances, you are required to report the breach to the ICO. This is only if the breach is likely to result in a risk to the rights and freedoms of individuals, which can be physical, material or non-material. As special category data is considered higher risk data, if a breach involves data of this nature, it is more likely to reach the bar for reporting.

If you have suffered a data breach and are unsure whether to report it to the ICO or need advice on handling special category data, we’re here to help – get in touch with Sophie at sophiebrazier@schofieldsweeney.co.uk.

Copyright © Schofield Sweeney Solicitors. All Rights Reserved.

Schofield Sweeney LLP is authorised and regulated by the Solicitors Regulation Authority.
