Everything you need to know about: Special Category data - Tacita (2025)

  • Jan 31, 2022
  • Useful articles

Everything you need to know about: Special Category data


In this edition of ‘Everything you need to know about’ we will be looking at Special Category Data: what is it, how does it differ from standard personal data, and how can you manage it in a secure and legal manner?

What is Special Category Data?


Special category data is a subset of personal data defined in the GDPR. This data is typically of a far more sensitive nature than standard personal data and has often historically been used to persecute individuals. If special category data is compromised, it has the potential for greater financial, physical, emotional, or reputational harm.

The GDPR has identified the following categories of information as being special category data:

  • Personal data revealing racial or ethnic origin;
  • Personal data revealing political opinions;
  • Personal data revealing religious or philosophical beliefs;
  • Personal data revealing trade union membership;
  • Genetic data;
  • Biometric data (where used for identification purposes);
  • Data concerning health;
  • Data concerning a person’s sex life; and
  • Data concerning a person’s sexual orientation.

If you are processing any of these categories of information, you are processing Special Category Data.

Note: Children’s Data and Criminal Records are not classified as special category data under the GDPR. The GDPR gives extra protection to personal data relating to criminal convictions and offences, and children’s data.

How can I process this data lawfully?

Because the use of this data could create significant risks to the rights and freedoms of the data subjects involved, the GDPR states special requirements must be met before this data can be processed. Article 9 of the UK GDPR states that, alongside one of the 6 lawful bases, you must identify one of 10 conditions before you can process special category data.

The 10 conditions are as follows:

  1. Explicit Consent – The data subject has given their explicit consent to your processing of this data.
  2. Employment, Social Security and social protection – Processing is required for any of the three stated purposes. This has to be authorized by Union or Member State law or by collective agreement.
  3. Vital Interests – This generally only applies to matters where the processing is necessary to preserve life.
  4. Not-for-profit bodies – Processing carried out in the course of a not-for-profit’s legitimate activities, where that body has the appropriate safeguards in place. This can ONLY be used by bodies with a political, philosophical, religious or trade-union aim, relates ONLY to the processing of data about its members, former members or close connections, and requires that the personal data is not disclosed outside that body.
  5. Manifestly made public – Relates to personal data which has manifestly been made public by the data subject. This covers information which the individual themselves has made public, such as political or religious beliefs. It does NOT cover information which they have not made public, such as any lost in a data breach.
  6. Legal claims or judicial acts – Processing is needed for the establishment, exercise, or defense of legal claims and/or where a court is acting in its judicial capacity.
  7. Substantial public interest – This condition requires further clarification. You must also meet a relevant basis in UK law and one of 23 specific public interest conditions. For further information see Schedule 1 of the UK DPA 2018.
  8. Health or Social Care – Processing is required for the provision of health care or treatment, or social care. For a full list of professions included in this, see section 204 of the DPA 2018.
  9. Public Health – Processing necessary for reasons of public interest in the area of public health. This processing can only be undertaken by a health professional or by someone else who in the circumstances owes a legal duty of confidentiality.
  10. Archiving, research and statistics – Processing necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.

Should I be worried about processing special category data?

No!

If done correctly, processing special category data should be as easy as standard processing activities. You must always be clear about the necessity of this processing and ensure that security and protection are your primary concern. Because of the increased risk associated with this information, you will have to employ appropriate safeguards for these processing activities, such as greater access controls or encrypted transfers.

The best practice approach to managing this risk is to undertake a Data Protection Impact Assessment (DPIA). This internal risk assessment will identify potential risks and provide the opportunity to assign remedial actions to rectify these.

About Us: Tacita are GDPR compliance experts. Tacita help clients achieve and maintain GDPR compliance. Get in touch to explore our range of GDPR services including the Tacita GDPR Audit, GDPR Consultant Service and the GDPR Toolkit.

Article information

Author: Laurine Ryan
