Basic personal identifiers – information, such as name, email address, or address, that can identify an individual. This does not include information that is of a more sensitive nature.
Criminal convictions, offences – information about any illegal behaviour an individual may have been suspected or convicted of. This could include information about appearances on the sexual offences register, for example. Article 10 of the UK GDPR contains safeguards for this data.
Data revealing racial or ethnic origin – information that reveals a person’s or group of people’s race or ethnicity. This information is considered special category data in accordance with Article 9 of the UK GDPR.
Economic and financial data – data relating to an individual’s or group of individual’s credit card, bank account, or other financial data. This could include information such as pay or rates of benefits they receive. Although people are usually very sensitive about this information and it can be used by criminals for theft or fraud, it is not classed as special category data.
Gender reassignment data – information about those who have transitioned or are transitioning between genders. If this includes specific information or inference about someone's health (or any other specific category such as sexual orientation or sex life), it is considered special category data in accordance with Article 9 of the UK GDPR. Even where it is not special category data, this information should be treated very carefully. There could also be requirements for handling this type of information under other legislation such as the Gender Recognition Act 2004.
Genetic or biometric data – this includes two types of data:
- Genetic data - information about someone’s genes, usually generated by analysing a biological sample. For example, genetic analysis, genetic profiling or genetic test results. This information is special category data under Article 9 of the UK GDPR.
- Biometric data - information from specific technical analysis of physical, physiological or behavioural characteristics that can uniquely identify an individual. This can include data such as fingerprints, iris scans, or other biological data. If it’s used to uniquely identify people, this information is considered special category data in accordance with Article 9 of the UK GDPR.
Health data – information relating to the physical or mental health of an individual. This includes information about health services that an individual may have accessed and that may reveal details of their health. This information is considered special category data in accordance with Article 9 of the UK GDPR.
Identification data – information that is used to identify an individual. This may not be a name, but could also be a customer number or username that can be combined with other information to uniquely identify a person.
Location data – information such as geolocation data that can identify where a person lives, works or otherwise spends their time. As this data can be used to track someone’s movements, it can in turn help identify individuals and can therefore be personal data.
Multiple – where more than one type of data is potentially involved in a breach.
Official documents – copies of paperwork such as driver’s licenses, birth certificates and passports that can be used as proof of identification.
Political opinions – details about an individual’s voting history or political party membership. This information is considered special category data in accordance with Article 9 of the UK GDPR.
Religious or philosophical beliefs – details of the belief systems that an individual or group of individuals have. This could be whether they are a member of a particular religious group or whether they are atheist. This information is considered special category data in accordance with Article 9 of the UK GDPR.
Sex life data – Any data on a person’s sex life which does not specifically relate to orientation or health. This could include whether they have signed up to dating apps or a period tracker, for example.
Sexual orientation data – Information about someone’s sexual preferences, such as whether they identify as gay, straight, bisexual, asexual, or any other sexual orientation that they feel describes them best. This information is considered special category data in accordance with Article 9 of the UK GDPR.
Trade union membership – whether someone holds or has held membership to a union. This information is considered special category data in accordance with Article 9 of the UK GDPR.