At a glance

  • Special category data is personal data that needs more protection because it is sensitive.

  • In order to lawfully process special category data, you must identify both a lawful basis under Article 6 of the GDPR and a separate condition for processing under Article 9. These do not have to be linked.

  • There are 10 conditions for processing special category data in Article 9 of the GDPR.

  • Five of these require you to meet additional conditions and safeguards set out in UK law, in Schedule 1 of the DPA 2018.

  • You must determine your condition for processing special category data before you begin this processing under the GDPR, and you should document it.

  • In many cases you also need an ‘appropriate policy document’ in place in order to meet a UK Schedule 1 condition for processing in the DPA 2018.

  • You need to complete a data protection impact assessment (DPIA) for any type of processing which is likely to be high risk. You must therefore be aware of the risks of processing the special category data.

Checklist

☐ We have checked the processing of the special category data is necessary for the purpose we have identified and are satisfied there is no other reasonable and less intrusive way to achieve that purpose.

☐ We have identified an Article 6 lawful basis for processing the special category data.

☐ We have identified an appropriate Article 9 condition for processing the special category data.

☐ Where required, we have also identified an appropriate DPA 2018 Schedule 1 condition.

☐ We have documented which special categories of data we are processing.

☐ Where required, we have an appropriate policy document in place.

☐ We have considered whether we need to do a DPIA.

☐ We include specific information about our processing of special category data in our privacy information for individuals.

☐ If we use special category data for automated decision making (including profiling), we have checked we comply with Article 22.

☐ We have considered whether the risks associated with our use of special category data affect our other obligations around data minimisation, security, and appointing Data Protection Officers (DPOs) and representatives.

In brief

What is special category data?

The GDPR defines special category data as:

• personal data revealing racial or ethnic origin;
• personal data revealing political opinions;
• personal data revealing religious or philosophical beliefs;
• personal data revealing trade union membership;
genetic data;
biometric data (where used for identification purposes);
• data concerning health;
• data concerning a person’s sex life; and
• data concerning a person’s sexual orientation.

This does not include personal data about criminal allegations, proceedings or convictions, as separate rules apply. For further information, please see our separate guidance on criminal offence data.

Special category data includes personal data revealing or concerning the above types of data. Therefore, if you have inferred or guessed details about someone which fall into one of the above categories, this data may count as special category data. It depends on how certain that inference is, and whether you are deliberately drawing that inference.

What are the rules for special category data?

You must always ensure that your processing is generally lawful, fair and transparent and complies with all the other principles and requirements of the GDPR. To ensure that your processing is lawful, you need to identify an Article 6 basis for processing.

In addition, you can only process special category data if you can meet one of the specific conditions in Article 9 of the GDPR. You need to consider the purposes of your processing and identify which of these conditions are relevant.

Five of the conditions for processing are provided solely in Article 9 of the GDPR. The other five require authorisation or a basis in UK law, which means you need to meet additional conditions set out in the DPA 2018.

You must also identify whether you need an ‘appropriate policy document’ under the DPA 2018. Our template appropriate policy document shows the kind of information this should contain.

You must do a DPIA for any type of processing that is likely to be high risk. This means that you are more likely to need to do a DPIA for processing special category data. For further information, please see our guidance on DPIAs.

If you process special category data you must keep records, including documenting the categories of data. You may also need to consider how the risks associated with special category data affect your other obligations – in particular, obligations around data minimisation, security, transparency, DPOs and rights related to automated decision-making.

What are the conditions for processing special category data?

Article 9 lists the conditions for processing special category data:

(a) Explicit consent
(b) Employment, social security and social protection (if authorised by law)
(c) Vital interests
(d) Not-for-profit bodies
(e) Made public by the data subject
(f) Legal claims or judicial acts
(g) Reasons of substantial public interest (with a basis in law)
(h) Health or social care (with a basis in law)
(i) Public health (with a basis in law)
(j) Archiving, research and statistics (with a basis in law)

If you are relying on conditions (b), (h), (i) or (j), you also need to meet the associated condition in UK law, set out in Part 1 of Schedule 1 of the DPA 2018.

If you are relying on the substantial public interest condition in Article 9(2)(g), you also need to meet one of 23 specific substantial public interest conditions set out in Part 2 of Schedule 1 of the DPA 2018.

What are the substantial public interest conditions?

The 23 substantial public interest conditions are set out in paragraphs 6 to 28 of Schedule 1 of the DPA 2018:

6. Statutory and government purposes
7. Administration of justice and parliamentary purposes
8. Equality of opportunity or treatment
9. Racial and ethnic diversity at senior levels
10. Preventing or detecting unlawful acts
11. Protecting the public
12. Regulatory requirements
13. Journalism, academia, art and literature
14. Preventing fraud
15. Suspicion of terrorist financing or money laundering
16. Support for individuals with a particular disability or medical condition
17. Counselling
18. Safeguarding of children and individuals at risk
19. Safeguarding of economic well-being of certain individuals
20. Insurance
21. Occupational pensions
22. Political parties
23. Elected representatives responding to requests
24. Disclosure to elected representatives
25. Informing elected representatives about prisoners
26. Publication of legal judgments
27. Anti-doping in sport
28. Standards of behaviour in sport

You should identify which of these conditions appears to most closely reflect your purpose. Our detailed guidance gives you some further advice on how the conditions generally work, but you always need to refer to the detailed provisions of each condition in the legislation itself to make sure you can demonstrate it applies.

For some of these conditions, the substantial public interest element is built in. For others, you need to be able to demonstrate that your specific processing is “necessary for reasons of substantial public interest”, on a case-by-case basis.

The public interest covers a wide range of values and principles relating to the public good, or what is in the best interests of society. It needs to be real and of substance. Given the inherent risks of special category data, it is not enough to make a vague or generic public interest argument. You should be able to make specific arguments about the concrete wider benefits of your processing.

For some of the conditions, you also need to justify why you cannot give individuals a choice and get explicit consent for your processing. In most cases, you must have an ‘appropriate policy document’ in place.

In more detail – ICO guidance

We have produced more detailed guidance on special category data.