What Does the GDPR Classify as ‘Special Categories of Data’ in England?

Your business creates and records large amounts of sensitive data which you must handle carefully. Data protection laws in England classify sensitive and highly personal data as special category data. This article will explain the meaning and limits of special category data to ensure your company is aware of the extra duties in handling these types of sensitive information.

What is the GDPR?

The General Data Protection Regulation (GDPR) encapsulates England’s primary data protection laws alongside the Data Protection Act. As such, it significantly impacts how your business can collect, record and distribute information. The Information Commissioner’s Office (ICO) is the main body responsible for enforcing the GDPR and can issue your organisation a fine for any data protection breach. Financial penalties occur when the ICO feels that your business has acted contrary to the public interest and data protection rules.

What Are Special Categories of Data?

Special category data is limited to very sensitive and personal information. This includes:

  • personal data revealing political opinions or trade union membership;
  • personal data revealing racial or ethnic origin or religious beliefs;
  • any data relating to a person’s sex life or sexual orientation;
  • health data;
  • genetic data; and
  • biometric data (such as fingerprint recognition or iris scanning).

Because of their sensitivity, these types of data have a higher level of protection under the GDPR and are prone to higher fines from the ICO. This is relevant to your organisation because the ICO can issue a financial penalty of up to £17.5m or 4% of annual global turnover.

Processing Special Category Data

A starting point would be completing a data protection impact assessment (DPIA). DPIAs are required when your company is likely to engage in high-risk data processing. For example, processing special category data is high risk due to the sensitive nature of the information.

The ICO website also provides other suggested steps, which include:

  • identifying a lawful basis for processing that information (for example, a legal basis for recording the sexual orientation of staff is to aid equality in the workplace);
  • processing high-risk data under the remit and control of a data protection officer, if your organisation has appointed one; and
  • documenting your business’s reasons for and purpose of processing sensitive information.

Handling and Storing Special Category Data

Your company must take decisive steps to ensure that it stores special category data securely and safely. It must keep the information for a reasonable period of time for the specified purpose. Following this, once the information is no longer useful, you must swiftly and safely delete the sensitive data.

Avoiding keeping information beyond its useful lifespan is one of the primary purposes of the GDPR (and ICO). This is especially so for sensitive personal data.

Reporting Data Breaches to the ICO

Your company must report any special category data breach to the ICO within 72 hours.

For example, suppose you accidentally send a Word document containing your employees’ racial and ethnic origin and religious beliefs to the whole workforce. The document itself may be permitted if it was created to record the make-up of the workplace to try to encourage a more diverse workforce in the future. However, mistakenly disclosing this to multiple individuals would constitute a severe data breach.

Key Takeaways

Your business must handle special category data carefully. Any failure to treat the information safely or securely can quickly lead to the ICO investigating and penalising your organisation. Additionally, disclosing sensitive personal information without consent can be highly upsetting to the data subject. If the breach becomes publicised, it can pose a reputational risk to your organisation. Therefore, ensuring that special category data is identified and handled with care is good practice.

If you need help with data protection requirements and the safe handling of special category data, our experienced Data, Privacy and IT lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page.

Frequently Asked Questions

Aside from achieving equality, what other reasons can my business use to justify handling data?

Other suitable reasons include compliance with the law, preventing unlawful acts or fraud, enabling the support of staff members with a disability and aiding the administration of occupational pensions.

Is it advisable to try and avoid handling special categories of data?

As far as possible, yes. The ICO recommends that your business only record special category data where doing so is unavoidable. For example, your company must store health-related information within a staff member’s personnel file concerning any periods of sickness absence.

Thomas Sutherland
