Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
- What Is Special Category Data Under UK GDPR?
- When Can Your Business Process Special Category Data?
- How To Collect, Use And Store Special Category Data Lawfully
- 1) Decide If You Really Need It
- 2) Pick Your Lawful Basis And Article 9 Condition
- 3) Be Transparent And Obtain Valid Consent Where Needed
- 4) Complete A DPIA For High-Risk Processing
- 5) Put Contracts And Policies In Place
- 6) Lock Down Security And Access
- 7) Set Short Retention Periods
- 8) Plan For Incidents And Requests
- Employment Law Touchpoints You Shouldn’t Miss
- International Transfers, Profiling And Marketing
- What Are The Risks If You Get It Wrong?
- Key Takeaways
Handling personal data comes with responsibilities, but some types of personal data are especially sensitive. Under UK GDPR, this is called “special category data”, and it attracts stricter rules.
If your small business ever records health details, biometrics, religious beliefs, or similar information, you need stronger safeguards. The good news? With the right processes and documents in place, you can stay compliant and protect your customers, team and brand from day one.
In this guide, we’ll explain what counts as special category data, when you’re allowed to process it, and the practical steps to build a compliant framework around it.
What Is Special Category Data Under UK GDPR?
Special category data is personal data that reveals particularly sensitive information about a person. UK GDPR Article 9 lists these categories:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic data
- Biometric data processed for the purpose of uniquely identifying someone (e.g. fingerprint or facial recognition templates; a plain photograph is not special category data unless it is run through such a system)
- Health data (physical or mental health information)
- Sex life or sexual orientation
These categories are treated as higher risk because misuse could cause discrimination or serious harm. As a result, the law sets a higher threshold for processing, extra documentation, and stronger security controls.
Note: Criminal offence data sits outside special category data and has its own rules under Article 10 UK GDPR and the Data Protection Act 2018 (DPA 2018). If you handle criminal records or allegations, you’ll need separate safeguards.
It’s easy for small businesses to collect special category data without realising it. A wellness intake form, a dietary questionnaire that includes allergy details, or a staff sickness record all count. Even modern biometric time and attendance systems can involve special category data if used to uniquely identify staff.
When Can Your Business Process Special Category Data?
To process special category data lawfully, you need two things:
- A lawful basis under Article 6 UK GDPR (e.g. consent, contract, legal obligation, legitimate interests); and
- An additional condition under Article 9 (plus Schedule 1 DPA 2018 where required).
Common Article 9 conditions used by UK small businesses include:
- Explicit consent: You’ve obtained clear, explicit consent for a specific purpose. This is stronger than ordinary consent and requires a clear statement (often a signed or recorded affirmative declaration) that can be evidenced. You must allow withdrawal at any time.
- Employment and social security law: Processing is necessary to comply with your obligations as an employer (e.g. managing sick pay, reasonable adjustments). You’ll usually need an appropriate policy document and documented safeguards under Schedule 1 DPA 2018.
- Vital interests: Processing is necessary to protect someone’s life where the individual is incapable of consent (e.g. a medical emergency).
- Legal claims: Necessary for establishing, exercising or defending legal claims, or when courts act in their judicial capacity.
- Manifestly made public by the individual: The data subject has clearly and deliberately made the information public themselves (be cautious - this is a narrow test, and it does not cover information others have published about them).
- Substantial public interest: A limited set of purposes defined in DPA 2018 Schedule 1, with additional documentation and safeguards (e.g. preventing fraud, safeguarding of children and individuals at risk). This is tightly controlled.
- Health or social care: Necessary for providing health or social care services (mainly for regulated providers and professionals).
In practice, most small businesses rely on explicit consent or the employment law condition. Be careful with consent from your own staff: the ICO’s view is that consent in an employment relationship is rarely freely given because of the imbalance of power, so for things like workplace biometrics the genuine, non-biometric alternative is what makes consent credible. Whichever condition you use, you must document your decision-making, limit use to the stated purpose, and apply proportionate security.
If you plan to process special category data on a large scale, or the processing is otherwise likely to be high risk (e.g. biometrics, profiling, or systematic monitoring), a Data Protection Impact Assessment (DPIA) is required under Article 35 UK GDPR, not merely recommended. When in doubt, do one.
Common Small Business Scenarios Involving Special Category Data
Here are examples where special category data often pops up in small businesses:
Recruitment, HR And Sickness Management
- Recording sickness absences and fit notes (health data)
- Workplace adjustments or occupational health referrals (health data)
- Equality and diversity monitoring forms (race, religion, sexual orientation)
- Drug and alcohol testing (health data, potentially criminal offence data)
If you handle health details or testing results, ensure you’re using the correct Article 9 condition and have clear processes. It’s also wise to educate managers about boundaries when discussing medical information at work.
Biometric Access And Timekeeping
Using fingerprints, facial recognition or voiceprints to uniquely identify people means processing special category data. Beyond strong security, you’ll need explicit consent or another valid condition, a real alternative for staff who object, and a DPIA to assess the risks.
Our guide to biometric time and attendance highlights key compliance steps and common pitfalls.
Health, Wellness And Hospitality
- Gyms, salons and wellness businesses collecting injuries, allergies or medical history
- Event organisers gathering dietary needs that reveal religious beliefs or health conditions
- Clinics and therapists processing health data as part of service delivery
Even seemingly harmless questions (“Any allergies?”) can reveal health data. Only collect what’s necessary, store it securely, and set a short, justified retention period.
Security And Monitoring
CCTV with audio, or systems that capture biometric identifiers, can increase the risk profile and may touch special category data in certain contexts. Be transparent, use signage, and be proportionate in your approach. If you record conversations alongside video, review your risk posture and policies carefully.
What Should Be In Your Compliance Toolkit?
If you process special category data, your compliance “stack” needs to go a little further. Consider the following documents and controls.
Privacy Policy
Be clear about what you collect, why, your lawful bases, Article 9 conditions, retention periods, and people’s rights. If you process special category data, say so plainly. A tailored, UK GDPR-compliant Privacy Policy sets the tone for transparency and trust.
Data Processing Agreement (DPA) With Suppliers
If a supplier processes special category data for you (e.g. HR platform, health screening provider, cloud host), you must have a written Data Processing Agreement. This contract sets the mandatory terms required by Article 28 UK GDPR, including security, sub-processing, audit rights, and breach reporting.
Data Sharing Agreement Between Controllers
If you exchange special category data with another organisation as independent controllers (for example, with an occupational health provider or a partner venue), a Data Sharing Agreement helps align lawful bases, Article 9 conditions, security expectations and individual rights handling.
DPIA, Lawful Basis And Policy Documents
- DPIA: Document risks and mitigations for high-risk processing (biometrics, large-scale health data, monitoring).
- Appropriate policy document: Required for certain Schedule 1 DPA 2018 conditions (e.g. employment law or substantial public interest).
- Lawful basis assessments: Keep a record showing how Article 6 and Article 9 conditions apply.
Security, Access Controls And Retention
- Role-based access and least-privilege permissions
- Encryption at rest and in transit for sensitive datasets
- Clear deletion/archiving rules and short retention for special category data
- Supplier due diligence (security certifications, data location, breach history)
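The access-control, audit-logging and retention points in the list above (and in steps 6 and 7 of the step-by-step section later on) are easier to get right when they are enforced in the system rather than in a policy document nobody reads. The following is an added example written for this page, not Sprintlaw’s code or any real HR product: a small in-memory absence record in which the health fields are special category data, line managers and payroll can see absence dates but never the diagnosis, every read attempt is logged, and a retention job blanks the health fields once the absence is a year old. The role names, field names and the one-year period are illustrative assumptions, not a statement of what the law requires for any given business.

```python
"""Field-level least privilege, audit logging and retention for an HR absence record.

Added example, not Sprintlaw's code. Role names, field names and the
one-year retention period are illustrative assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta

# Fields that are health data, and therefore special category data (Article 9).
SPECIAL_CATEGORY_FIELDS = frozenset({"sickness_reason", "fit_note", "adjustments"})

BASIC_FIELDS = frozenset({"name", "absence_start", "absence_end"})

# Assumed role-to-field mapping: line managers and payroll see absence dates
# but never the diagnosis or the fit note (least privilege).
ROLE_FIELDS = {
    "hr_admin": BASIC_FIELDS | SPECIAL_CATEGORY_FIELDS,
    "line_manager": BASIC_FIELDS,
    "payroll": BASIC_FIELDS,
}


class AccessDenied(PermissionError):
    """Raised when a role asks for a field outside its permitted set."""


@dataclass
class AbsenceRecord:
    employee_id: str
    name: str
    absence_start: date
    absence_end: date
    sickness_reason: str = ""
    fit_note: str = ""
    adjustments: str = ""


@dataclass
class HrStore:
    records: dict[str, AbsenceRecord] = field(default_factory=dict)
    # Every read attempt (allowed or denied) and every purge is logged.
    audit_log: list[dict] = field(default_factory=list)
    # Assumption: health details are wiped one year after the absence ends;
    # the bare absence dates are kept for payroll history.
    health_retention: timedelta = timedelta(days=365)

    def read(self, actor: str, role: str, employee_id: str, fields: set[str], today: date) -> dict:
        """Return the requested fields if the role may see all of them; otherwise deny the whole request."""
        allowed = ROLE_FIELDS.get(role, frozenset())
        denied = set(fields) - allowed
        self.audit_log.append({"when": today.isoformat(), "actor": actor, "role": role,
                               "employee": employee_id, "fields": sorted(fields),
                               "result": "denied" if denied else "ok"})
        if denied:
            raise AccessDenied(f"role {role!r} may not read {sorted(denied)}")
        record = self.records[employee_id]
        return {name: getattr(record, name) for name in fields}

    def purge_expired(self, today: date) -> list[str]:
        """Blank the special category fields of every record past its retention date."""
        purged = []
        for record in self.records.values():
            still_held = any(getattr(record, name) for name in SPECIAL_CATEGORY_FIELDS)
            if still_held and today - record.absence_end > self.health_retention:
                for name in SPECIAL_CATEGORY_FIELDS:
                    setattr(record, name, "")
                purged.append(record.employee_id)
                self.audit_log.append({"when": today.isoformat(), "actor": "retention-job",
                                       "role": "system", "employee": record.employee_id,
                                       "fields": sorted(SPECIAL_CATEGORY_FIELDS), "result": "purged"})
        return purged


def build_sample_store() -> HrStore:
    """Constructed sample data for the demonstration below."""
    store = HrStore()
    store.records["E001"] = AbsenceRecord("E001", "Priya Shah", date(2024, 3, 4), date(2024, 3, 8),
                                          sickness_reason="back injury", fit_note="FN-2024-031",
                                          adjustments="sit-stand desk")
    store.records["E002"] = AbsenceRecord("E002", "Tom Reid", date(2023, 1, 9), date(2023, 1, 10),
                                          sickness_reason="flu")
    return store


def demo() -> dict:
    store = build_sample_store()
    today = date(2024, 6, 1)
    results = {}
    # A line manager may see when someone was off, but not why.
    results["manager_dates"] = store.read("m.jones", "line_manager", "E001",
                                          {"absence_start", "absence_end"}, today)
    try:
        store.read("m.jones", "line_manager", "E001", {"sickness_reason"}, today)
        results["manager_reason"] = "allowed"
    except AccessDenied:
        results["manager_reason"] = "denied"
    # HR may see the health fields for a legitimate purpose.
    results["hr_reason"] = store.read("h.patel", "hr_admin", "E001", {"sickness_reason"}, today)["sickness_reason"]
    # The retention job wipes E002's year-old health details but leaves E001's recent ones.
    results["purged"] = store.purge_expired(today)
    results["e002_reason_after_purge"] = store.records["E002"].sickness_reason
    results["audit_entries"] = len(store.audit_log)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two design choices worth copying: a request that asks for any field outside the role’s set is refused in full rather than silently trimmed, so a misconfigured report fails loudly instead of leaking one column, and denied reads are logged just like successful ones, which is what you will want when investigating whether someone was probing HR data. The purge keeps the absence dates because payroll history has its own, longer retention; only the health detail is wiped.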
Cookie And Tracking Compliance
If your site uses tracking that could infer special category attributes (e.g. health interests from page views), tighten your consent experience. Make sure your Cookie Policy is up to date and your cookie banners give users a genuine choice before non-essential cookies load.
Incident Response And DSARs
Have a tested data breach response plan. The legal test for notifying the ICO (within 72 hours of becoming aware) and for telling affected individuals is the same for all personal data, but a breach involving special category data is far more likely to meet it, because the harm from exposed health, biometric or belief data is greater. Also prepare for requests from individuals to access their data: build workflows that meet UK GDPR subject access request deadlines and redact third-party or privileged information where appropriate.
How To Collect, Use And Store Special Category Data Lawfully
Here’s a step-by-step approach you can adapt to your business.
1) Decide If You Really Need It
Start with data minimisation. If you can achieve your aim without special category data, don’t collect it. For example, a “nut allergy? yes/no” tick box is still health data, but it is far less of it than a free-text medical history, and it is easier to secure, retain and delete.
2) Pick Your Lawful Basis And Article 9 Condition
Map the purpose to Article 6 and Article 9. For HR sickness records, you may rely on “legal obligation” or “legitimate interests” under Article 6 plus the “employment and social security law” condition under Article 9, supported by an appropriate policy document. For optional wellness services or biometrics, consider explicit consent and offer a clear, non-biometric alternative.
3) Be Transparent And Obtain Valid Consent Where Needed
If you use explicit consent, make it a clear, unambiguous, opt-in statement that names the purpose(s) and data types. Keep auditable records and provide simple withdrawal mechanisms.
4) Complete A DPIA For High-Risk Processing
For biometrics, large-scale health data or systematic monitoring, conduct a DPIA early. Involve your supplier and IT team to identify risk mitigations such as encryption, pseudonymisation, and access controls.
5) Put Contracts And Policies In Place
Ensure your Data Processing Agreement covers special category data requirements (e.g. enhanced security, restrictions on sub-processing) and your Data Sharing Agreement sets expectations when exchanging data with other controllers. Update your Privacy Policy to reflect the processing.
6) Lock Down Security And Access
Restrict staff access to a strict need-to-know basis, enforce MFA, enable encryption, and keep audit logs of who accessed which records (and review them, not just collect them). Train staff on handling special category data and implement a clean desk and secure device policy.
7) Set Short Retention Periods
Keep special category data only as long as necessary for your stated purpose and legal obligations. For HR files, align retention with employment law and limitation periods, then securely delete or anonymise.
8) Plan For Incidents And Requests
Build a breach playbook with roles, timelines, and communication templates. Practise it. Create DSAR procedures so your team can meet the one-month deadline (extendable by up to two further months for complex requests) and properly identify and extract special category data without over-disclosing third-party information.
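Step 8, and the DSAR paragraph under “Incident Response And DSARs” above, both come down to the same mechanical problem: pull everything you hold about one person, flag the special category parts, and strip other people’s personal data from free-text notes before it goes out. The block below is an added example written for this page, not Sprintlaw’s code or any real HR system. The staff directory, the notes and the decision to withhold note authors’ identities as third-party data are constructed assumptions; whether a particular name may be disclosed in a given case remains a judgement for whoever handles the request.

```python
"""Pulling one employee's records for a subject access request (DSAR) and
redacting other people's names from free-text notes.

Added example, not Sprintlaw's code. The directory, the notes and the
treatment of note authors as third parties are constructed assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Note fields that hold health data (special category) and so are flagged in the export.
SPECIAL_CATEGORY_FIELDS = frozenset({"health_note"})

# Constructed sample staff directory: employee id -> full name.
DIRECTORY = {"E001": "Priya Shah", "E002": "Tom Reid", "E003": "Ana Costa"}


@dataclass(frozen=True)
class Note:
    subject_id: str   # whose record this note sits on
    author_id: str    # who wrote it
    field: str
    text: str


# Constructed sample notes.
NOTES = [
    Note("E001", "E002", "health_note", "Priya Shah off with back pain; Tom Reid covered her shift."),
    Note("E001", "E003", "general_note", "Priya Shah asked for flexible hours from March."),
    Note("E002", "E003", "health_note", "Tom Reid referred to occupational health; Priya Shah informed."),
]


def redact_third_parties(text: str, subject_id: str) -> str:
    """Replace every directory name other than the subject's own with a marker."""
    redacted = text
    for emp_id, name in DIRECTORY.items():
        if emp_id == subject_id:
            continue
        # Whole-word match; re.escape guards against names containing regex metacharacters.
        redacted = re.sub(r"\b" + re.escape(name) + r"\b", "[THIRD PARTY]", redacted)
    return redacted


def extract_for_dsar(subject_id: str) -> list[dict]:
    """Every note about the subject, with third parties redacted and special category data flagged."""
    export = []
    for note in NOTES:
        if note.subject_id != subject_id:
            continue
        export.append({
            "field": note.field,
            "special_category": note.field in SPECIAL_CATEGORY_FIELDS,
            # Assumption for this example: the author's identity is withheld as third-party data.
            "author": "[THIRD PARTY]",
            "text": redact_third_parties(note.text, subject_id),
        })
    return export


if __name__ == "__main__":
    for item in extract_for_dsar("E001"):
        print(item)
```

The name-list approach is a first pass, not the whole job: it only catches people who are in the directory and only the exact spelling stored there, so a first-name-only mention (“Tom covered”) or a nickname slips through. Run it to cut the bulk of the redaction work, then have a person review the output before release, and keep a record of what was withheld and why so the decision can be explained if the individual challenges it.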
Employment Law Touchpoints You Shouldn’t Miss
Because many small businesses collect special category data in an employment context, it’s worth calling out a few common situations:
- Sick pay and adjustments: You may need health information to meet legal obligations. Limit collection to what’s necessary and store it in segregated HR files with restricted access.
- Equality monitoring: If you gather diversity data, use anonymous or aggregated forms where possible and avoid using it for any decisions about an individual.
- Drug and alcohol testing: Use only where necessary and proportionate (e.g. safety-critical roles). Ensure lawful basis and Article 9 condition, provide clear notices, and keep results strictly confidential.
- Biometrics in the workplace: If you deploy biometrics for building access or timekeeping, offer a reasonable alternative and complete a DPIA. See our guidance on biometric time and attendance.
- Communication boundaries: Educate managers about confidentiality and limit who can access or discuss health and other sensitive data. Our article on medical information at work explains rights and obligations in plain English.
Remember, where you rely on employment-related conditions under Schedule 1 DPA 2018, you’ll usually need an “appropriate policy document” and to maintain additional records about retention and safeguards.
International Transfers, Profiling And Marketing
Special category data can crop up in less obvious places:
- International transfers: If your HR platform or CRM stores data outside the UK, make sure the destination is covered by UK adequacy regulations or that appropriate safeguards are in place (e.g. the ICO’s International Data Transfer Agreement, or the UK Addendum to the EU standard contractual clauses). Test vendor claims about data location and sub-processors - don’t just take a sales deck at face value.
- Inferred sensitivities: Adtech and analytics can infer health or religious beliefs based on behaviour. Treat any such profiling as high risk - make your consent experience robust and be ready to disable non-essential trackers until users opt in. Your cookie banners should reflect this.
- Retention in backups and logs: Deleting a record from the live system does not delete it from last month’s backup or from application logs that captured the same fields. Work with IT to ensure deletions propagate to backups in line with your retention policy, or, where backups cannot be selectively purged, that they are encrypted with strict access, rotate out on a documented cycle, and that anything restored from them is re-purged before use. Check that free-text sensitive fields are not being written to logs or analytics in the first place.
What Are The Risks If You Get It Wrong?
Processing special category data without a valid Article 9 condition, or without proportionate safeguards, increases the chance of:
- Regulatory action: The ICO can investigate, mandate changes and issue fines. Failures involving sensitive data are more likely to be reportable and attract scrutiny.
- Civil claims: Individuals may claim compensation for material and non-material damage (including distress) arising from mishandling their data.
- Reputational harm: Trust takes years to build and seconds to lose - breaches involving health or biometric data are particularly damaging.
- Operational disruption: Remediation, notifications, system hardening and data mapping exercises can be costly and time-consuming.
Practical preparation goes a long way. Clear documents, good vendor contracts, robust access controls and a rehearsed incident plan will drastically reduce your risk profile.
Key Takeaways
- Special category data includes health, biometrics (for identification), genetic data, beliefs, orientation and similar sensitive details - it attracts stricter UK GDPR rules.
- You need both a standard lawful basis under Article 6 and an Article 9 condition (often explicit consent or an employment-related ground) before processing.
- Map your use cases, complete a DPIA for high-risk activities, and keep clear records of your lawful bases, Article 9 conditions and retention periods.
- Put the right toolkit in place: a transparent Privacy Policy, strong supplier contracts like a Data Processing Agreement, controller-to-controller Data Sharing Agreement, robust security and a tested data breach response plan.
- In employment, limit collection to what’s necessary, secure HR files, and treat biometrics and health data as high risk; consider reasonable alternatives and clear staff notices.
- Be cautious with cookies and tracking that might infer sensitive traits - ensure your cookie banners and consent flows are up to scratch.
- Prepare for individual rights requests with workflows that meet UK GDPR subject access request deadlines and avoid over-disclosure.
If you’d like help setting up compliant processes for special category data - from policies to contracts and DPIAs - our team can guide you through it. You can reach us on 08081347754 or team@sprintlaw.co.uk for a free, no-obligations chat.