
By Thomas Sutherland
Table of Contents
- What is the GDPR?
- What Are Special Categories of Data?
- Processing Special Category Data
- Handling and Storing Special Category Data
- Reporting Data Breaches to the ICO
- Key Takeaways
- Frequently Asked Questions
Your business creates and records large amounts of sensitive data which you must handle carefully. UK data protection law classifies the most sensitive and highly personal data as special category data. This article explains the meaning and limits of special category data so that your company is aware of the extra duties that apply when handling these types of sensitive information.
What is the GDPR?
The UK General Data Protection Regulation (UK GDPR), together with the Data Protection Act 2018, forms the UK's primary data protection law. As such, it significantly affects how your business can collect, record and distribute personal information. The Information Commissioner's Office (ICO) is the main body responsible for enforcing the UK GDPR and can issue your organisation a monetary penalty where it finds that your business has infringed the data protection rules.
What Are Special Categories of Data?
Special category data is personal data that reveals or concerns particularly sensitive matters. It comprises:
- personal data revealing political opinions or trade union membership;
- personal data revealing racial or ethnic origin, or religious or philosophical beliefs;
- any data concerning a person's sex life or sexual orientation;
- health data;
- genetic data; and
- biometric data processed to uniquely identify an individual (such as fingerprint recognition or iris scanning).
Because of the sensitivity of these types of data, they receive a higher level of protection under the UK GDPR and infringements attract the higher tier of ICO fines. This is relevant to your organisation because the ICO can issue a financial penalty of up to £17.5m or 4% of annual global turnover, whichever is higher.
Processing Special Category Data
A starting point is to complete a data protection impact assessment (DPIA). A DPIA is required when your company's processing is likely to result in a high risk to individuals. Processing special category data is typically high risk because of the sensitive nature of the information.
The ICO website also provides other suggested steps, which include:
- identifying both a lawful basis for the processing and a separate condition for processing special category data (for example, recording the sexual orientation of staff in order to monitor and promote equality of opportunity in the workplace);
- processing high-risk data under the oversight of a data protection officer, if your organisation has appointed one; and
- documenting your business's reasons for, and the purposes of, processing the sensitive information.
Handling and Storing Special Category Data
Your company must take decisive steps to ensure that it stores special category data securely. It must keep the information only for as long as is necessary for the specified purpose. Once the information is no longer needed, you must delete the sensitive data promptly and securely.
Not keeping personal data beyond its useful lifespan (the storage limitation principle) is one of the core principles of the UK GDPR and a point the ICO focuses on. This is especially so for sensitive personal data.
Reporting Data Breaches to the ICO
Your company must report a personal data breach to the ICO within 72 hours of becoming aware of it where the breach is likely to result in a risk to individuals. A breach involving special category data will usually meet that threshold, and where the risk to individuals is high you must also inform the affected individuals without undue delay.
For example, suppose you accidentally send a Word document containing your employees' racial and ethnic origin and religious beliefs to the whole workforce. Holding the document itself may be permissible if its purpose was to record the make-up of the workplace in order to encourage a more diverse workforce in the future. However, mistakenly disclosing it to multiple individuals would constitute a serious data breach.
Key Takeaways
Your business must handle special category data carefully. Any failure to treat the information safely or securely can quickly lead to the ICO investigating and penalising your organisation. Additionally, disclosing sensitive personal information without consent can be highly upsetting to the data subject. If the breach becomes publicised, it can pose a reputational risk to your organisation. Therefore, ensuring that special category data is identified and handled with care is good practice.
If you need help with data protection requirements and the safe handling of special category data, our experienced Data, Privacy and IT lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page.
Frequently Asked Questions
Aside from achieving equality, what other reasons can my business use to justify handling data?
Other suitable reasons include compliance with the law, preventing unlawful acts or fraud, enabling the support of staff members with a disability and aiding the administration of occupational pensions.
Is it advisable to try and avoid handling special categories of data?
As far as possible, yes. The ICO recommends that your business records special category data only where it is genuinely necessary. For example, your company must hold health-related information in a staff member's personnel file concerning any periods of sickness absence.