What is Sensitive Personal Data Under the Data Protection Act 2018?
Sensitive Personal Data, also known as Special Category Data, is personal information that is inherently more private and requires higher levels of protection. Under the Data Protection Act (2018) and GDPR, processing this data is prohibited unless an organization meets specific legal conditions, as its misuse could significantly impact an individual’s fundamental rights and freedoms.
Which Categories of Information are Classified as Special Category Data?
The law identifies specific types of Special Category Data:
- racial or ethnic origin,
- political opinions,
- religious or philosophical beliefs,
- trade union membership,
- genetic data or biometric data for identification,
- health data, and
- information concerning an individual’s sex life or sexual orientation.
These categories require a dedicated lawful basis for processing under Article 9.
How Do You Legally Process Sensitive Personal Data and Criminal Offence Data?
To legally process sensitive information, a Data Controller must identify both a lawful basis under Article 6 and a specific condition for processing under Article 9 of the GDPR. For criminal offence data, processing is even more restricted and must generally be carried out under the control of an official authority or when authorized by specific UK law.
Mistreatment of this type of data might result in additional harm to the data subject: for example, it could lead to further discrimination or embarrassment, or even expose the individual to harm through blackmail or ransom.
In order to process special categories of personal data, the organisation needs an additional lawful basis over and above those specified for personal data not deemed sensitive:
- Processing is required for carrying out obligations under employment, social security or social protection law, or a collective agreement
- Processing is required to protect the vital interests of a Data Subject or another individual where the Data Subject is legally or physically unable to give consent
- Processing carried out by a not-for-profit body with a philosophical, religious, political or trade union aim, provided the processing relates only to members or former members (or those who have regular contact with it regarding those purposes) and provided there is no disclosure to a third party without consent
- Processing relates to personal data manifestly made public by the Data Subject
- Processing is required for the establishment, exercise, or defence of legal claims or where courts are acting in their judicial capacity
- Processing is required for reasons of significant public interest on the basis of Union or Member State law which is equivalent to the aim pursued, and which contains suitable safeguards
- Processing is required for the purposes of preventative or occupational medicine, for evaluating the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or management of health or social care systems and services on the basis of Union or Member State law or a contract with a health professional
- Processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or guaranteeing high standards of healthcare and of medicinal products or medical devices
- Processing is required for archiving purposes in the public interest, or historical and scientific research purposes or statistical purposes
- Explicit consent of the Data Subject, unless reliance on consent is prohibited by EU or Member State law
Further concerns arise where additional risks are present in the same activity that processes the sensitive data. For example, if sensitive personal data is processed in an activity that also processes data on a large scale, that is without doubt a high-risk activity, and a Data Protection Impact Assessment would be required.
How Can ProvePrivacy Help Manage Special Category Data?
ProvePrivacy simplifies the management of sensitive information by providing a Record of Processing Activities (RoPA) module that highlights special category data across your organization. The platform ensures that the correct Article 9 conditions are mapped to your processing activities and provides built-in risk assessments to help maintain the high level of security required for sensitive data governance.
Sources
- Data Protection Act (2018): https://www.legislation.gov.uk/ukpga/2018/12/contents
- ICO Guide to Special Category Data: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/special-category-data/