Understanding the UK requirements for personal data versus special category data is essential for any organisation that handles information about employees, patients, service users, pupils, customers or contractors. Under the UK General Data Protection Regulation (UK GDPR), not all personal data carries the same level of risk. Some information can identify a person, while other information reveals highly sensitive details about their health, identity, beliefs or private life.
For HR teams, healthcare managers and Data Protection Officers (DPOs), the distinction matters because special category data needs stronger protection and extra legal justification. A staff email address, for example, is personal data. An employee’s sickness record, disability information or occupational health report is likely to be special category data. A patient’s diagnosis, treatment notes or care plan is also special category data.
This guide explains the difference in plain English, with practical UK workplace examples. If you need a wider foundation first, read our UK GDPR overview, which explains how UK GDPR, the Data Protection Act 2018 and ICO guidance fit together.
What Is Personal Data Under UK GDPR?
Personal data is any information that relates to an identified or identifiable living person. A person can be identified directly, such as by their name, or indirectly, such as through a combination of details that point to them.
Common examples of personal data include:
- name;
- home address;
- email address;
- phone number;
- staff ID number;
- customer reference number;
- payroll number;
- online identifier;
- CCTV footage;
- location data;
- IP address;
- HR file notes;
- complaint records.
The key issue is identifiability. Information does not need to include someone’s name to be personal data. If the information can reasonably be linked back to a person, either on its own or with other information, it may still be personal data.
For example, “the finance assistant working at the Manchester office who was off sick last week” may identify someone even without naming them, especially in a small team. Similarly, a customer reference number may not mean much to the public, but if your organisation can use it to identify a customer, it is personal data.
UK GDPR also distinguishes between pseudonymised and anonymised data. Pseudonymisation means replacing or separating identifiers so that people are harder to identify without additional information. For example, a research file might replace names with codes, while the key linking codes to names is stored separately.
Pseudonymised data is still personal data if someone can be re-identified using additional information. It is a useful safeguard, but it does not remove UK GDPR obligations.
Anonymisation goes further. Data is only truly anonymised if individuals are no longer identifiable. If anonymisation is effective, the information is no longer personal data. However, organisations must be careful. Simply removing names does not automatically make a dataset anonymous if people can still be identified from combinations of details.
For HR, healthcare and education settings, this distinction is important. Staff absence trends, patient outcomes or pupil support data may still identify individuals if the dataset is small or contains unique details. Organisations should assess re-identification risk before treating data as anonymous.
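As an added illustration (not code from this guide or any product it mentions), the Python below pseudonymises a constructed staff absence extract with a separately held key table, then checks whether dropping the names alone leaves anyone identifiable from the remaining details. The sample records, the choice of office and role as quasi-identifiers, and the threshold k are assumptions.

```python
import secrets
from collections import Counter

# Constructed HR absence extract (fictional staff). Name is the direct identifier;
# office and role are quasi-identifiers that can single someone out in a small team.
STAFF_RECORDS = [
    {"name": "A. Example", "office": "Manchester", "role": "finance assistant", "sick_days": 3},
    {"name": "B. Example", "office": "Manchester", "role": "finance assistant", "sick_days": 0},
    {"name": "C. Example", "office": "Manchester", "role": "nurse", "sick_days": 5},
    {"name": "D. Example", "office": "Leeds", "role": "finance assistant", "sick_days": 1},
]
QUASI_IDENTIFIERS = ("office", "role")  # assumed for this extract

def pseudonymise(records):
    """Swap each name for a random code. Returns (pseudonymised rows, key table).
    The key table must be held separately; while it exists the rows stay personal data."""
    key_table, rows = {}, []
    for rec in records:
        code = secrets.token_hex(4)
        while code in key_table:          # keep codes unique (collisions are rare)
            code = secrets.token_hex(4)
        key_table[code] = rec["name"]
        rows.append({"code": code, **{k: v for k, v in rec.items() if k != "name"}})
    return rows, key_table

def reidentify(rows, key_table):
    """What anyone holding both halves can do: restore the names."""
    return [{"name": key_table[r["code"]], **{k: v for k, v in r.items() if k != "code"}}
            for r in rows]

def group_sizes(rows, quasi_identifiers=QUASI_IDENTIFIERS):
    """How many rows share each combination of quasi-identifiers."""
    return Counter(tuple(r[q] for q in quasi_identifiers) for r in rows)

def singled_out(rows, quasi_identifiers=QUASI_IDENTIFIERS):
    """Rows whose quasi-identifier combination is unique: still identifiable without a name."""
    sizes = group_sizes(rows, quasi_identifiers)
    return [r for r in rows if sizes[tuple(r[q] for q in quasi_identifiers)] == 1]

def passes_anonymity_check(rows, k=3, quasi_identifiers=QUASI_IDENTIFIERS):
    """Crude k-anonymity test: every quasi-identifier combination must cover at least k
    people before the extract is treated as anonymous (k is an assumed policy choice)."""
    return min(group_sizes(rows, quasi_identifiers).values()) >= k

if __name__ == "__main__":
    rows, key = pseudonymise(STAFF_RECORDS)
    print(f"{len(singled_out(rows))} of {len(rows)} rows still single someone out")
    print("anonymous enough to release?", passes_anonymity_check(rows))
```

With names removed, the Manchester nurse and the Leeds finance assistant remain unique, so the extract is still personal data whether or not the key table is available.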
What Is Special Category Data?
Special category data is a more sensitive type of personal data under UK GDPR. It receives extra protection because misuse could create significant harm, discrimination, distress or loss of privacy.
Under UK GDPR, “special category data” refers to personal data that reveals or concerns highly sensitive characteristics or circumstances. This includes data about health, race or ethnic origin, political opinions, religious beliefs, trade union membership and other protected areas.
Special category data is sometimes informally called “sensitive personal data”, although UK GDPR uses the term “special category data”. The old phrase “sensitive personal data” was used under earlier UK data protection law, so some organisations and policies still use it. For current compliance, “special category data” is the more accurate term.
Special category data matters because processing it is generally prohibited unless a specific Article 9 condition applies. In practice, organisations usually need:
- a lawful basis under Article 6 of UK GDPR; and
- a special category condition under Article 9; and
- where required, a UK condition under Schedule 1 of the Data Protection Act 2018; and
- appropriate safeguards, such as access controls, policies, retention limits and staff training.
This is why HR and healthcare teams must be especially careful. They often process health data, disability information, occupational health reports, safeguarding details and equality monitoring data. These records can be necessary and lawful, but they must be handled with clear justification and strong controls.
If your organisation handles high-risk or sensitive data regularly, role-specific learning can help. Our DPO training supports those responsible for data protection governance, while our data protection training for health staff is designed for health and social care contexts where confidentiality and safeguarding are central.
For healthcare teams, our related healthcare data protection overview provides broader guidance on GDPR training for NHS and healthcare staff.
Examples of Special Category Data
UK GDPR identifies nine broad categories of special category data. These are personal data revealing or concerning:
- racial or ethnic origin;
- political opinions;
- religious or philosophical beliefs;
- trade union membership;
- genetic data;
- biometric data used for uniquely identifying a person;
- health data;
- sex life;
- sexual orientation.
These categories can appear in everyday workplace and service delivery situations.
In HR, examples of special category data include sickness absence records, fit notes, disability adjustment requests, occupational health reports, maternity-related health information and some equality monitoring data. A note saying an employee is off work with flu, anxiety or a back injury is health data. A record confirming that an employee needs reasonable adjustments because of a disability is also likely to involve special category data.
In healthcare, special category data is central to service delivery. Patient records, diagnoses, medication details, test results, treatment plans, care notes and referral letters all involve health data. Because health data can affect dignity, privacy, employment, insurance, relationships and personal safety, it is often among the highest-risk personal data an organisation handles.
In education, special category data may include pupil health information, disability support records, safeguarding-related health details, ethnicity data, and information about religious needs. For sector context, see our school data protection guide.
In biometric systems, special category data may arise where biometric data is used to uniquely identify someone. For example, fingerprint access systems, facial recognition systems or biometric attendance tools may involve special category data where the biometric data is used for identification.
Not all sensitive-feeling information is legally special category data. Financial hardship, performance concerns or disciplinary records may be highly confidential, but they are not automatically special category data unless they reveal one of the protected categories. However, they still require careful handling as personal data.
Why Does Special Category Data Need Extra Protection?
Special category data needs extra protection because misuse can create serious consequences for individuals. It can expose private details about someone’s body, health, beliefs, identity, background or personal life.
For example, accidental disclosure of a customer’s email address may be inconvenient and potentially harmful. Accidental disclosure of an employee’s cancer diagnosis, mental health condition or fertility treatment is likely to be far more intrusive and distressing.
Health data is particularly high-risk because it can affect many areas of a person’s life. It may influence workplace treatment, insurance decisions, family relationships, stigma, discrimination or personal safety. In healthcare and social care, poor handling of health data can also damage trust between professionals and service users.
Special category data also raises fairness risks. For example, equality monitoring data may be collected for legitimate diversity and inclusion purposes, but if access is poorly controlled, it could create discrimination or loss of trust. Similarly, disability information may be needed to make reasonable adjustments, but it should not be shared more widely than necessary.
The UK GDPR principles still apply to special category data. Organisations must process it lawfully, fairly and transparently; collect it for clear purposes; minimise what they collect; keep it accurate; retain it only as long as needed; protect it securely; and demonstrate accountability. For a deeper explanation, read our guide to the data protection principles explained.
Practical safeguards may include:
- limiting access to authorised staff only;
- using role-based permissions;
- keeping health records separate from general personnel files where appropriate;
- encrypting sensitive files;
- avoiding unnecessary email sharing;
- using secure portals for medical or care records;
- applying retention schedules;
- documenting lawful bases and Article 9 conditions;
- training staff on confidentiality and escalation routes.
Special category data should not become “everyone’s business” simply because it sits in an organisational system. Access should follow the need-to-know principle.
Lawful Basis and Additional Conditions
Processing special category data lawfully requires more than ordinary personal data processing. Organisations need to identify the correct legal route before processing begins.
First, you need a lawful basis under Article 6 of UK GDPR. Common lawful bases include contract, legal obligation, legitimate interests, vital interests, public task and consent. The right basis depends on the context.
Second, you need a special category condition under Article 9. These include conditions such as explicit consent, employment and social protection law, vital interests, data made public by the individual, legal claims, substantial public interest, health or social care, public health, and research or statistics.
Third, in some cases, the Data Protection Act 2018 provides additional UK conditions through Schedule 1. These are especially important for employment, health, social care, safeguarding, equality monitoring, preventing fraud and substantial public interest processing.
For HR teams, a common example is sickness absence management. The employer may need to process health data to manage sick pay, workplace adjustments, health and safety or employment obligations. The organisation must identify both the Article 6 lawful basis and the relevant Article 9 and DPA 2018 condition.
For healthcare providers, health or social care purposes may provide the relevant Article 9 route where processing is necessary for diagnosis, care, treatment or management of health and social care systems, subject to the correct legal and professional safeguards.
Consent needs careful handling in employment. Although explicit consent is one possible Article 9 condition, employee consent may not always be freely given because of the imbalance of power between employer and worker. In many HR contexts, legal obligation, employment law obligations or other conditions may be more appropriate than relying on consent. Organisations should assess this carefully rather than using consent as a default.
Some Schedule 1 conditions require an appropriate policy document. This document should explain how the organisation complies with data protection principles, how long the data is retained and what safeguards apply.
In short, special category data should always trigger a higher level of review. If a team cannot explain why it needs the data, what legal basis applies, who can access it and how long it will be kept, the process needs more work before it goes ahead.
Practical Steps for HR and Healthcare Teams
HR and healthcare teams handle some of the most sensitive data in any organisation. Practical controls are therefore essential.
1. Identify where special category data is held
Map where sensitive data appears across systems, forms, spreadsheets, emails, paper files and third-party platforms. HR teams should check recruitment, onboarding, absence management, occupational health, payroll, benefits, equality monitoring and disciplinary processes. Healthcare teams should review patient records, referral systems, care planning tools, appointment systems and messaging platforms.
2. Separate need-to-know access from general access
Not everyone in HR, management or administration needs access to all sensitive records. Restrict access based on role and purpose. For example, line managers may need to know that an adjustment is required, but not always the full medical details behind it.
3. Review forms and data collection points
Remove unnecessary questions. If a form asks for health, disability, ethnicity or other special category data, confirm why it is needed and whether the explanation is clear.
4. Document lawful bases and conditions
Record the Article 6 lawful basis, Article 9 condition and any relevant DPA 2018 Schedule 1 condition. This supports accountability and helps staff understand why the data is being processed.
5. Strengthen security controls
Use secure systems, strong passwords, multi-factor authentication, encryption where appropriate and role-based access. Avoid sending sensitive health or HR data through unsecured channels.
6. Apply clear retention rules
Do not keep special category data indefinitely. Define retention periods for sickness records, occupational health reports, patient records, equality monitoring data and safeguarding information.
7. Train staff regularly
Training is a practical safeguard. Staff should understand what special category data is, why it is higher risk, when to escalate concerns and how to avoid accidental disclosure. Training should be refreshed when systems, roles or legal requirements change.
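To make steps 2 and 4 concrete, here is an added Python example (not code from this guide or any system it mentions) using a constructed HR absence record: each role gets a need-to-know view, so a line manager sees that an adjustment is required but not the diagnosis, and a governance check flags any role that can see health data without a documented Article 9 condition. The field schema, roles and condition entries are assumptions for illustration.

```python
# Constructed field classification for an HR absence record (hypothetical schema):
# "personal" fields identify the person; "special_category" fields are health data.
FIELD_CLASS = {
    "staff_id": "personal",
    "name": "personal",
    "absence_start": "personal",
    "adjustment_required": "personal",   # the fact that an adjustment is needed
    "diagnosis": "special_category",     # the medical reason behind it
    "fit_note_text": "special_category",
    "oh_report": "special_category",
}

# Need-to-know views per role (assumed): a line manager learns that an adjustment
# is required, not why; payroll sees only what sick pay calculation needs.
ROLE_VIEWS = {
    "line_manager": {"staff_id", "name", "absence_start", "adjustment_required"},
    "payroll": {"staff_id", "name", "absence_start"},
    "hr_case_handler": set(FIELD_CLASS),
}

# Documented legal route per role (step 4). Illustrative placeholders only; the real
# Article 6 / Article 9 / Schedule 1 entries come from your own DPO's analysis.
DOCUMENTED_CONDITIONS = {
    "hr_case_handler": {"art6": "legal obligation", "art9": "Art 9(2)(b) employment law",
                        "dpa_sch1": "Sch 1 para 1 (employment)"},
    "line_manager": {"art6": "legal obligation"},
    "payroll": {"art6": "contract"},
}

def view_for_role(record, role):
    """Return only the fields the role may see; unknown roles fail closed and get nothing."""
    allowed = ROLE_VIEWS.get(role, set())
    return {k: v for k, v in record.items() if k in allowed}

def exposes_special_category(fields):
    """True if any field in the view is classified as special category data."""
    return any(FIELD_CLASS.get(f) == "special_category" for f in fields)

def roles_missing_article9(role_views=ROLE_VIEWS, conditions=DOCUMENTED_CONDITIONS):
    """Governance check: roles that can see health data but have no documented Article 9
    condition are a gap to close before the process goes ahead."""
    return sorted(role for role, fields in role_views.items()
                  if exposes_special_category(fields) and "art9" not in conditions.get(role, {}))

# Constructed record for a fictional employee
SAMPLE_RECORD = {
    "staff_id": "EMP-0001", "name": "A. Example", "absence_start": "2024-03-04",
    "adjustment_required": True, "diagnosis": "lower back injury",
    "fit_note_text": "not fit for work, 2 weeks", "oh_report": "see attached",
}
```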
For general staff awareness, our GDPR Essentials training provides a practical foundation. Organisations with more complex governance needs may also benefit from DPO training, especially where sensitive data is processed at scale.
FAQs
What counts as personal data under UK GDPR?
Personal data is any information relating to an identified or identifiable living person. This can include names, contact details, staff numbers, customer references, online identifiers, CCTV footage and any other information that can reasonably be linked to a person.
Is an employee’s sickness record special category data?
Yes, an employee’s sickness record is likely to be special category data because it contains health information. Employers must handle it carefully, restrict access and identify both a lawful basis and a special category condition for processing.
Can I process special category data with employee consent?
Sometimes, but employee consent can be difficult because of the power imbalance between employer and worker. In many employment situations, another lawful route may be more appropriate, such as processing necessary for employment law obligations, but this depends on the specific facts.
What are the extra conditions for processing health data?
In addition to an Article 6 lawful basis, organisations need an Article 9 special category condition. Depending on the context, they may also need to rely on a condition in Schedule 1 of the Data Protection Act 2018 and maintain an appropriate policy document.
Does CCTV footage count as personal data?
Yes, CCTV footage can be personal data if individuals are identifiable from it. It is not automatically special category data, but it may become more sensitive depending on what it reveals and how it is used.
Equip your team with the knowledge they need — explore our GDPR Essentials training and DPO training courses to strengthen how your organisation handles personal and special category data.