Under the UK GDPR, special category data is personal data that needs extra protection because it is more sensitive. Organisations must usually identify both a lawful basis under Article 6 and a separate condition under Article 9 before processing it.
Under the UK GDPR, special category data is a more sensitive type of personal data. It includes information such as health data, biometric data used for identification, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, sex life, and sexual orientation. Organisations usually need both a lawful basis under Article 6 and a separate Article 9 condition before processing it.
Main point
Special category data needs extra protection because it can create higher risks for individuals
Legal structure
You usually need an Article 6 lawful basis and an Article 9 condition
Why it matters
Getting it wrong can create serious privacy, fairness, security, and accountability risks
Special category data is not just any information that feels private or sensitive. It is a specific legal category under Article 9 of the UK GDPR. The category covers particular types of personal data that can create greater risks for individuals if misused, disclosed, or handled without appropriate safeguards.
This can include personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership.
Genetic data and biometric data are special category data where biometric data is used for the purpose of uniquely identifying someone.
A helpful first step is to check whether the information is personal data at all, and then ask whether it falls within one of the special category data types.
Special category data has an extra legal layer. Organisations normally need a lawful basis under Article 6 and a separate condition under Article 9. One does not replace the other.
This is the ordinary lawful basis question. For example, an organisation may consider consent, contract, legal obligation, vital interests, public task, or legitimate interests depending on the purpose.
The Article 6 lawful basis and Article 9 condition should be chosen because they genuinely fit the processing. They should not be selected just because they sound convenient.
In some cases, organisations may also need to meet conditions under the Data Protection Act 2018, such as having an appropriate policy document for certain substantial public interest or employment-related processing.
Consent is one possible route for processing special category data, but it is not the only route and it is not always the best fit. For special category data, the Article 9 condition is explicit consent, not ordinary consent.
Consent can be used as the lawful basis under Article 6 where the person has a genuine choice and control. It must be freely given, specific, informed, and unambiguous.
Explicit consent requires a clear express statement. It is usually more demanding than ordinary consent and should be documented carefully.
Do not assume that consent automatically solves special category data processing. The organisation still needs to check whether consent is appropriate, whether the individual can genuinely refuse or withdraw it, and whether another Article 9 condition is more suitable. See also Consent Under UK GDPR: When It Is Required and How to Get It Right.
Special category data mistakes often happen because organisations recognise that the information is sensitive, but do not complete the full legal and operational analysis before using it.
An Article 6 lawful basis is not enough on its own. Special category data also needs a valid Article 9 condition.
Some information may feel sensitive without falling within Article 9. The legal category matters because it affects the route to compliance.
Inferences can sometimes become special category data if an organisation intentionally draws or uses an inference about a protected characteristic or health-related matter.
Criminal offence data is not special category data under Article 9, but it has its own additional rules and should still be handled carefully.
If an organisation misidentifies special category data, it may choose the wrong legal route, provide incomplete transparency information, miss a DPIA trigger, or fail to put suitable safeguards in place.
This article is based on ICO guidance on special category data, Article 9 UK GDPR conditions, lawful basis requirements, DPIA expectations, and the Data Protection Act 2018 rules that may apply where UK law authorisation or an appropriate policy document is required. It should be read alongside wider guidance on lawful basis, consent, transparency, and DPIAs.
Use the glossary for key terms, or download the checklist if you want a practical starting point for reviewing whether your organisation has identified higher-risk data and documented the correct legal route.
