Division of General Counsel, Governance and Compliance

Special category and criminal offence data

What are the ‘special categories of personal data’?

While all types of personal data require secure and proper handling, data protection legislation specifies some types of personal data which are likely to be more sensitive and which require a greater level of security and governance. These are called ‘special categories of personal data’.

The University process these categories of personal data for a limited range of purposes and only where necessary. These types of data are listed below:

  • personal data revealing racial or ethnic origin;
  • personal data revealing political opinions;
  • personal data revealing religious or philosophical beliefs;
  • personal data revealing trade union membership;
  • genetic data;
  • biometric data (where used for identification purposes);
  • data concerning health;
  • data concerning a person’s sex life; and
  • data concerning a person’s sexual orientation.

What is ‘criminal conviction data’?  

We also process some criminal offence data (although we only do this for limited purposes). This type of data includes information about criminal allegations, convictions, and proceedings. It also includes information linked to security measures and restrictions, such as bail conditions, cautions, and restraining orders, and less obvious types of information, such as personal data relating to witnesses, victims of crime, and the absence of any criminal record or convictions, and details of allegations (proven and unproven). It may also include information about civil measures which may lead to a criminal conviction if not adhered to.

How do we process these types of data and remain compliant with legislation?  

Due to the sensitive and impactful nature of these categories of data, we need to have additional security measures in place to keep it safe. We take steps to stop this data being lost, stolen or disclosed inappropriately, and we make sure that the correct controls are in place before we start to process the data. For example, we may consider completing a Data Protection Impact Assessment, or we may use differing handling methods as appropriate. Other measures include breach management, contract reviews, up to date record keeping and reviews of data protection legislation in advance of new processing. We must also consider the implications of publishing data about specific individuals, even for legitimate purposes, as there could be a risk of inadvertently disclosing or processing special category data as a result. This might affect the individual directly, or another person, so we need to think about the implications of publication at all times.

In addition to these measures, we must also identified a specific reason for processing each of these types of data, when we process them. We must also meet the conditions set out in legislation to ensure our processing is lawful.  

The conditions that we, as a Data Controller, need to meet are detailed in the UK General Data Protection Regulation (‘UK GDPR') and the Data Protection Act 2018. In the UK GDPR there are ten conditions for processing special categories of personal data in Article 9, and in the Data Protection Act 2018 they can be found detailed in Schedule 1, where you can also find details of the conditions for processing criminal conviction data.

Not all of the conditions for processing which are listed out in the legislation apply to us, so we do not use all of them. Those that we commonly use are listed below:

  • The lawful basis that we often rely on to process such data is consent. Put simply, consent means “any freely given, specific, informed and unambiguous indication” of an individual’s wishes / agreement to the processing of their personal data;
  • We also process special categories of data for employment, social security and social protection purposes;
  • For health or social care purposes;
  • To ensure equality of opportunity or treatment;
  • For the prevention or detection of unlawful acts;
  • So that we can protect the public against dishonesty
  • So that facilitate the provision of counselling and other support;
  • So that we can manage legal claims and proceedings.

You can find out more about our processing of criminal conviction data and the special categories of personal data by reading our Appropriate Policy Document.

Any further questions or concerns about the way we process special categories of personal data or criminal offence data should be referred to the University's Data Protection Officer.

Last updated 01 March 2024