GDPR and the Data Protection Act including Collecting Special Category Data

The EU General Data Protection Regulation (GDPR) came into effect in the UK and all EU Member States on 25 May 2018. Following the departure of the UK from the EU, a UK GDPR was introduced which mirrors many aspects of the EU GDPR. The UK GDPR is enforced in the UK together with the UK Data Protection Act 2018 (DPA 2018) and a new piece of legislation, the Data Protection and Digital Information Bill, which is due to be introduced in 2023.

This section should be read in conjunction with the RAS data protection module.

The Data Protection Act 2018 and the UK GDPR require a legal basis for processing personal data. Some personal data is categorised as ‘special category data’ and is subject to additional requirements when being collected.

Personal data categorised as special category data is data on:

  • religious or philosophical beliefs
  • health
  • racial or ethnic origin
  • trade union membership
  • political beliefs
  • sex life or sexual orientation
  • genetic data
  • biometric data (including photos when used for the purpose of uniquely identifying a natural person) of data subjects

Data collected about health (including gender reassignment data and physical disabilities and/or mental health conditions), sexual orientation and ethnicity is categorised as special category data.

The presumption is that special category data needs to be treated with greater care because collecting and using it is more likely to interfere with individuals' fundamental rights or open someone up to discrimination. This is part of the risk-based approach of the UK GDPR.

A legal basis (or processing ground) must be identified before personal data can be processed. In all cases the processing must be necessary, but there is no hierarchy of processing grounds, and data controllers must ensure that the right legal basis is chosen for the data processing activity.

The lawful bases for processing are set out in Article 6 of the UK GDPR. At least one of these must apply whenever personal data is processed:

  • Consent: individuals have given clear consent to process their personal data for a specific purpose.
  • Contract: the processing is necessary for a contract with an individual, or because individuals have asked for specific steps to be taken before entering into a contract.
  • Legal obligation: the processing is necessary to comply with the law (not including contractual obligations).
  • Vital interests: the processing is necessary to protect someone’s life.
  • Public task: the processing is necessary to perform a task in the public interest or for official functions, and the task or function has a clear basis in law.
  • Legitimate interests: the processing is necessary for a controller’s legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply to public authorities processing data to perform official tasks.)

Of the six legal grounds available, “consent” of data subjects, “performance of a contract” (for example, for participants who have agreed to be part of a panel) and the “legitimate interests” of the data controller or a third party are particularly relevant to research recruitment. Additionally, “public task” may be used for research purposes in public sector research projects.

Researchers processing special category data as well as personal data will need to have a legal basis for all categories of data being processed. When processing special category data, practitioners must have a lawful basis under Article 6 of the GDPR in addition to meeting a special condition under Article 9 of the GDPR, but these grounds do not have to be linked.

The full list of conditions for processing special category data, detailed in Article 9, is:

  • Explicit consent
  • Employment, social security and social protection (if authorised by law)
  • Vital interests
  • Not-for-profit bodies
  • Made public by the data subject
  • Legal claims or judicial acts
  • Reasons of substantial public interest (with a basis in law)
  • Health or social care (with a basis in law)
  • Public health (with a basis in law)
  • Archiving, research and statistics (with a basis in law)

Commonly used processing conditions in research projects are explicit consent and scientific research in the public interest.

The important point to note is that there is no restriction on processing any special category data as long as the requirements of Article 6 and Article 9 are being met, and practitioners fully document what they do when collecting special category data and how they do it.

Checklist for Processing Special Category Data

If you are a recruiter and are collecting special category inclusive data as a Data Controller:

  • I have checked the processing of the special category data is necessary for the purpose we have identified and am satisfied there is no other reasonable and less intrusive way to achieve that purpose.
  • I have identified a lawful basis for processing the special category data.
  • I have identified an appropriate condition for processing the special category data.
  • I have documented which special categories of data we are processing.

If you are a recruiter and are collecting special category inclusive data as either a Data Controller or a Data Processor:

  • Where required, I have an appropriate policy document in place setting out how we process special category data.
  • I have considered whether we need to do a Data Protection Impact Assessment for processing special category data.
  • I include specific information about our processing of special category data in our privacy information supplied to participants and potential participants.
  • If we use special category data for automated decision making (e.g., selecting specific panellists for research projects), I have checked we comply with Article 22 of the UK GDPR.
  • I have considered whether the risks associated with our use of special category data affect our other obligations around data minimisation, security, and appointing Data Protection Officers (DPOs) and representatives.

For more detail see: