Published June 5th 2025

Dealing with sensitive personal data

Authors
Emily Aggett
Hannah Tucker

In an era where data is central to service delivery, communication, and business operations, the responsibility of managing personal data lawfully and securely is critical. This is particularly true for special category data, which is subject to stricter protections under UK data protection legislation. Organisations of all sizes and sectors, whether controllers or processors, must ensure that they process this type of personal data in compliance with the UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018.

Recent enforcement actions by the Information Commissioner’s Office (ICO) have reinforced the importance of these obligations. Understanding the legal framework, as well as common areas of risk, is essential for all controller organisations handling sensitive information.

Understanding special category data

Special category data refers to personal data which is particularly sensitive. If mishandled, it can expose individuals to significant harm to their rights and freedoms. In order to lawfully process special category data, you must identify both a lawful basis under Article 6 UK GDPR and a separate condition for processing under Article 9 UK GDPR. Special category data includes:

  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Genetic data, and biometric data where it is processed to uniquely identify an individual
  • Health-related data
  • Data concerning an individual’s sex life or sexual orientation

In addition, criminal offence data is not special category data but is subject to its own restrictions under Article 10 UK GDPR and the Data Protection Act 2018, and children's personal data and financial records, although not statutory categories, also warrant a higher level of protection in practice because of the harm their misuse can cause.

Recent ICO enforcement action: DPP Law Ltd

A pertinent example of the risks involved in mishandling sensitive data is the recent enforcement action against DPP Law Ltd, a Liverpool-based legal services firm specialising in practice areas such as crime, military, fraud and personal injury. In April 2025, the ICO imposed a £60,000 fine after the firm failed to secure a digital archive of highly sensitive documents relating to client cases, which was held on an unencrypted server and concerned over 700 data subjects. The attacker gained access through an administrator account that was not protected by multi-factor authentication (MFA); the ICO found that over 400 attempts to access the network had been made since February 2022 before that account was compromised.

As a result, in July 2022 the National Crime Agency (NCA) found that over 32GB of DPP's confidential data, including court bundles, proceedings and police body-worn camera footage relating to clients' cases, had been published on the dark web.

The ICO also found that DPP had made a false statement in its notification letters to data subjects, which explained that their personal data 'is not in the public domain, but in a place on the dark web that is not indexed by search engines'. That is not an accurate description of the risk: not being indexed by search engines does not make data private, and dark web sites are reachable by anyone with the right browser software, so the data was in practice publicly available.

The ICO found that DPP Law had failed to implement basic technical and organisational security measures. The breach not only compromised client confidentiality but also contravened key data protection principles, in particular the integrity and confidentiality principle in Article 5(1)(f) and the security of processing obligations in Article 32 of the UK GDPR.
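The DPP Law findings describe a failure mode rather than a technique, but the two controls a practitioner would check first are easy to express in code. The following is an added example written for this article; it is not code from the original page or from DPP Law's systems, and the log format, account inventory and log records are constructed for illustration. It lists privileged accounts with no MFA enrolment, and flags accounts where a burst of failed logins was followed by a successful login from the same source, which is the pattern in the ICO's findings and the one that should be treated as a probable compromise rather than a forgotten password.

```python
"""Two checks suggested by the DPP Law findings: privileged accounts without
MFA, and credential-guessing bursts that end in a successful login.

Added example, not from the original article or from DPP Law's systems.
The log format, field names, account inventory and records are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def _constructed_log():
    """Constructed records: (timestamp, account, result, source_ip). Not real logs."""
    base = datetime(2022, 2, 1, 8, 0, 0)
    records = []
    # Twelve failed attempts against "admin" over about 35 minutes, then a success.
    for i in range(12):
        records.append((base + timedelta(minutes=3 * i + 1), "admin", "FAIL", "203.0.113.5"))
    records.append((base + timedelta(minutes=45), "admin", "SUCCESS", "203.0.113.5"))
    # An ordinary user who mistyped a password twice, then logged in normally.
    records.append((base + timedelta(hours=2), "jsmith", "FAIL", "198.51.100.7"))
    records.append((base + timedelta(hours=2, minutes=1), "jsmith", "FAIL", "198.51.100.7"))
    records.append((base + timedelta(hours=2, minutes=2), "jsmith", "SUCCESS", "198.51.100.7"))
    return records


SAMPLE_LOG = _constructed_log()

# Constructed account inventory: account -> (is_privileged, mfa_enrolled).
ACCOUNTS = {
    "admin": (True, False),
    "jsmith": (False, True),
    "backup_svc": (True, True),
}


def privileged_without_mfa(accounts):
    """Privileged accounts that can be taken over with a password alone."""
    return sorted(name for name, (privileged, mfa) in accounts.items()
                  if privileged and not mfa)


def failed_login_bursts(records, window=timedelta(hours=1), threshold=5):
    """Accounts with at least `threshold` failed logins inside any sliding `window`.

    Returns {account: peak number of failures seen within one window}.
    """
    failures = defaultdict(list)
    for ts, account, result, _ip in records:
        if result == "FAIL":
            failures[account].append(ts)
    bursts = {}
    for account, times in failures.items():
        times.sort()
        start = 0
        peak = 0
        for end, ts in enumerate(times):
            # Slide the window start forward until all failures in it are recent.
            while ts - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            bursts[account] = peak
    return bursts


def success_after_burst(records, window=timedelta(hours=1), threshold=5):
    """Accounts where a burst of failures from one source was followed by a
    successful login from that same source within `window`: treat as a
    probable compromise, not a locked-out user."""
    suspects = failed_login_bursts(records, window, threshold)
    hits = set()
    for ts, account, result, ip in sorted(records):
        if account not in suspects or result != "SUCCESS":
            continue
        recent_fails = [t for t, acct, res, src in records
                        if acct == account and res == "FAIL" and src == ip
                        and timedelta(0) <= ts - t <= window]
        if len(recent_fails) >= threshold:
            hits.add(account)
    return sorted(hits)


if __name__ == "__main__":
    print("privileged accounts without MFA:", privileged_without_mfa(ACCOUNTS))
    print("failed-login bursts:", failed_login_bursts(SAMPLE_LOG))
    print("burst followed by success:", success_after_burst(SAMPLE_LOG))
```

The thresholds and window are deliberately conservative; the point of the second check is to separate an attacker who eventually guesses correctly from a user who mistypes twice, which a simple per-hour failure count on its own does not do.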

Key considerations for managing special category data

Organisations processing special category data must pay close attention to the following:

  1. Lawful Basis for Processing

Processing special category data requires a clear lawful basis under Article 6 UK GDPR as well as a specific condition for processing under Article 9. Explicit consent is often relied on, but other Article 9 conditions (for example obligations under employment or social protection law, vital interests, or substantial public interest) may fit better, and many of them require the organisation to have an appropriate policy document in place under Schedule 1 of the Data Protection Act 2018. Whichever basis and condition apply, they must be identified, documented and justified in the organisation's records before the processing begins.

  2. Data Minimisation

Organisations should only collect personal data that is necessary for their specified purpose. Collecting or retaining excessive or irrelevant data increases the impact of any breach and is itself a breach of the data minimisation principle in Article 5(1)(c) UK GDPR.

  3. Security and Access Controls

Appropriate technical and organisational measures must be in place, proportionate to the sensitivity of the data (Article 32 UK GDPR). In practice this includes encrypting sensitive data at rest and in transit, requiring multi-factor authentication for administrator and remote access, restricting access to those who need it, logging and monitoring access, regular system audits, and secure disposal of data and media. The DPP Law case turned on the absence of exactly these basics: an unencrypted archive and an administrator account without MFA. Staff training is also crucial to ensuring daily adherence to policies.

  4. Retention and Deletion

Sensitive data must not be retained indefinitely. Organisations should implement tailored data retention schedules which set clear timelines for data review, archiving, and secure deletion, in line with legal and operational requirements. Archived data remains personal data and must be secured to the same standard as live systems; the DPP Law breach concerned an archive, not an active case management system.

  5. Policies, Procedures and Training

Written policies are vital, but they must be supported by regular training so that staff and third-party processors understand how to handle sensitive data appropriately and securely on behalf of the organisation. This is particularly important where multiple departments or third-party processors are involved.

  6. Supply Chain Security

Organisations should ensure that any processors of personal data in their supply chain are processing that data securely and in line with their obligations under UK data protection law. Article 28 UK GDPR requires a written contract between controller and processor setting out these obligations, including the processor's security measures, its duty to assist the controller with breach notification, and the controller's right to audit. Because processors act on the controller's behalf, indemnity provisions protecting the controller against loss arising from a data breach caused by the processor are also recommended practice.

Incident response planning

If a breach occurs, organisations must act quickly. Breaches involving sensitive data are more likely to meet the threshold for notification to the ICO, which must be made within 72 hours of the organisation becoming aware of the breach (Article 33 UK GDPR), and, where the breach is likely to result in a high risk to individuals, the affected individuals must also be informed without undue delay (Article 34). A robust data breach response plan, rehearsed in advance, helps mitigate the impact and demonstrates the organisation's accountability; as the DPP Law case shows, what is said to affected individuals must also be accurate.

The importance of proactive compliance

The ICO continues to take a firm stance on data protection failures, particularly where sensitive data is concerned. In the DPP Law decision the ICO stated that the £60,000 penalty was appropriate and necessary in the circumstances and intended to have a deterrent effect. Organisations that proactively review their data handling practices, security arrangements, and record-keeping are better positioned to avoid regulatory scrutiny and maintain the trust of their stakeholders.

How we can assist

The Data Protection and Privacy team at Michelmores supports organisations in fulfilling their data protection responsibilities through tailored legal advice and practical guidance. Whether you require assistance with data mapping, drafting a lawful processing strategy or data sharing agreement, developing robust retention schedules, training your internal team on data protection law or compliance, or protecting your organisation against data breach scenarios, our team is here to help.
