Category: Compliance & AML · Reviewed by Simon Temme, Account Executive · Last reviewed June 2026
The categories of personal data — racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, sex life and sexual orientation — for which processing is prohibited unless one of the Article 9(2) exemptions applies.
Special category data is a subset of personal data considered to require heightened protection because of its sensitivity. The UK GDPR prohibits processing of special category data unless an Article 9(2) condition applies, alongside an Article 6 lawful basis. For insurance, the most commonly relied-on Article 9(2) conditions are explicit consent (Article 9(2)(a)) and substantial public interest, including insurance (Article 9(2)(g)).
UK GDPR, Article 9. Data Protection Act 2018, Schedule 1 — providing the supplementary conditions required for Article 9(2)(g) and similar bases.
For insurance underwriting, claims handling and policy administration involving health data, the Article 9(2)(g) substantial public interest condition combined with DPA 2018 Schedule 1 Part 2 paragraph 20 (insurance) is the typical basis. The condition requires the processing to be necessary for insurance purposes, with an appropriate policy document in place (Schedule 1 Part 4). For health insurance specifically, Article 9(2)(h) (provision of health or social care) may also be relevant. Where consent is the basis, it must be explicit — clearly given, specific, freely given, informed and able to be withdrawn.
Criminal offence data has its own regime under Article 10 UK GDPR and DPA 2018 sections 10–11, with conditions broadly equivalent to Article 9(2)(g) but requiring official authorisation or a Schedule 1 condition. Genetic, biometric and health data each receive specific treatment.
A motor insurer asking about previous criminal convictions for material assessment purposes processes Article 10 data under DPA 2018 Schedule 1 Part 2 paragraph 20 (insurance) with an Appropriate Policy Document on file. A travel insurance medical screening uses Article 9(2)(a) explicit consent or Article 9(2)(g) with paragraph 20.
UK GDPR, Article 9 and Article 10. Data Protection Act 2018, sections 10–11 and Schedule 1. ICO guidance on Special category data.
By Matt Bartlett, Director, on 2026-06-11.
This entry is part of the Apex Insurance Wiki. Last reviewed by Matt Bartlett on 2026-06-11. Apex Insurance Brokers Limited, FCA FRN 724952, Companies House 07014570. Not regulated advice — consult your broker on your specific position.
Apex Insurance Brokers serves UK professional services firms and commercial businesses. Call 0117 325 0027, email hello@apexinsurancebrokers.co.uk, or request a quotation.
Get a quote