Docaro

United Kingdom Personal Data Categories For Processing Schedules

Created:
Understand the key personal data categories used in processing schedules and why they matter for compliance, drafting, and risk assessment. This dataset supports clearer UK data processing documentation and complements our AI Generated British Data Processing Agreement resources.
Personal Data Category
Sensitivity Level
Example Data Items
Additional Safeguards Needed
Schedule Notes
Identity Data
Names and personal identifiers
Low
Full name, preferred name, title, customer ID
No
Describe common identifiers used to administer the service.
Contact Data
Contact details
Low
Email address, phone number, postal address
No
List business and personal contact channels separately if relevant.
Identity Data
Account credentials
High
Username, password hash, MFA secret, security answers
Yes
Specify hashing, access controls and incident notification expectations.
Usage Data
Authentication and access logs
Medium
Login times, IP address, failed login attempts, session ID
Sometimes
Note monitoring, retention period and security purpose.
Identity Data, Contact Data, Other
Customer account profile data
Medium
Profile photo, preferences, account settings, organisation name
Sometimes
Identify whether profile content is user-generated or imported.
Financial Data, Other
Transaction and order data
Medium
Order history, invoice number, purchase amount, delivery status
Sometimes
Separate payment card data from general transaction records.
Financial Data
Payment card data
High
PAN, expiry date, cardholder name, tokenised card reference
Yes
State if full card details are processed or only tokens.
Bank account details
High
Sort code, account number, IBAN, account holder name
Yes
Include fraud controls, restricted access and retention limits.
Financial Data, Contact Data
Billing and invoicing details
Medium
Billing address, VAT details, invoice contact, payment status
Sometimes
Identify accounting, tax and debt recovery purposes if applicable.
Financial Data
Credit and affordability data
High
Credit score, income, debts, repayment history
Yes
State if credit reference agency data is processed.
Employment Data
Employment records
Medium
Job title, start date, manager, work location
Sometimes
Describe HR administration and workforce management use.
Employment Data, Identity Data, Contact Data
Recruitment and applicant data
Medium
CV, application form, interview notes, references
Sometimes
Note if equality, health or background checks are included.
Employment Data, Financial Data
Payroll data
High
Salary, tax code, NI number, deductions, payslip data
Yes
Include payroll provider, HMRC reporting and strict access limits.
Identity Data, Employment Data, Financial Data
National Insurance numbers
High
National Insurance number and related payroll records
Yes
Treat as a high-value identifier and restrict disclosure.
Financial Data, Employment Data
Tax records
High
Tax code, UTR, P45, P60, benefits in kind
Yes
Identify statutory reporting and retention obligations.
Employment Data, Financial Data
Pension and benefits data
High
Pension contributions, beneficiary details, benefits elections
Yes
Note scheme administrators and beneficiary data flows.
Employment Data, Special Category Data
Sickness and absence records
High
Fit notes, absence reason, occupational health recommendations
Yes
Flag health data and state limited HR access.
Special Category Data, Employment Data
Occupational health data
High
Medical assessment, adjustments, fitness for work report
Yes
Keep clinical details separate from HR management records.
Contact Data, Other
Emergency contact data
Medium
Next of kin name, relationship, phone number, address
Sometimes
Note data about non-user third parties.
Employment Data
Performance and appraisal data
Medium
Objectives, ratings, feedback, disciplinary notes
Sometimes
Clarify whether monitoring or automated scoring is used.
Employment Data, Other
Disciplinary and grievance records
High
Complaint, investigation notes, warnings, outcome letters
Yes
Flag if allegations include criminal or special category data.
Identity Data, Employment Data
Right to work data
High
Passport copy, visa status, share code, work permit
Yes
State document verification, retention and restricted access controls.
Identity Data
Passport and identity document data
High
Passport number, driving licence, ID card, scanned copy
Yes
Avoid unnecessary copies and specify verification purpose.
Identity Data, Employment Data
Immigration and visa status data
High
Visa type, expiry date, share code, settled status result
Yes
Include lawful work checking and status update handling.
Criminal Offence Data, Employment Data
DBS and criminal records check data
High
DBS certificate number, conviction details, barred list result
Yes
Identify Article 10 data and relevant DPA 2018 condition.
Criminal Offence Data, Employment Data, Other
Allegations and internal investigation data
High
Witness statements, alleged misconduct, investigation evidence
Yes
Flag potential criminal offence data even before findings.
Special Category Data
Health and medical data
High
Diagnosis, treatment notes, prescriptions, medical history
Yes
Identify Article 9 condition and health confidentiality controls.
Mental health data
High
Counselling notes, stress assessments, mental health diagnosis
Yes
Use narrow wording and enhanced access restrictions.
Special Category Data, Employment Data
Disability and reasonable adjustments data
High
Disability status, adjustment request, accessibility needs
Yes
Separate adjustment outcome from detailed medical evidence.
Special Category Data, Identity Data
Biometric data for identification
High
Fingerprint template, facial recognition template, voiceprint
Yes
State if used for uniquely identifying a person.
Identity Data, Other
Images used for non-biometric purposes
Medium
Profile photo, ID badge image, event photo
Sometimes
Clarify that no biometric identification template is created.
Special Category Data
Genetic data
High
DNA profile, genetic test result, inherited condition marker
Yes
Use only if the processor actually handles genetic information.
Racial or ethnic origin data
High
Ethnicity monitoring form, diversity survey response
Yes
Usually include equality monitoring purpose and aggregation controls.
Religion or philosophical belief data
High
Religious affiliation, belief declaration, faith-based request
Yes
Specify if collected for accommodations or equality monitoring.
Political opinions data
High
Political affiliation, campaign preference, survey response
Yes
Avoid unless expressly required by the service.
Special Category Data, Employment Data
Trade union membership data
High
Union membership, subscription deduction, union representative role
Yes
Flag payroll deductions or employee relations use.
Special Category Data
Sex life or sexual orientation data
High
Sexual orientation survey response, relationship context, support notes
Yes
Use narrow wording and avoid unnecessary free-text collection.
Identity Data, Contact Data, Other
Children’s personal data
High
Child name, age, school, parent contact, learning records
Yes
State age range, parental controls and child-specific protections.
Education and student records
Medium
Attendance, grades, learning support, pupil ID
Sometimes
Flag children’s data and any health or safeguarding content.
Special Category Data, Criminal Offence Data, Other
Safeguarding and welfare records
High
Concern report, welfare notes, referral details, risk indicators
Yes
Identify strict access, escalation and retention rules.
Usage Data, Other
Location data
High
GPS coordinates, cell tower data, delivery location, geofence event
Yes
Distinguish precise tracking from coarse location data.
Usage Data, Identity Data
IP addresses and online identifiers
Medium
IP address, cookie ID, device ID, advertising ID
Sometimes
Mention cookies, analytics and security logging where relevant.
Usage Data
Cookie and tracking data
Medium
Cookie ID, pixel event, consent signal, browsing segment
Sometimes
Note PECR relevance and consent management responsibilities.
Website analytics data
Low
Page views, referrer, user journey, device type
Sometimes
State if data is aggregated, pseudonymised or user-level.
Device and browser data
Low
Device model, OS, browser version, screen size
No
Note if combined with identifiers for profiling.
Contact Data, Other
Communications content
Medium
Emails, messages, chat transcripts, call notes
Sometimes
Flag free-text fields that may contain sensitive data.
Usage Data, Other
Call recordings and voice data
Medium
Recorded calls, voicemail, call metadata, speaker voice
Sometimes
Clarify recording purpose, retention and transcription use.
Contact Data, Usage Data, Other
Customer support records
Medium
Ticket history, support messages, screenshots, troubleshooting logs
Sometimes
Warn that attachments may include unexpected sensitive data.
Contact Data, Usage Data
Marketing preference data
Low
Opt-in status, unsubscribe record, channel preference, campaign history
Sometimes
Record consent, suppression lists and PECR responsibilities.
Usage Data, Other
Behavioural profiling data
High
Predicted interests, risk score, propensity model, segment
Yes
Flag profiling and any automated decision-making.
Usage Data, Financial Data, Employment Data, Other
Automated decision-making data
High
Eligibility score, fraud score, ranking output, decision reason
Yes
Describe human review, contestation and model input categories.
Other, Usage Data
AI prompts and generated outputs
High
Prompt text, uploaded documents, model output, feedback rating
Yes
State if prompts may include confidential or special category data.
Other
User-uploaded documents and files
High
Contracts, forms, images, spreadsheets, supporting evidence
Yes
Treat as variable-risk data and restrict processing purposes.
Free-text notes and comments
Medium
Internal notes, comments, descriptions, case updates
Sometimes
Warn users not to enter unnecessary sensitive data.
Identity Data, Other
CCTV and video footage
Medium
Surveillance footage, timestamp, camera location, incident clip
Sometimes
State surveillance purpose, retention and disclosure controls.
Identity Data, Usage Data
Physical access and visitor logs
Medium
Entry time, badge ID, visitor name, host, access zone
Sometimes
Clarify if used for security monitoring or attendance.
Usage Data, Employment Data, Other
Vehicle and telematics data
High
Vehicle location, speed, driving behaviour, route history
Yes
Describe tracking granularity and worker monitoring limits.
Identity Data, Usage Data, Contact Data
Social media identifiers and activity
Medium
Handle, profile URL, posts, engagement, direct messages
Sometimes
Flag if social listening or screening is included.
Contact Data, Identity Data
Supplier and business contact data
Low
Business name, work email, role, phone number
No
Keep separate from consumer or employee datasets if helpful.
Identity Data, Contact Data, Financial Data
Shareholder and investor data
Medium
Shareholding, investor contact, dividend payment, register entry
Sometimes
Identify statutory register and payment processing elements.
Other, Special Category Data, Criminal Offence Data
Legal matter and claims data
High
Claim file, evidence, legal advice, settlement history
Yes
Flag privilege, litigation purpose and variable sensitive content.
Financial Data, Special Category Data, Other
Insurance policy and claims data
High
Policy details, claim history, injury details, beneficiaries
Yes
Separate routine policy data from health or claims evidence.
Criminal Offence Data, Usage Data, Financial Data, Other
Fraud prevention and security risk data
High
Fraud flags, device fingerprint, suspicious transaction, watchlist match
Yes
Identify fraud checks, data sharing and false positive controls.
Identity Data, Financial Data, Criminal Offence Data
KYC and anti-money laundering data
High
ID check, sanctions result, PEP status, source of funds
Yes
State screening providers, retention and restricted disclosure.
Sanctions and politically exposed person screening data
High
Sanctions match, PEP status, adverse media result, screening score
Yes
Describe match review process and audit trail.
Special Category Data, Financial Data, Other
Customer vulnerability data
High
Health vulnerability, financial difficulty, bereavement, support need
Yes
Use narrow labels and limit access to support teams.
Contact Data, Other, Financial Data
Complaint and dispute data
Medium
Complaint narrative, resolution notes, refund details, evidence
Sometimes
Flag if complaints may include health, vulnerability or offence data.
Identity Data
Age and date of birth data
Medium
Date of birth, age band, age verification result
Sometimes
Higher risk when used for children or identity verification.
Identity Data, Special Category Data
Gender, title and pronoun data
Medium
Gender, title, pronouns, gender identity information
Sometimes
Flag if data reveals sensitive identity or equality information.
Other, Contact Data
Family and relationship data
Medium
Marital status, dependants, family contacts, household members
Sometimes
Consider third-party notices and special category overlap.
Usage Data, Financial Data, Other
Household and utility usage data
Medium
Meter readings, energy use, occupancy indicators, tariff data
Sometimes
Flag if data can reveal occupancy patterns or vulnerability.
Contact Data, Financial Data, Other
Property and tenancy data
Medium
Tenancy agreement, rent payment, property address, guarantor details
Sometimes
Identify landlord, agent, tenant and guarantor data flows.
Travel and booking data
Medium
Itinerary, passport detail, booking reference, special assistance request
Sometimes
Flag passport, health or accessibility data if included.
Identity Data, Contact Data, Usage Data, Financial Data
Loyalty and rewards data
Medium
Membership number, points balance, redemption history, preferences
Sometimes
Mention profiling or direct marketing if used.
Contact Data, Usage Data, Other
Survey and feedback data
Medium
Sometimes
State if anonymous, pseudonymous or linked to users.
Usage Data, Contact Data, Other
Consent and permissions records
Medium
Consent timestamp, consent wording, withdrawal, preference setting
Sometimes
Record evidence of consent and withdrawal handling.
Identity Data, Contact Data, Other
Data subject request records
Medium
DSAR request, identity verification, response log, exemption note
Sometimes
Clarify processor assistance with UK GDPR rights requests.
Other, Usage Data, Identity Data
Security incident and breach records
High
Incident report, affected records, log evidence, notification status
Yes
Include breach cooperation, evidence preservation and rapid notice.
Usage Data, Identity Data
System audit logs
Medium
User ID, action taken, timestamp, record accessed
Sometimes
State audit purpose, retention and privileged access controls.
Other
Pseudonymised datasets
Medium
User key, tokenised ID, coded research record, hashed email
Sometimes
Explain who holds the re-identification key.
Aggregated or anonymised outputs
Low
Aggregate report, statistics, anonymised trend data
Sometimes
State anonymisation standard and re-identification restrictions.
Identity Data, Contact Data, Special Category Data, Other
Research participant data
High
Participant ID, consent form, study data, interview transcript
Yes
Describe pseudonymisation, ethics controls and reuse limits.
Special Category Data, Identity Data, Other
Clinical trial data
High
Trial ID, medical observations, adverse events, consent records
Yes
Specify sponsor, site, processor and coded data handling.
Employment Data, Usage Data
Workplace monitoring data
High
Productivity metrics, screenshots, keystroke logs, monitoring alerts
Yes
State monitoring scope, transparency and impact assessment controls.
Usage Data, Contact Data, Employment Data
Email and calendar metadata
Medium
Sender, recipient, subject line, meeting title, timestamp
Metadata may reveal sensitive patterns or confidential relationships.
Employment Data, Contact Data, Identity Data
Staff directory and organisation chart data
Low
Name, role, team, work email, reporting line
No
Note if externally visible or synced to third-party tools.
Employment Data, Identity Data
Professional qualifications and training data
Low
Certification, licence number, training record, CPD status
No
State if verification with professional bodies is included.
Identity Data, Contact Data, Financial Data, Other
Beneficiary and dependant data
Medium
Beneficiary name, relationship, contact details, allocation percentage
Sometimes
Note third-party personal data collected from employees or customers.
Employment Data, Special Category Data, Other
Health and safety incident data
High
Accident report, injury details, witness names, RIDDOR reference
Yes
Separate injury details from safety administration records.
Contact Data, Financial Data, Other
Donor and fundraising data
Medium
Donation history, Gift Aid declaration, supporter preferences
Sometimes
Include direct marketing, Gift Aid and suppression list use.
Identity Data, Contact Data, Financial Data, Other
Membership records
Medium
Member number, subscription status, membership tier, renewal date
Sometimes
Flag if membership reveals political, union or religious views.
Identity Data, Contact Data, Other
Event registration and attendance data
Low
Attendee name, ticket, dietary request, attendance status
Sometimes
Dietary or accessibility requests may reveal sensitive data.
Special Category Data, Other
Dietary and accessibility request data
Medium
Allergy, dietary restriction, mobility need, assistance request
Sometimes
May imply health or religion
collect only necessary detail.
Usage Data, Other
IoT and smart device data
Medium
Sensor reading, device status, usage event, home automation log
Sometimes
Flag household inference, location or health-related data.
Other
Backup and archive data
High
Database backup, file archive, disaster recovery copy
Yes
Describe encryption, restoration access and deletion timing.

What Personal Data Categories Should A UK Data Processing Schedule Identify?

A UK data processing schedule should separate routine categories such as identity, contact, employment, usage and financial data from higher-risk categories such as health data, biometric identifiers, criminal offence data, children’s data and government identifiers. This helps show the processor’s instructions, security measures and sub-processing limits are proportionate to the data being handled.

Which Categories Need Extra Safeguards In A UK DPA?

Special category data under UK GDPR Article 9, such as health, racial or ethnic origin, political opinions, religion, trade union membership, genetic data, biometric data for identification, sex life and sexual orientation, normally needs enhanced safeguards. Criminal offence data under UK GDPR Article 10 and Data Protection Act 2018 safeguards should also be identified separately. Schedules should describe these categories narrowly and avoid broad wording such as all sensitive data.

How Should Data Categories Be Drafted In A Processing Schedule?

  • Use practical labels such as payroll data, customer support records, device identifiers or employee sickness records, rather than only legal labels.
  • Flag categories that may include special category or criminal offence data, even if processed only occasionally.
  • State examples of data items, because a vague category can make Article 28 processor obligations harder to evidence.
  • For high-risk categories, align the schedule with access controls, encryption, audit logging, retention limits and any UK international transfer safeguards.
Personal Data Categories for Processing Schedules
Want to Generate Your own Data Processing Agreement?
Docaro AI can help you write your own Data Processing Agreement for use in the United Kingdom in minutes.
Generate Your Document Now

FAQs

Personal data categories are the types of information processed under a data processing agreement, such as names, contact details, identifiers, employment data, financial data, or usage data.
Show All FAQs

You Might Also Be Interested In

UK Data Processing Agreement Clause Types
Explore UK data processing agreement clause types for compliance, risk management, and clearer contract drafting.
Controller and Processor Obligations Matrix
UK guide to controller and processor obligations, helping clarify data protection duties, contracts, and compliance responsibilities.
Learn when a Data Processing Agreement is needed in the United Kingdom and how a simple flowchart can guide your compliance steps.
Controller or Processor Decision Tree for Data Processing Agreements in the United Kingdom
United Kingdom guide to deciding controller or processor roles for clear, compliant Data Processing Agreements under UK GDPR.
What Clauses Should a Data Processing Agreement Include in the United Kingdom?
Learn what clauses a Data Processing Agreement in the United Kingdom should include for UK GDPR compliance and risk management.

References and Information Sources