When to use this
Use this prompt set before you collect, retain, or share any gender-history information — that is, information that reveals, or could be used to infer, a person’s gender history or transition. Under the UK GDPR and Data Protection Act 2018, gender-history information is special-category personal data. It attracts a higher threshold of protection and can only be processed where a separate condition for processing is met alongside a lawful basis.
How to use this template
Work through the prompts as a team — ideally involving your data protection officer. Answer each question in writing before you collect or use the data. If you cannot answer a prompt, that is itself a signal that the processing is not yet defensible. Do not collect gender-history information “just in case”: absence of disclosure is not a gap to close, and curiosity is not a lawful basis.
What data, and why
What data will you collect? (List each field — e.g. previous name, sex assigned at birth, gender marker, medical details.) Why is each field needed? (Tie each field to a specific purpose.) Is there a less intrusive way to achieve that purpose? (Could you collect category-level data, or no data at all?)
Lawful basis for special-category data
What is your lawful basis under Article 6? (e.g. consent, legitimate interests, legal obligation.) What is your condition for processing special-category data under Article 9 and Schedule 1 of the DPA 2018? (Explicitly identify it — not all conditions will apply.) Is the condition valid for this purpose? If relying on consent, is it freely given, specific, informed, and withdrawable?
Purpose limitation
Can this data be reused for another purpose? (If so, what, and is that purpose compatible?) Who might want to reuse it later, and would that be lawful? Have you documented the purpose so that reuse outside it is flagged?
Minimisation
Is each field necessary? (Test each one. If you removed it, what would you lose?) Could you collect less and still achieve the purpose? Are you collecting data you do not yet know how to use? (If yes, do not collect it.)
Access and security
Who can access this data, and on what basis? (Role-based access, not blanket access.) How is it stored? (Encryption, access logs, segregation.) How is it transmitted or shared, if at all?
Retention and deletion
How long will you keep it? (Tie the retention period to the purpose.) What triggers deletion? Who is responsible for deletion, and how is it verified?
Transparency to the data subject
What have you told the data subject? (Privacy notice, collection notice.) Do they know what is collected, why, who sees it, and how long it is kept? Can they exercise their rights — access, rectification, erasure, objection?
Risks to data subjects
What is the risk of outing? (Could disclosure cause distress, harassment, or harm?) What is the risk to dignity and trust? What is the impact if the data is lost, leaked, or misused?
Mitigations
Mitigation: Owner: Residual risk after mitigation:
Residual risk and sign-off
Residual risk level: (Low / medium / high — and the reasoning.) Decision: (Proceed, proceed with mitigations, or do not proceed.) Sign-off: (Data protection officer, accountable lead, date.)
Review
Review date: Review owner: Trigger for earlier review: (e.g. a change in processing, a breach, or a change in law.)
This template provides general information and does not constitute legal advice. It is a scaffold to support your own documented, proportionate decision-making. Adapt it to your context and take specialist advice where your decision warrants it.