Why Trans rights are also data rights: Privacy, dignity and the impact of the Supreme Court ruling

The recent UK Supreme Court ruling clarifying that “sex” in the Equality Act refers to biological sex has triggered widespread discussion about legal protections, identity, and inclusion. Much of the focus has rightly been on the immediate implications for trans, non-binary, and intersex people. However, there is an important dimension that deserves more attention: data rights.‍

‍

Identity is Data‍

Information about a person’s gender identity, legal sex, or transition history is not just a social or personal matter. It is personal data. Under UK GDPR and the Data Protection Act 2018, this type of information is classified as special category data, requiring a higher level of protection due to its sensitivity.

When employers, service providers, or public bodies handle this information, they are bound by strict privacy laws. Respecting a person’s identity is therefore not only an inclusion issue. It is a legal obligation under data protection frameworks.‍

‍

The Supreme Court and the Risk to Privacy‍

While the Court’s ruling addressed legal definitions within the Equality Act, it left open serious questions about how organisations can comply without breaching privacy:

• How can someone’s “biological sex” be determined without intrusive or unlawful questioning?
• What happens when a person’s legal documents, lived identity, and personal history reflect different aspects of sex and gender?
• How do organisations balance anti-discrimination duties with data minimisation and confidentiality?

If employers or public bodies overreach by collecting unnecessary data or making assumptions, they risk breaching core principles of UK GDPR, including lawfulness, purpose limitation, and data minimisation.‍

‍

A European Perspective: Protecting Privacy and Dignity‍

In contrast to the UK’s binary legal interpretation, the Court of Justice of the European Union (CJEU) has consistently prioritised individual privacy. It has ruled that forcing disclosure of gender history or identity, where not strictly necessary, can violate both human rights and data protection law.

While the UK is no longer bound by EU decisions, these rulings set a benchmark for respecting dignity through data handling.‍

‍

The Bigger Picture: Data Adequacy at Risk‍

The UK currently enjoys data adequacy status with the European Union, allowing personal data to move freely across borders. This status depends on the UK maintaining privacy protections aligned with EU standards.

If policies emerging from this ruling lead to systemic privacy intrusions, particularly targeting trans, non-binary, or intersex people, there is a real risk that the EU could review this adequacy status.

Losing it would create significant disruption for businesses, public services, and the wider economy, adding compliance burdens and restricting data flows.‍

‍

Our Call to Action‍

Diversity Scotland urges all organisations to proceed with care:

• Do not rush policy changes without fully considering privacy obligations.
• Conduct both Equality Impact Assessments and Data Protection Impact Assessments before implementing guidance linked to sex and gender.
• Engage meaningfully with trans, non-binary, and intersex communities.
• Align practices not only with UK law but with internationally recognised human rights and privacy standards.

Inclusion, privacy, and compliance are interconnected. Protecting one should never come at the expense of the others.

For tailored advice on navigating these complexities, Diversity Scotland is here to support employers and public bodies with clarity, care, and confidence.

‍

#InclusionMatters #TransRights #DataPrivacy #EqualityAct #UKGDPR #HumanRights #DataAdequacy