What is sensitive personal data?
The GDPR (General Data Protection Regulation) makes a distinction between ‘personal data’ and ‘sensitive personal data’.
In this article, we look at the difference between those terms, and we begin by recapping the Regulation’s definition of personal data:
‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’).
In other words, any information that is clearly about a particular person. In certain circumstances, this could include anything from someone’s name to their physical appearance.
Sensitive Personal Data Examples
We’ve explained more about personal data and the circumstances where it applies to the GDPR in our earlier blog, so we’ll turn our focus now to sensitive personal data.
In its most basic definition, sensitive data is a specific set of “special categories” that must be treated with extra security. These categories are:
Racial or ethnic origin
Political opinions
Religious or philosophical beliefs
Trade union membership
Genetic data
Biometric data (where processed to uniquely identify someone).
Encryption / Pseudonymisation
Sensitive personal data should be held separately from other personal data, preferably in a locked drawer or filing cabinet.
As with personal data generally, it should only be kept on laptops or portable devices if the file has been encrypted and/or pseudonymised.
Pseudonymisation masks data by replacing identifying information with artificial identifiers. Although it is central to protecting data – being mentioned 15 times in the GDPR – and can help protect the privacy and security of personal data, pseudonymisation has its limits, which is why the GDPR also mentions encryption.
Encryption also obscures information, but it does so by transforming the data itself rather than just swapping out identifiers. Whereas pseudonymisation allows anyone with access to the data to view part of the data set, encryption allows only approved users (those holding the decryption key) to access the full data set.
Pseudonymisation and encryption can be used simultaneously or separately.
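To make the difference concrete, here is an added example (not code from the article) that applies both techniques to a small set of constructed records. Pseudonymisation replaces the identifying fields with an HMAC-derived token and keeps the re-identification table separately, so someone holding the pseudonymised file still sees the sensitive attribute (here, union membership) but not who it belongs to. Encryption wraps the whole record set in an authenticated ciphertext that reveals nothing without the key. The encryption routine is a stdlib-only illustration built from HMAC-SHA256 in counter mode with an encrypt-then-MAC tag; the record values, keys and field names are all assumptions chosen for the demo.

```python
import hashlib
import hmac
import json
import secrets

# Constructed sample records: fictional people, used only for this demo.
RECORDS = [
    {"name": "Alice Example", "email": "alice@example.org", "union_member": True},
    {"name": "Bob Example", "email": "bob@example.org", "union_member": False},
]

# Fields that directly identify the data subject (assumed for this demo).
IDENTIFIERS = ("name", "email")


def pseudonymise(records, secret: bytes):
    """Replace direct identifiers with an artificial token.

    Returns the pseudonymised records plus a separate re-identification
    table. The table (and the secret) must be stored apart from the data,
    which is what lets pseudonymisation reduce risk at all.
    """
    lookup = {}
    out = []
    for rec in records:
        # One deterministic token per subject, keyed so that nobody without
        # the secret can recompute it from a guessed name or email.
        subject = "|".join(str(rec[f]) for f in IDENTIFIERS)
        token = hmac.new(secret, subject.encode(), hashlib.sha256).hexdigest()[:16]
        lookup[token] = {f: rec[f] for f in IDENTIFIERS}
        masked = {f: v for f, v in rec.items() if f not in IDENTIFIERS}
        masked["subject_id"] = token
        out.append(masked)
    return out, lookup


def reidentify(pseudo_records, lookup):
    """Reverse pseudonymisation; only possible with the separate table."""
    return [
        {**lookup[r["subject_id"]], **{k: v for k, v in r.items() if k != "subject_id"}}
        for r in pseudo_records
    ]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode: block i = HMAC(key, nonce || i).
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _subkeys(key: bytes):
    # Separate keys for confidentiality and integrity, derived from one secret.
    return (hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest())


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: output is nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before touching the ciphertext."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def encrypt_records(key: bytes, records) -> bytes:
    return encrypt(key, json.dumps(records).encode())


def decrypt_records(key: bytes, blob: bytes):
    return json.loads(decrypt(key, blob).decode())


if __name__ == "__main__":
    pseudo, table = pseudonymise(RECORDS, b"constructed-pseudonymisation-secret")
    print("pseudonymised (attribute visible, identity hidden):", pseudo)
    blob = encrypt_records(b"constructed-encryption-key", RECORDS)
    print("encrypted (nothing visible without the key):", blob.hex()[:40], "...")
```

The point the two functions make side by side: a pseudonymised file is still useful to an analyst who only needs the attribute columns, which is exactly why it is still personal data and still needs the lookup table locked away; the encrypted blob is useless to anyone without the key, which is why the GDPR treats encryption as the stronger safeguard for files on laptops and portable devices. In a real deployment the hand-rolled cipher would be replaced by a vetted AEAD such as AES-GCM from a maintained library, and the pseudonymisation secret would live in a key store rather than in source.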
Processing Sensitive Personal Data
As you might expect, there are extra rules when processing sensitive personal data. Not only must you document a lawful basis for processing under Article 6 of the GDPR, you must also document a lawful basis under Article 9.
Article 6 states that organisations must invoke one of the following lawful bases:
- A contract with the individual: for example, to supply goods or services they have requested, or to fulfil an obligation under an employee contract.
- Compliance with a legal obligation: when processing data for a particular purpose is a legal requirement.
- Vital interests: for example, when processing data will protect someone’s physical integrity or life (either the data subject’s or someone else’s).
- A public task: for example, to complete official functions or tasks in the public interest. This will typically cover public authorities such as government departments, schools and other educational institutions; hospitals; and the police.
- Legitimate interests: when a private-sector organisation has a genuine and legitimate reason (including commercial benefit) to process personal data without consent, provided it is not outweighed by negative effects to the individual’s rights and freedoms.
- Consent: when the data subject agrees to the processing when presented with a clear explanation of the personal data that will be collected and what it will be used for.
Article 9 states that organisations must only process sensitive personal data if the organisation:
- Requires the information to carry out tasks and exercise specific rights of the data subject in the field of employment and social security and social protection law.
- Has gained explicit consent, a more rigorous form of consent in which organisations provide additional information, and make it clearer how the data will be used.
- Requires the information to protect vital interests (as in Article 6).
- Has a legitimate interest for processing the information (as in Article 6).
- Is using information that is manifestly made public by the data subject.
- Requires the information to establish, exercise or defend legal claims.
- Requires the information to complete a public task (as in Article 6).
- Is using the information for the purposes of preventive or occupational medicine, health or social care, or to carry out a medical diagnosis/assessment of an employee’s working capacity.
- Requires the information to complete tasks in public interest in the area of health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of healthcare.
- Requires the information for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.