Sensitive personal data
What is sensitive personal data?
Any data relating to an identified or identifiable living individual is personal data. A subset of personal data needs extra protection and is subject to stricter processing rules; the GDPR calls these the "special categories of personal data" (Article 9), and they are commonly referred to as sensitive personal data.
Types of sensitive data
According to the GDPR (Article 9), sensitive personal data comprises personal data revealing or concerning:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic data relating to a person's inherited or acquired genetic characteristics
- Biometric data processed to uniquely identify a person, such as fingerprints or facial templates
- Sexual orientation or sex life
- Data concerning a person's physical or mental health
GDPR sensitive personal data definition
The General Data Protection Regulation (GDPR) is an EU regulation, adopted by the European Parliament and the Council and directly applicable in every member state, that governs the collection and processing of personal data relating to individuals in the European Union. It applies to organisations established in the EU and to organisations outside the EU that offer goods or services to, or monitor the behaviour of, people in the EU. Personal data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, together with genetic data, biometric data used for identification, health data and data about a person's sex life or sexual orientation, makes up the GDPR's special categories. Other personal data, such as a name or an IP address, is still personal data but is not sensitive personal data.
How is sensitive personal data different from personal data?
The main difference between personal data and sensitive personal data is the legal basis on which it may be processed and the safeguards required when storing it. The table below summarises the critical differences.
| | Personal data | Sensitive personal data |
|---|---|---|
| What is it? | Information relating to an identified or identifiable living person. | The special categories of personal data (GDPR Article 9), whose misuse carries a higher risk to the individual. |
| How is it processed? | Processing is lawful if one of the GDPR's lawful bases applies (for example, consent of the data subject, performance of a contract, or a legitimate interest) and appropriate security measures are in place. | Processing is prohibited by default. It is allowed only under a specific exception, such as the data subject's explicit consent, data the subject has manifestly made public, obligations under employment or social security law, protection of vital interests, or substantial public interest, and always with appropriate safeguards. |
| Examples | An address such as john@abccompany.com, which reveals a name and an employer, together with location and IP address. | A person's racial or ethnic origin, political opinions, or genetic or biometric data. |
How should sensitive personal data be stored?
In the UK, the Data Protection Act (DPA) 2018 supplements the GDPR, and the additional conditions, safeguards and exemptions under which sensitive personal data may be processed are set out in Schedule 1, Part 1 of the DPA 2018. The storage measures that follow from the GDPR's security requirement (Article 32, which names encryption as an appropriate measure) are stricter than for ordinary personal data: hard copies should be kept separately in a locked drawer or filing cabinet, and digital files should be encrypted at rest and stored where access is restricted to the smallest set of people who need it.
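The two digital safeguards above, encryption at rest and minimum access, in working form. This is an added example, not code from the page or from any regulator; it assumes a 256-bit key supplied by the caller (in practice from a key management service, never stored beside the data), uses AES-256-GCM from the Go standard library so that any tampering with the stored blob is detected on read, and writes the blob with owner-only (0600) permissions. The record contents and the function names `sealRecord`, `openRecord` and `storeSealed` are constructed for illustration.

```go
// Added example (not from the original page): encrypt a record that holds
// special category data at rest and store it with owner-only permissions.
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
)

// sealRecord encrypts plaintext under a 32-byte key with AES-256-GCM.
// The returned blob is nonce || ciphertext || tag. The nonce is random per
// call, so one key can protect many records; keep the number of encryptions
// per key far below 2^32 to avoid a 96-bit nonce collision.
func sealRecord(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// openRecord reverses sealRecord. Any change to the nonce, ciphertext or tag,
// or use of the wrong key, fails the GCM tag check and returns an error
// instead of silently yielding garbage plaintext.
func openRecord(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, nil)
}

// storeSealed writes the blob with mode 0600 (owner read/write only) inside a
// 0700 directory: the "minimum access" part of the storage rule. O_EXCL refuses
// to reuse an existing file, so a pre-created world-readable file at the same
// path cannot be silently written into.
func storeSealed(dir, name string, blob []byte) (string, error) {
	if err := os.MkdirAll(dir, 0o700); err != nil {
		return "", err
	}
	path := filepath.Join(dir, name)
	f, err := os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0o600)
	if err != nil {
		return "", err
	}
	defer f.Close()
	if _, err := f.Write(blob); err != nil {
		return "", err
	}
	return path, nil
}

func main() {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	// Constructed sample record: health data, a special category under Art. 9.
	rec := []byte(`{"subject_id":"S-1042","diagnosis":"type 2 diabetes"}`)
	blob, err := sealRecord(key, rec)
	if err != nil {
		panic(err)
	}
	path, err := storeSealed(os.TempDir(), "sensitive-record.bin", blob)
	if err != nil {
		panic(err)
	}
	defer os.Remove(path)
	stored, _ := os.ReadFile(path)
	if _, err := openRecord(key, stored); err != nil {
		panic(err)
	}
	stored[len(stored)-1] ^= 0x01 // simulate tampering with the stored file
	_, err = openRecord(key, stored)
	fmt.Println("stored at", path, "; tampered copy rejected:", err != nil)
}
```

The file permission is only one layer: on a shared host, restrict who can read the key and the directory, and treat the unsealing code path as the audit point, since every access to the plaintext must pass through it.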