The UK General Data Protection Regulation (UK GDPR) contains rules for the way you collect and process sensitive data. But what is sensitive data and how does it differ from personal data?
Read on to identify some examples of sensitive data and learn some key differences between sensitive and personal data. We’ll also look at the legal grounds for processing it and how to avoid data breaches. Let’s dive in...
What is sensitive data?
Sensitive data—also known as special category data or sensitive personal data—is confidential information that you should only make available to people who have the right permissions to access it.
Data is not considered sensitive if it’s:
- Already publicly known and available, or
- Organisational information that you regularly share in or outside your organisation
But what types of personal data are considered sensitive? Let’s find out.
What are some examples of sensitive data?
- Racial or ethnic origin
- Political beliefs or religious beliefs
- Genetic or biometric data
- Mental health or sexual health
- Sexual orientation and sex life
- Possession or lack of trade union membership
- Financial information
- Criminal convictions and offences
You’ll need to store sensitive data like this separately from other personal data. And, when you store it digitally, you’ll also need to encrypt it or remove any personally identifiable markers.
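As an added illustration of the separate-storage and identifier-removal point (example code, not from the original article), this splits one subject record into a personal-data store and a special category store that carries only a keyed pseudonym; the field names, sample record and secret key are constructed assumptions.

```python
import hashlib
import hmac

# Field names are constructed for this example; they mirror the special
# category types listed above (assumption: one column per category).
SPECIAL_CATEGORY_FIELDS = {
    "racial_or_ethnic_origin", "political_beliefs", "religious_beliefs",
    "genetic_data", "biometric_data", "mental_health", "sexual_health",
    "sexual_orientation", "trade_union_membership", "criminal_convictions",
}
# Direct identifiers that must never be written to the special category store.
DIRECT_IDENTIFIERS = {"name", "email", "phone", "address"}


def pseudonym(subject_id: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256) of a subject identifier. Without the secret
    key the token cannot be linked back to a person, so the special category
    store carries no personally identifiable marker."""
    return hmac.new(key, subject_id.encode("utf-8"), hashlib.sha256).hexdigest()


def split_record(record: dict, key: bytes) -> tuple[dict, dict]:
    """Split one subject record into two stores: personal data (kept with the
    identifiers) and special category data (identifiers replaced by the
    pseudonym). The pseudonym is the only join key between the two."""
    token = pseudonym(record["email"], key)  # email used as subject id (assumption)
    personal = {k: v for k, v in record.items() if k not in SPECIAL_CATEGORY_FIELDS}
    personal["pseudonym"] = token
    special = {k: v for k, v in record.items() if k in SPECIAL_CATEGORY_FIELDS}
    special["pseudonym"] = token
    return personal, special


def has_direct_identifiers(record: dict) -> bool:
    """Guard to run before writing anything to the special category store."""
    return bool(DIRECT_IDENTIFIERS.intersection(record))


# Constructed sample record and key (not real data; load the key from a secrets manager).
SAMPLE = {
    "name": "A. Example", "email": "a.example@example.test", "postcode": "AB1 2CD",
    "mental_health": "referred to counselling", "trade_union_membership": True,
}
SECRET_KEY = b"replace-with-a-key-from-your-secrets-manager"

if __name__ == "__main__":
    personal_store, special_store = split_record(SAMPLE, SECRET_KEY)
    assert not has_direct_identifiers(special_store)
    print(personal_store)
    print(special_store)
```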
This last point also applies to personal data, but there are also some important differences between the two types of information.
Is sensitive data and personal data the same thing?
In short, no. There are much tougher rules that apply to processing and storing sensitive data.
Personal data is any information that someone could use to identify an individual or establish their physical presence at a location. Things like CCTV footage, fingerprints, physical addresses and phone numbers, for example. So, if you can use a piece of information to identify a data subject, you’re dealing with personal data.
But sensitive data is a whole different level. It’s the type of information that could cause harm to an individual if you disclosed it. As such, the regulations protect it on legal, ethical or other relevant grounds.
What are some examples of non-sensitive data?
Even when exploring non-sensitive data, you’ll still need to exercise some caution. Because although some pieces of data aren’t individually sensitive, when combined they could help someone to identify a data subject. Things like:
- Gender
- Date of birth
- Postcode
- Birthplace
- Employment status
- Level of education
This isn't an exhaustive list — non-sensitive personal data can apply to any type of personally identifiable information even if it doesn’t qualify as special category data.
Once you’ve identified sensitive data, you’ll need to determine how sensitive it is. Only then can you work out the level of protection that it needs.
How do you assess data sensitivity?
There are several ways to do this. A key first step when measuring the sensitivity of data is to consider its confidentiality, integrity and availability. In other words, how bad would it be for your data subject (and your business) if this data were released?
Confidentiality
Make sure data is protected from unauthorised access but easily accessible to permitted parties. Some confidentiality countermeasures include:
- Data encryption
- Two-factor authentication
- Passwords
- Biometric verification
Integrity
Ensure data remains consistent and accurate throughout its lifecycle and that information isn’t changed or tampered with. Some integrity countermeasures are:
- User access controls
- Audit logs
- Backups
- File permissions
Availability
Make data available when people need it, and protect that availability with relevant security controls and countermeasures like these:
- Regular software patch management
- Maintaining a business continuity management system (BCMS) for effective disaster recovery
- Conducting repairs to hardware as soon as needed
- Maintaining firewalls and other additional security measures
Okay, great. You’ve assessed the sensitivity of the data your organisation collects! But have you considered the legalities involved when you process it?
What are the conditions for processing sensitive data?
There are six lawful grounds for processing personal and sensitive data: consent, contractual obligations, legal obligations, vital interest, public interest and legitimate interest. These grounds determine if you have a legal basis for processing sensitive data or not.
Articles 6 and 9 of the UK GDPR lay down these requirements, and here they are:
- The data subject must have either:
  - Already made the data public, or
  - Given their explicit consent for its collection/processing
- Processing must be in the data subject’s best interests if they're unable or incapable of giving explicit consent
- Processing is required due to a significant public health concern
- Processing is necessary for the data controller (your organisation) to adhere to employment-related, social security or other obligations
- Processing is necessary to verify the legitimacy of activities carried out by not-for-profit organisations or foundations
If you don’t stay up to date with the compliance requirements for processing sensitive data, your organisation could be liable for damages.
What are the consequences of the unauthorised disclosure of sensitive data?
You need to clearly notify individuals about the data you're collecting, the reasons why, and what you intend to do with it. The UK GDPR states that you have to get the explicit consent of the data subject. You’ll also need to:
- Notify individuals in case of a data breach
- Appoint a data-protection officer (DPO)
- Maintain the anonymity of collected data for the privacy of the data subject
If you don’t, you run the risk of lasting damage to your organisation’s reputation, and regulatory fines and legal action.
Conclusion
Sensitive data requires a higher level of consideration and protection than personal data because its release could potentially harm the data subject.
To avoid compromising the privacy of data subjects, it’s important to be familiar with the compliance requirements outlined by the UK GDPR. By doing so, you’ll be better able to uphold countermeasures that protect the confidentiality, integrity and availability of sensitive data.
Perhaps an outsourced DPO may be the best option for reducing data breach risks and your liability. Connect with one of our experts and improve your approach to processing sensitive data!