The UK General Data Protection Regulation (UK GDPR) lays down certain requirements for the collection and processing of sensitive data. So, what is sensitive data and how does it differ from personal data?
Read on to identify examples of sensitive data, learn the difference between sensitive and personal data, understand the legal grounds for its processing and how to avoid data breaches.
In this article
- What is sensitive data?
- What are some examples of sensitive data?
- Is sensitive data and personal data the same thing?
- What are some examples of non-sensitive data?
- How do you assess data sensitivity?
- What are the conditions for processing sensitive data?
- What are the consequences of the unauthorised disclosure of sensitive data?
- Conclusion
What is sensitive data?
Sensitive data, known under the UK GDPR as special category data, is personal data that Article 9 singles out for stronger protection because its misuse could cause serious harm or discrimination. It should only be accessible to those with a specific, justified need.
Note that data does not stop being special category data because the data subject has made it public, or because it circulates routinely inside the organisation. Data that the data subject has manifestly made public is still special category data; what changes is that Article 9(2)(e) then provides one of the conditions under which it may be processed.
There may be some confusion as to the types of data that are classified as sensitive – a step further than personal data – so let us learn what they are.
What are some examples of sensitive data?
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic data
- Biometric data, where it is used to uniquely identify someone
- Health data, including mental and sexual health
- Sex life or sexual orientation
Two further types are often grouped with sensitive data but sit outside Article 9. Data about criminal convictions and offences has its own, similarly strict, regime under Article 10 of the UK GDPR. Financial information is not special category data, although it is usually treated as high-risk personal data, and a breach involving it will normally present a risk to individuals.
Sensitive data, such as the above, should be held separately from general personal data under stricter access controls and, where stored digitally, protected by the kinds of measure Article 32 names as appropriate: encryption at rest and pseudonymisation, so that the special category fields cannot be tied to a person without additional information that is kept apart.
While the latter can also be said of personal data, the two types of data differ in some ways which are explored below.
Is sensitive data and personal data the same thing?
In short, no. Sensitive data must be processed and stored under more stringent requirements than personal data.
Personal data is any information relating to an identified or identifiable living individual. Examples include names, physical addresses, phone numbers, online identifiers and CCTV footage in which a person can be recognised. If pieces of information can be combined to arrive at the identity of a data subject, the gathered information is personal data. Note that fingerprints and other biometric data used to identify someone uniquely fall into the special categories rather than ordinary personal data.
Sensitive data is a step further than personal data; its disclosure could cause harm to the data subject and must be protected for legal or ethical reasons.
What are some examples of non-sensitive data?
Though not sensitive on their own, the following pieces of data – when combined – can be used to identify an individual:
- Gender
- Date of birth
- Postcode
- Birthplace
- Employment status
- Level of education
The above list is not exhaustive — non-sensitive personal data can apply to any type of personally identifiable information that does not qualify as special category data.
Once you have identified sensitive data, you need to determine how sensitive it is and, ultimately, the level of protection it requires.
How do you assess data sensitivity?
A key step in measuring the sensitivity of data is to consider its confidentiality, integrity and availability: to what extent would your organisation and its data subjects be harmed if this data were disclosed, altered without authorisation, or made unavailable?
Confidentiality
Ensure data is protected from unauthorised access but easily accessible to permitted parties. Some confidentiality countermeasures are:
- Data encryption
- Two-factor authentication
- Passwords
- Biometric verification
Integrity
Ensure that data remains consistent and accurate throughout its lifecycle and is not tampered with. Some integrity countermeasures are:
- User access controls
- Audit logs
- Backups
- File permissions
- Checksums, hashes or digital signatures to detect tampering
Availability
Ensure data is available when needed and stored under relevant security controls. Some availability countermeasures are:
- Regular software patch management
- Maintaining a business continuity management system (BCMS) for effective disaster recovery
- Conducting repairs to hardware as soon as needed
- Maintaining firewalls and other additional security measures
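The storage advice above (keep special category fields apart from identifying data, and pseudonymise them) and the confidentiality and integrity countermeasures can be shown in a small program. The following is an added illustration written for this article, not code from any regulator or vendor; the record, the field names and the two keys are constructed for the example. It uses only the Python standard library: a keyed HMAC turns an e-mail address into a pseudonym (the key is the "additional information kept separately" of Article 4(5)), the record is split so that the special category store carries no direct identifier, and each stored row is sealed with a second HMAC so that silent modification is detected on read.

```python
import hashlib
import hmac
import json
import secrets
from typing import List, Optional, Tuple

# Constructed sample record for illustration only; not real data.
SAMPLE_RECORD = {
    "name": "A. Example",
    "email": "a.example@example.invalid",
    "postcode": "AB1 2CD",
    "health": "asthma",           # special category: health
    "trade_union": "member",      # special category: trade union membership
}

# Field names this example treats as Article 9 special category data.
# The names are this example's own choice, not a schema from the article.
SPECIAL_CATEGORY_FIELDS = frozenset({
    "racial_ethnic_origin", "political_opinions", "religious_beliefs",
    "trade_union", "genetic", "biometric", "health",
    "sex_life", "sexual_orientation",
})


def pseudonymise(identifier: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 of a direct identifier (here, the e-mail address).

    Without the key the token cannot be traced back to a person. A plain
    unkeyed hash would not do: e-mail addresses are easy to enumerate and
    test against a stored token.
    """
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def split_record(record: dict, pseudonym_key: bytes) -> Tuple[dict, dict]:
    """Separate a record into an identity row and a special-category row.

    The identity row carries no token and the special-category row carries
    no direct identifier, so only a holder of pseudonym_key can join them.
    The special-category store is the one to encrypt and lock down hardest.
    """
    token = pseudonymise(record["email"], pseudonym_key)
    identity = {k: v for k, v in record.items() if k not in SPECIAL_CATEGORY_FIELDS}
    special = {"token": token}
    special.update({k: v for k, v in record.items() if k in SPECIAL_CATEGORY_FIELDS})
    return identity, special


def _canonical(row: dict) -> bytes:
    # Stable serialisation so the MAC does not depend on key order.
    return json.dumps(row, sort_keys=True, separators=(",", ":")).encode("utf-8")


def seal(row: dict, integrity_key: bytes) -> dict:
    """Attach an HMAC over the row so that silent modification is detectable."""
    mac = hmac.new(integrity_key, _canonical(row), hashlib.sha256).hexdigest()
    return {**row, "mac": mac}


def verify(sealed: dict, integrity_key: bytes) -> bool:
    """Return True only if the row's MAC matches its current contents."""
    row = {k: v for k, v in sealed.items() if k != "mac"}
    expected = hmac.new(integrity_key, _canonical(row), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sealed.get("mac", ""))


def lookup_special(store: List[dict], email: str,
                   pseudonym_key: bytes, integrity_key: bytes) -> Optional[dict]:
    """Find a person's special-category row from their e-mail address.

    Needs the pseudonym key to compute the token, and refuses a row whose
    integrity check fails rather than returning possibly tampered data.
    """
    token = pseudonymise(email, pseudonym_key)
    for sealed in store:
        if sealed.get("token") == token:
            return sealed if verify(sealed, integrity_key) else None
    return None


if __name__ == "__main__":
    # In practice both keys live in a secrets manager, not beside the data.
    pseudonym_key = secrets.token_bytes(32)
    integrity_key = secrets.token_bytes(32)
    identity, special = split_record(SAMPLE_RECORD, pseudonym_key)
    store = [seal(special, integrity_key)]
    print("identity store row:", identity)
    print("special-category store row:", store[0])
    tampered = {**store[0], "health": "none"}
    print("tampered row verifies:", verify(tampered, integrity_key))
```

Two caveats a practitioner should keep in mind. Pseudonymised data is still personal data under the UK GDPR (Recital 26), because the organisation holding the key can re-identify it, so the special category store still needs encryption at rest and access control; the HMAC here only removes the direct identifier. And the integrity MAC detects modification of a row but not deletion or replay of an older sealed row, which is what audit logs and backups from the integrity list cover.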
Once you have assessed the sensitivity of the data your organisation collects, you must consider the legalities of processing it.
What are the conditions for processing sensitive data?
Article 6 of the UK GDPR sets out six lawful bases for processing any personal data: consent, contract, legal obligation, vital interests, public task and legitimate interests. Special category data needs more: on top of an Article 6 basis you must also meet one of the conditions in Article 9(2), and for several of those conditions an associated condition in Schedule 1 of the Data Protection Act 2018.
The Article 9(2) conditions are, in summary:
- The data subject has given explicit consent
- Processing is necessary for obligations or rights under employment, social security or social protection law
- Processing is necessary to protect the vital interests of someone who is physically or legally incapable of giving consent
- Processing is carried out by a not-for-profit body with a political, philosophical, religious or trade union aim, in the course of its legitimate activities, relating only to its members or regular contacts, and the data is not disclosed outside the body without consent
- The data has been manifestly made public by the data subject
- Processing is necessary for legal claims or for courts acting in their judicial capacity
- Processing is necessary for reasons of substantial public interest, with a basis in law
- Processing is necessary for health or social care purposes
- Processing is necessary for reasons of public interest in the area of public health
- Processing is necessary for archiving, research or statistical purposes, with a basis in law
Criminal offence data is handled separately under Article 10 and requires either official authority or a Schedule 1 condition.
If you do not keep up to date with the compliance requirements for processing sensitive data, your organisation could face regulatory fines and claims for damages.
What are the consequences of the unauthorised disclosure of sensitive data?
Transparency obligations come first: you must clearly tell individuals what data you collect, why, and on which lawful basis and Article 9 condition you rely (Articles 13 and 14). Explicit consent is only one of the possible conditions, not a blanket requirement; where you do rely on it, it must be specific, informed and freely given, and as easy to withdraw as it was to give. Additionally, you are required to
- Report a personal data breach to the ICO within 72 hours of becoming aware of it, unless it is unlikely to result in a risk to individuals, and inform the affected individuals without undue delay where the risk is high (Articles 33 and 34)
- Appoint a data protection officer (DPO) if you are a public authority, carry out large-scale regular and systematic monitoring, or process special category or criminal offence data on a large scale (Article 37)
- Apply data minimisation and, where possible, pseudonymisation or anonymisation so that the data you hold reveals no more about the data subject than the purpose requires (Articles 5 and 25)
Failing to do so could result in lasting damage to your organisation’s reputation and the resulting loss of customers, as well as regulatory fines and legal action.
Conclusion
Sensitive data requires a higher level of consideration and protection than personal data because its release could potentially harm the data subject.
To avoid compromising the privacy of data subjects, it is important to be familiar with the compliance requirements outlined by the UK GDPR and uphold countermeasures that protect the confidentiality, integrity and availability of sensitive data.
Perhaps an outsourced DPO may be the best option for reducing data breach risks and your liability. Connect with one of our experts and improve your approach to processing sensitive data!