Is sensitive data the same as personal data?
No. Sensitive data, or sensitive personal data, carries more stringent requirements that your organisation must meet before it can process it. The requirements for processing ordinary personal data are different. We go into both in more depth below, with examples of personal data and of sensitive data.
What is sensitive data?
Sensitive data, or special category data, has to be processed differently.
Special category data is personal data that needs a greater level of protection because it is sensitive.
GDPR makes a clear distinction between sensitive and non-sensitive personal data.
Article 9 of GDPR establishes special categories that require extra attention.
Under GDPR, sensitive data, or special category data, is any personal data that reveals information about the data subject in one of the following categories.
Sensitive data examples:
- Racial or ethnic origin
- Political beliefs
- Religious beliefs
- Genetic or biometric data
- Mental health or sexual health
- Sexual orientation
- Trade union membership
Processing special category data
You need a lawful basis under articles 6 & 9 of GDPR in order to process special category data. These can include:
- If the party concerned has given his or her explicit consent (or subject has made the data public)
- Processing is necessary for the organisation to meet its obligations in terms of employment, social security or social protection, as authorised by member state law
- Processing being carried out in pursuance of legitimate activities by a foundation or not-for-profit organisation
- Protecting data subject interests when the subject is unable or incapable of providing consent
- Substantial public health concerns
In order to understand the difference between personal data and sensitive data, it’s important to establish what we actually mean by these different types of data. They are not the same, and the distinction matters because it affects how the data may be processed.
What is non-sensitive personal data?
GDPR establishes a clear distinction between sensitive personal data and non-sensitive personal data. Examples of non-sensitive data would include gender, date of birth, place of birth and postcode.
Although this type of data isn’t sensitive, it can be combined with other forms of data to identify an individual. Pseudonymization helps to prevent this from happening.
So now you’ve got a thorough understanding of what sensitive data is, let’s move onto what personal data is.
What is personal data?
Personal data is any piece of information that can be used to identify someone, simple as that!
Information such as:
- Name & surname
- Location data
- Home address
- IP address
Each of these on its own does not necessarily qualify as personal data, because it may not clearly identify an individual (source: ICO). Your phone number is considered personal data, and on that note, we’ve got another interesting article on complying with GDPR when using WhatsApp for business, a useful read considering it’s one of the go-to systems for workplace communication.
But back to the nuances of personal data!
Let’s use you as an example.
It’s likely that somebody, somewhere in the world has the same name as you, and as such, you are not easily identifiable by your name alone. However, when this is combined with your email or home address, this information is sufficient to clearly identify you as an individual.
GDPR makes a clear distinction between direct identification information and pseudonymized data. GDPR encourages the use of pseudonymized information and expressly states that:
“The use of pseudonymization in personal data may reduce the risk associated with data management and help controllers and processors to comply with their data protection obligations”.
Pseudonymization does not mean complete anonymization or complete dissociation of the data, nor that the process cannot be reversed. There is always the possibility of identifying the party concerned by using additional information. Unlike anonymized data, pseudonymized data is still considered personal data under GDPR.
This process is intended to ensure greater privacy for those affected: the controller limits access to the additional information to certain authorized persons, and therefore minimizes the risk involved in processing.
When can special category data be processed?
Article 9 lists the conditions for processing special category data:
(a) Explicit consent
(b) Employment, social security and social protection (if authorised by law)
(c) Vital interests
(d) Not-for-profit bodies
(e) Made public by the data subject
(f) Legal claims or judicial acts
(g) Reasons of substantial public interest
(h) Health or social care
(i) Public health
(j) Archiving, research and statistics
Special considerations when processing special category data:
According to the ICO, when relying on conditions (b), (h), (i) or (j), you will also need to meet the associated condition in UK law, set out in Part 1 of Schedule 1 of the DPA 2018.
Personal Data vs Sensitive Data FAQ
Q1. Is name and address sensitive data?
A. Yes, because when combined, they can identify an individual.
Q2. Is sensitive data the same as personal data?
A. No. Sensitive data is special category data under Article 9 of GDPR and, as such, differs from personal data in terms of processing requirements.
Q3. Do I always have to obtain consent to process consumer data?
A. Unless you’re working in healthcare and need to share information for the good of the wider public (the recent pandemic, for example), then yes, you need to obtain user consent.