What is sensitive data & how is it different to personal data? - Pridatect (2024)

Is sensitive data the same as personal data?

No. Sensitive data, or sensitive personal data, carries more stringent requirements that must be met before your organisation may process it. The requirements for processing ordinary personal data are different; we go into both in more depth below, along with examples of personal data and of sensitive data.

What is sensitive data?

Sensitive data, or special category data, has to be processed differently.

Special category data is personal data that needs a greater level of protection because it is sensitive.

GDPR makes a clear distinction between sensitive and non-sensitive personal data.

Article 9 of GDPR establishes special categories that require extra attention.

Sensitive data, or special category data, as defined by GDPR is any personal data that reveals one of the following kinds of information about a data subject.

Sensitive data examples:

  • Racial or ethnic origin
  • Political beliefs
  • Religious beliefs
  • Genetic or biometric data
  • Mental health or sexual health
  • Sexual orientation
  • Trade union membership

Processing special category data

You need a lawful basis under articles 6 & 9 of GDPR in order to process special category data. These can include:

  • If the party concerned has given his or her explicit consent (or subject has made the data public)
  • Processing is necessary for the organisation to meet its obligations in the field of employment, social security or social protection, as authorised by member state law
  • Processing being carried out in pursuance of legitimate activities by a foundation or not-for-profit organisation
  • Protecting data subject interests when the subject is unable or incapable of providing consent
  • Substantial public health concerns


In order to understand the difference between personal data and sensitive data, it is important to establish what we actually mean by each of these types of data. They are not the same, and the distinction matters because it determines how the data may be processed.

What is non-sensitive personal data?

GDPR establishes a clear distinction between sensitive personal data and non-sensitive personal data. Examples of non-sensitive data would include gender, date of birth, place of birth and postcode.

Although this type of data is not sensitive in itself, it can be combined with other data to identify an individual. Pseudonymization helps to prevent this from happening.

So now you’ve got a thorough understanding of what sensitive data is, let’s move onto what personal data is.

What is personal data?

Personal data is any piece of information that can be used to identify someone, simple as that!

Information such as:

  • Name & surname
  • Email
  • Location data
  • Home address
  • IP address

Each of these on its own does not necessarily qualify as personal data, because by itself it does not clearly identify an individual (source: ICO). Your phone number is considered personal data, and on that note we have another article on complying with GDPR when using WhatsApp for business, a useful read considering it is one of the go-to systems for workplace communication.

But back to the nuances of personal data!

Let’s use you as an example.

It’s likely that somebody, somewhere in the world has the same name as you, and as such, you are not easily identifiable by your name alone. However, when this is combined with your email or home address, this information is sufficient to clearly identify you as an individual.

GDPR makes a clear distinction between direct identification information and pseudonymized data. GDPR encourages the use of pseudonymized information and expressly states that:

“The use of pseudonymization in personal data may reduce the risk associated with data management and help controllers and processors to comply with their data protection obligations.”

Pseudonymization does not mean complete anonymization, complete dissociation of the data, or the impossibility of reversing it, because there is always the possibility of identifying the party concerned through additional information. Unlike anonymized data, pseudonymized data is therefore still considered personal data under GDPR.

This process is intended to give those affected greater privacy: the controller limits access to the additional information to certain authorized persons, and so reduces the risk involved in processing.
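To make the distinction in the two paragraphs above concrete, here is an added Python example (not code from the Pridatect article). It pseudonymises a constructed set of customer records with a keyed hash, returns the re-identification table separately so it can be held apart from the working data, shows that anyone holding the key can still link a known person to the dataset, and contrasts that with an aggregate that cannot be reversed. The key, the records and the field names are all assumptions made for this illustration.

```python
import hashlib
import hmac

# Constructed sample records for the illustration; not real people.
RECORDS = [
    {"email": "alice@example.org", "postcode": "SW1A 1AA", "purchase": 42.50},
    {"email": "bob@example.org", "postcode": "M1 1AE", "purchase": 17.00},
    {"email": "alice@example.org", "postcode": "SW1A 1AA", "purchase": 9.99},
]

# Assumed secret held by the controller. Like the lookup table below, it is
# the "additional information" that makes re-identification possible, so it
# must be stored apart from the pseudonymised dataset and access-controlled.
PSEUDONYM_KEY = b"constructed-demo-key-do-not-reuse"


def _token(email, key):
    """HMAC-SHA256 of the identifier under the controller's key, truncated."""
    return hmac.new(key, email.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def pseudonymise(records, key):
    """Replace the direct identifier (email) with a keyed pseudonym.

    The token is deterministic, so the same person always receives the same
    subject_id and the records stay linkable for analytics. The token->email
    mapping is returned separately so it can be stored away from the
    working dataset and restricted to authorised staff.
    """
    lookup = {}
    pseudonymised = []
    for rec in records:
        token = _token(rec["email"], key)
        lookup[token] = rec["email"]
        pseudonymised.append(
            {"subject_id": token, "postcode": rec["postcode"], "purchase": rec["purchase"]}
        )
    return pseudonymised, lookup


def reidentify(pseudonymised, lookup):
    """Reverse the pseudonymisation using the separately held lookup table.

    Because this remains possible for whoever holds the table (or the key),
    the pseudonymised dataset is still personal data under GDPR.
    """
    return [dict(rec, email=lookup[rec["subject_id"]]) for rec in pseudonymised]


def is_subject_present(email, key, pseudonymised):
    """The key alone is enough to test whether a known person is in the
    dataset: recompute their token and look for it. This is why the key
    counts as 'additional information' and must be protected too."""
    token = _token(email, key)
    return any(rec["subject_id"] == token for rec in pseudonymised)


def anonymise(records):
    """Aggregate the records so that no identifier or per-person row survives.

    Nothing here can be reversed with a key or a table, which is the
    difference between anonymisation and pseudonymisation. (Whether an
    aggregate is truly anonymous still depends on group size; that check is
    outside this illustration.)
    """
    total = sum(rec["purchase"] for rec in records)
    return {"n_purchases": len(records), "total_spend": round(total, 2)}


if __name__ == "__main__":
    working, mapping = pseudonymise(RECORDS, PSEUDONYM_KEY)
    print("pseudonymised:", working)
    print("re-identified:", reidentify(working, mapping))
    print("alice present:", is_subject_present("alice@example.org", PSEUDONYM_KEY, working))
    print("anonymised:", anonymise(RECORDS))
```

The working dataset that analysts see contains no email address, yet the two Alice rows share a `subject_id`, so the data is still about an identifiable person for anyone with access to `mapping` or `PSEUDONYM_KEY`; the aggregate from `anonymise` is the only output that no held secret can turn back into a person.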

When can special category data be processed?

Article 9 lists the conditions for processing special category data:

(a) Explicit consent

(b) Employment, social security and social protection (if authorised by law)

(c) Vital interests

(d) Not-for-profit bodies

(e) Made public by the data subject

(f) Legal claims or judicial acts

(g) Reasons of substantial public interest

(h) Health or social care

(i) Public health

(j) Archiving, research and statistics

Special considerations when processing special category data:

According to the ICO, when relying on conditions (b), (h), (i) or (j), you also need to meet the associated condition in UK law, set out in Part 1 of Schedule 1 of the DPA 2018.

Personal Data vs Sensitive Data FAQ

Q1. Is name and address sensitive data?

A. Yes, because when combined, they can identify an individual.

Q2. Is sensitive data the same as personal data?

A. No, sensitive data is special category data under article 9 of GDPR and as such, differs from personal data in terms of process requirements.

Q3. Do I always have to obtain consent to process consumer data?

A. Unless you’re working in healthcare and need to share information for the good of the wider public (the recent pandemic for example) then yes, you need to obtain user consent.


Sensitive Data vs. Personal Data:

Definition of Sensitive Data:

Sensitive data, also known as special category data, is subject to more stringent processing requirements under GDPR. This type of data demands a higher level of protection because of its sensitivity. Examples of sensitive data include racial or ethnic origin, political beliefs, religious beliefs, genetic or biometric data, mental health or sexual health information, sexual orientation, and trade union membership.

GDPR Distinction:

GDPR makes a clear distinction between sensitive and non-sensitive personal data. Article 9 of GDPR establishes special categories that necessitate extra attention in processing.

Processing Special Category Data:

For processing special category data, organizations must have a lawful basis under Articles 6 and 9 of GDPR. This includes explicit consent, processing necessary for employment or legal obligations, activities by foundations or not-for-profit organizations, protection of data subject interests, and addressing substantial public health concerns.

Non-sensitive Personal Data:

Definition:

Non-sensitive personal data, as per GDPR, includes information like gender, date of birth, place of birth, and postcode. While not inherently sensitive, this data can, when combined, identify an individual.

Pseudonymization:

To prevent the identification of individuals, pseudonymization is encouraged. It involves replacing identifying information with pseudonyms. GDPR recognizes that pseudonymized data still qualifies as personal data, as it can potentially be linked back to the individual.

Personal Data:

Definition:

Personal data encompasses any information that can identify an individual. This includes basic details like name and surname, email, location data, home address, and IP address.

Distinction from Sensitive Data:

GDPR emphasizes the difference between direct identification information and pseudonymized data. Pseudonymization is encouraged to reduce the risk associated with data management while recognizing that it doesn't achieve complete anonymization.

Conditions for Processing Special Category Data:

Article 9 of GDPR outlines conditions for processing special category data. These include explicit consent, employment and legal obligations, vital interests, not-for-profit activities, data made public by the subject, legal claims, substantial public interest, health or social care, public health, and purposes such as archiving, research, and statistics.

FAQ:

Q1. Is name and address sensitive data?

A. Yes, when combined, they can identify an individual.

Q2. Is sensitive data the same as personal data?

A. No, sensitive data is special category data under Article 9 of GDPR, differing in terms of processing requirements.

Q3. Do I always have to obtain consent to process consumer data?

A. Generally yes. Except in specific situations such as healthcare emergencies, where sharing information serves the greater public good, consent is required for processing consumer data.


FAQs

What is the difference between sensitive data and personal data?

Sensitive information is a type of personal information that is more highly protected by laws due to its more vulnerable nature. For example, personal information can be your last name or email address. Sensitive information can be your political affiliation or criminal history.

What is sensitive data in simple words?

Sensitive data is information that must be protected against unauthorized disclosure. It can be in physical or electronic form and includes PII (Personally identifiable information), PHI (Protected health information), and more.

Do sensitive personal data and personal data have the same legal requirements?

According to the GDPR, sensitive information is a special category of personal data, and to legally collect and use it, you need to prove a lawful basis for processing this type of information.

What does sensitive info mean?

Privacy regulations describe sensitive information as any personal data or information that could potentially cause harm, damage, embarrassment, or discrimination to an individual if it is disclosed, accessed, or used without authorization.

What is sensitive data and examples?

Sensitive personal data examples: religious or philosophical beliefs; trade union membership; genetic data; data related to a person's sex life or sexual orientation.

What are examples of personal data?

Personal data may, for example, include information on name, address, e-mail address, personal identification number, registration number, photo, fingerprints, diagnostics, biological material, when it is possible to identify a person from the data or in combination with other data.

What is sensitive data and how is it protected?

Sensitive data, also known as sensitive personal data or sensitive personally identifiable information (SPII), refers to information that, if disclosed, misused, or accessed without authorization, could result in harm, discrimination, or adverse consequences for the individual to whom the data pertains.

How do you know if data is sensitive?

Data is generally considered either Sensitive or Highly Sensitive if it contains identifiable 'personal information' or identifiable health information. This includes: '[Information or an opinion] about an individual whose identity is apparent or can reasonably be ascertained from the information or opinion.'

What is the sensitivity of data?

Sensitive data is classified information that must be protected against unauthorized access, and it can be seen as a higher tier that requires greater protection than personal data.

What personal data is not considered sensitive?

Examples of non-sensitive data would include gender, date of birth, place of birth and postcode. Although this type of data isn't sensitive, it can be combined with other forms of data to identify an individual.

Is a birthday personal data or sensitive data?

Sensitive and non-sensitive PII

Examples of non-sensitive PII typically include an individual's full name, birthday, email address, mailing address, work history, and business contact information, such as their work phone number.

What are you not allowed to do with sensitive data?

Sensitive data, or sensitive information, should not be changed in transit and should not be able to be altered by unauthorized people (for example when a data breach happens). Examples of integrity countermeasures: File permissions.

Which of these is sensitive personal data?

Sensitive data is data that reveals a person's race or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership and personal data concerning a person's health and sex life.

What are three types of sensitive information?

Sensitive information typically falls into three categories: sensitive PII, business information, and classified information.

Is age sensitive personal information?

Sensitive personal information is personal information that: 1. refers to an individual's race, ethnic origin, marital status, age, color, affiliations (religious, philosophical, or political), health, education, genetic or sexual life; 2.


What is the difference between PSI and PII?

Personally Sensitive Information (PSI) is an official U.S. Forest Service record that is Personally Identifiable Information (PII) or non-public information, which if lost, compromised, or disclosed without authorization could result in substantial harm, embarrassment, inconvenience, or unfairness to an individual.

What can be classified as personal data or sensitive personal data?

Under the GDPR, 'personal data' means “any information relating to an identified or identifiable natural person”. But there's another type of personal data, called 'special category' data (sometimes called 'sensitive' personal data), in relation to which extra care must be taken.


Author: Laurine Ryan
