Skip to main content

What is defined as sensitive personal data?

According to the GDPR and other privacy laws like the CCPA, PIPL, PIPEDA, etc, there is a distinction between sensitive personal data vs. personal data.

  • Personal data includes data that can be used to identify you as an individual; things like your name, date of birth, or email.
  • Sensitive data is a more specific set of categories.  These categories include health information, race or ethnic background, political opinions, religious or philosophical beliefs, membership of a trade union, sex life or sexual orientation, genetic data and biometric data. These data must be handled with great care, as a leak of this information may lead to discrimination.

However, there is some confusion about what data goes into what category.

Let’s look at the most frequently asked questions about sensitive data.


Is age sensitive data?

No. Age is data that can identify a person and is personal data that is expected to be found in a company’s database. Age falls under the category ‘personal data’ and is not sensitive in relation to the GDPR legislation.


Is email address sensitive data?

No. An email address is categorized as personal data, because it does concern the person and can identify them. However, it is not considered sensitive data because it does not in itself have a direct and serious impact on privacy.


Is name sensitive data?

No. Names are categorized as personal data, because they can lead to the identification of a person but they are not classified as sensitive data because on their own, names do not present a risk of serious violation of privacy. On the other hand, some types of identifying data like a person’s citizen service number may be considered sensitive, as it can have a larger impact on privacy.


Is photograph sensitive data?

Yes. A photograph is a direct proof of identity and falls under the category of sensitive personal data regarding race and ethnic background. This means that a company should not be in possession of a photograph of someone without their explicit consent, unless legislation provides an exception.


Is salary sensitive data?

Yes. Salary details are considered more sensitive. Although it does not fall squarely under the category defined as sensitive personal data according to GDPR, salary information is a special category, with a larger impact on privacy than other personal data like someone’s age, email or name.


Is nationality sensitive data?

Yes. Nationality is closely related to the sensitive data category of race and ethnic background. Be careful when storing this kind of data, as the rules of handling sensitive personal data are stricter, presenting a challenge if you include nationalities in the employee information stored in your database.

Is passport sensitive data?

Yes. A passport is a complete proof of your identity, including race and ethnic background. Companies should not access a person’s passport without explicit consent unless legislation allows for an exception.

Are initials sensitive data?

No. Initials are personal information that can basically be derived from the individual’s name. It does not in itself have a direct and serious implecation on privacy.


Is an address sensitive data?

No, address information is not sensitive. But an address is personal information as it can be used to identify a person. In itself it does not have a direct impact on privacy.


Is birthday sensitive data?

No. However, birthday is considered is personal information because it does not have a direct connection to privacy.


Is a social security number sensitive data?

According to the Personal Data Regulation, the social security number is not sensitive information. However, the social security number belongs to a category that falls outside the GDPR categories for sensitive personal data. Having said this, the social security number is treated as sensitive information because the number is only used to identify a person. Not all countries have a personal identification number.


How should you process sensitive data?

Before collecting personal information, you should know what type of data it is. Is it sensitive data, or is it just personal data? Best practices for storing and protecting data will differ for sensitive personal data vs. personal data.

If you are not sure whether you have this type of data in your systems, where it is, or how much of it you store, use Datamapper to find and track sensitive data across all your company’s storage locations.

Want more free data privacy tips?

Get the latest data privacy management news, trends and expert tips delivered straight to your inbox.

    Sebastian Allerelli

    Governance, risk, and compliance specialist