What is classified as sensitive personal data?
Before collecting personal information, you should know what type of data it is. Is it sensitive personal data, or is it just personal data? Depending on the category it falls into, best practices for storing and protecting data will differ. This article aims to help you understand what data goes where and optimise your processes for storing personal data.
What is defined as sensitive personal data?
According to current GDPR legislation, there is a distinction between personal data and sensitive personal data. Personal data includes data that can be used to identify you as an individual; things like your name, date of birth, or email.
Sensitive personal data is a more specific set of categories that must be handled with greater care, as a leak of this information may lead to discrimination, for example. These categories include health information, race or ethnic background, political opinions, religious or philosophical beliefs, membership of a trade union, sex life or sexual orientation, genetic data and biometric data.
These distinctions identify data that should be handled with special care. However, there is some confusion about what data goes into what category. Let’s look at the most frequently asked questions about sensitive personal data. If you are not sure whether you have this type of data in your systems, where it is, or how much of it you store, use Datamapper to find and track sensitive data across all your company’s storage locations.
Is age sensitive personal data?
No. Age is data that can identify a person and is personal data that is expected to be found in a company’s database. Age falls under the category ‘personal data’ and is not sensitive in relation to the GDPR legislation.
Is an email address sensitive personal data?
No. An email address is categorized as personal data, because it does concern the person and can identify them. However, it is not considered sensitive data because it does not in itself have a direct and serious impact on privacy.
Are names sensitive personal data?
No. Names are categorized as personal data, because they can lead to the identification of a person but they are not classified as sensitive data because on their own, names do not present a risk of serious violation of privacy. On the other hand, some types of identifying data like a person’s citizen service number may be considered sensitive, as it can have a larger impact on privacy.
Is a photograph sensitive personal data?
Yes. A photograph is a direct proof of identity and falls under the category of sensitive personal data regarding race and ethnic background. This means that a company should not be in possession of a photograph of someone without their explicit consent, unless legislation provides an exception.
Is salary information sensitive personal data?
Yes. Salary details are considered more sensitive. Although it does not fall squarely under the category defined as sensitive personal data according to GDPR, salary information is a special category, with a larger impact on privacy than other personal data like someone’s age, email or name.
Is nationality sensitive personal data?
Yes. Nationality is closely related to the sensitive personal data category of race and ethnic background. Be careful when storing this kind of data, as the rules of handling sensitive personal data are stricter, presenting a challenge if you include nationalities in the employee information stored in your database.
Is a passport sensitive personal data?
Yes. A passport is a complete proof of your identity, including race and ethnic background. Companies should not access a person’s passport without explicit consent unless legislation allows for an exception.