What is defined as sensitive personal information?
According to the GDPR and other privacy laws like the CCPA, PIPL, PIPEDA, etc, sensitive personal information includes two types of information that should be distinguished. There is personal information and sensitive information.
- Personal data includes data that can be used to identify you as an individual; things like your name, date of birth, or email.
- Sensitive data is a more specific set of categories. These categories include health information, race or ethnic background, political opinions, religious or philosophical beliefs, membership of a trade union, sex life or sexual orientation, genetic data and biometric data. These data must be handled with great care, as a leak of this information may lead to discrimination.
However, there is some confusion about what data goes into what category. Let’s look at the most frequently asked questions about sensitive data.
Is age sensitive information?
No. Age is data that can identify a person and is personal data that is expected to be found in a company’s database. Age falls under the category ‘personal data’ and is not sensitive in relation to the GDPR legislation.
Is email address sensitive information?
No. An email address is categorized as personal data, because it does concern the person and can identify them. However, it is not considered sensitive data because it does not in itself have a direct and serious impact on privacy.
Is name sensitive information?
No. Names are categorized as personal data, because they can lead to the identification of a person but they are not classified as sensitive data because on their own, names do not present a risk of serious violation of privacy. On the other hand, some types of identifying data like a person’s citizen service number may be considered sensitive, as it can have a larger impact on privacy.
Is photograph sensitive data?
Yes. A photograph is a direct proof of identity and falls under the category of sensitive personal data regarding race and ethnic background. This means that a company should not be in possession of a photograph of someone without their explicit consent, unless legislation provides an exception.
Is salary sensitive data?
Yes. Salary details are considered more sensitive. Although it does not fall squarely under the category defined as sensitive personal data according to GDPR, salary information is a special category, with a larger impact on privacy than other personal data like someone’s age, email or name.
Is nationality sensitive personal information?
Yes. Nationality is closely related to the sensitive data category of race and ethnic background. Be careful when storing this kind of data, as the rules of handling sensitive personal data are stricter, presenting a challenge if you include nationalities in the employee information stored in your database.
Is passport sensitive information?
Yes. A passport is a complete proof of your identity, including race and ethnic background. Companies should not access a person’s passport without explicit consent unless legislation allows for an exception.
Are initials sensitive information?
No. Initials are personal information that can basically be derived from the individual’s name. It does not in itself have a direct and serious implecation on privacy.
Is an address sensitive information?
No, address information is not sensitive. But an address is personal information as it can be used to identify a person. In itself it does not have a direct impact on privacy.
Is birthday sensitive information?
No. However, birthday is considered is personal information because it does not have a direct connection to privacy.
Is a social security number sensitive information?
According to the Personal Data Regulation, the social security number is not sensitive information. However, the social security number belongs to a category that falls outside the GDPR categories for sensitive personal data. Having said this, the social security number is treated as sensitive information because the number is only used to identify a person. Not all countries have a personal identification number.
The smart way to process sensitive personal information?
Before you collect information, you should know whether it is sensitive personal information. The practice for storing and protecting this information will be different depending on whether it is sensitive personal data or not.
If you are not sure if you have this type of data in your systems, where it is, or how much of it you store, I would suggest using a Data Discovery tool like Datamapper to find it across of all your company’s data systems.