The difference between sensitive and personal data is crucial for organisations to understand, as this determines how data held should be treated, and what measures must be in place.
Personal data
Data can be broadly separated into two categories, identifiable and non-identifiable.
Personal data (often called personally identifiable information, or PII) is information from which a living person can be identified, directly or indirectly. It is important to understand what qualifies as personal data, because the UK General Data Protection Regulation (UK GDPR) regulates how such data may be used.
The UK GDPR defines personal data as ‘any information relating to an identified or identifiable natural person’. Personal data therefore includes an individual’s: name; ID number (such as an NHS number); email address; location; personal details or anything that can be used to identify someone with reasonable effort.
Special Category Data (what is sensitive personal data?)
Some personal data is subject to specific rules and safeguards due to its sensitivity. Sensitive data is a type of personal data which is more formally referred to as special category data, which is detailed in Article 9 of the UK GDPR. Special category data includes information concerning or revealing an individual’s:
- Racial or ethnic origin;
- Political opinions;
- Religious or philosophical beliefs;
- Trade union membership;
- Genetic data;
- Biometric data (where used for identification);
- Data concerning health (such as a medical diagnosis); and
- Data concerning a natural person’s sex life or sexual orientation.
As sensitive personal data is of higher risk, it requires more safeguards and security measures than personal data.
Examples of special category data
It can sometimes be difficult to identify special category data. Below are some examples of sensitive personal data and why the classification applies:
- An organisation records the ethnicity of its employees and pseudonymises the data (so it is not identifiable without additional information). The organisation uses this pseudonymised data to measure internal diversity targets. Although the data in this case is not identifiable without additional information, it is still personal data, because a person could be identified once that additional information is combined with it. It is also sensitive data, as the information concerns individuals’ racial or ethnic origin.
- A social media platform is using the data collected about its users’ activity to make inferences about their political beliefs, and targeting those users with specific adverts as a result. In processing user data to target users depending on their politics, the platform is processing sensitive data concerning users’ political opinions.
- An organisation provides a service that analyses users’ DNA, reporting on their ancestry and giving insights into their health. Genetic data is special category data in its own right (unlike biometric data, it does not need to be used for identification to qualify), so the organisation is processing sensitive data; where it derives health insights it is also processing data concerning health.
Lawful Bases
In order to legally process personal or uniquely identifying data, the data controller (the party determining the means and purpose of the processing) will need a lawful basis to do so. Article 6 of the UK GDPR outlines six lawful bases, one of which must be relied upon:
- Consent – freely given, specific and informed; the ICO advises relying on it only where no other lawful basis applies
- Contract – necessary for a contract with the individual, such as an employment contract
- Legal obligation – where legislation (for example social protection law) obliges the data controller to disclose or use the data
- Vital interests – necessary to protect someone’s life
- Public task – necessary for a task in the public interest or in the exercise of official authority
- Legitimate interests – of the controller or a third party, unless overridden by the individual’s interests or rights (not available to public authorities performing their public tasks)
The UK GDPR prohibits the processing of special category data unless an exemption applies. Therefore, in addition to the required lawful basis, special category data can only be processed by a controller when one of the following specific conditions in Article 9 of the UK GDPR[1] is met:
- (a) Explicit consent of the data subject
- (b) Necessary for obligations under employment, social security or social protection law
- (c) Necessary to protect somebody’s vital interests, where they cannot consent
- (d) Legitimate activities of a not-for-profit body with a political, philosophical, religious or trade union aim
- (e) Data already manifestly made public by the data subject
- (f) Necessary for legal claims or judicial acts
- (g) Substantial public interest
- (h) Provision of health or social care, or occupational medicine
- (i) Necessary in the area of public health
- (j) Necessary for archiving, scientific or historical research, or statistical purposes
If the data controller relies upon conditions (b), (h), (i) or (j), they also need to meet the associated condition set out in Part 1 of Schedule 1 of the Data Protection Act (DPA) 2018.
Similarly, if substantial public interest is relied upon, the controller must meet one of the specified public interest conditions set out in Part 2 of Schedule 1 of the DPA 2018.
Impact of unauthorised access
Given the kind of information sensitive personal data involves, and the additional protections it warrants from a lawful basis perspective, it is evident that misuse of special category data can harm individuals more seriously than misuse of other personal data.
The protection of this data should be of particular concern to organisations: unauthorised access to sensitive personal data harms the privacy of the individuals concerned and erodes the trust data subjects place in those who handle their data, with corresponding reputational damage to the organisation.
When organisations process any data, breaches are always a potential risk. Processing sensitive data heightens this risk.
In the UK, unauthorised disclosures of personal data can result in enforcement action by the Information Commissioner’s Office (ICO), including monetary penalties and enforcement notices, and can also expose the organisation to legal claims by affected individuals and to reputational damage.
Where the data involved is sensitive rather than ordinary personal data, the ICO treats this as an aggravating factor when setting the level of a monetary penalty.
What to do when processing special category data?
Once you have identified special category data is being processed, and you have identified what lawful basis it falls under, it is necessary to take certain precautions beyond what would be necessary for processing personal data.
Before processing sensitive personal data, the ICO requires organisations to:
- Complete a Data Protection Impact Assessment (DPIA) for any high-risk processing activity. Large-scale processing of special category data is expressly listed as high-risk processing requiring a DPIA; smaller-scale processing of special category data should be screened against the ICO’s high-risk criteria, and will usually warrant one.
- Identify whether they need an ‘appropriate policy document’ under the DPA 2018 (required for several of the Schedule 1 conditions).
- Consider how the risks associated with special category data affect other obligations, such as data minimisation, security, transparency, the appointment of a Data Protection Officer (DPO), and rights relating to automated decision-making.
While processing sensitive personal data, organisations should ensure that they:
- Keep records of special category data processing (including documenting the categories of data)
- Implement access controls, such as role-based access control (RBAC), so that only staff with a genuine need can reach the fields classified as sensitive.
- Secure storage and transmission of sensitive personal data using encryption, and apply pseudonymisation where the purpose allows (replacing direct identifiers so that the data cannot be attributed to an individual without additional information, such as a key or lookup table that is kept separately). Pseudonymised data is still personal data and still needs protecting; only properly anonymised data falls outside the UK GDPR.
- Train employees on how to recognise and handle special category data.
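As an added illustration, not code from the original article, the following Python sketch applies the two controls above, pseudonymisation and role-based access, to the pseudonymised ethnicity records from the earlier diversity example. The employee records, field names and roles are constructed for the example. It shows that a keyed pseudonym (HMAC-SHA256 under a key held separately from the dataset) can be re-linked by whoever holds the key, which is why the data remains personal data, and that an unkeyed hash of a small identifier space is not a pseudonym at all, because anyone who can enumerate the identifiers recovers every row.

```python
import hashlib
import hmac
import secrets

# Constructed sample HR records (fictitious employees, not real data).
EMPLOYEES = [
    {"employee_id": "E1001", "name": "Alice Example", "ethnicity": "Asian British"},
    {"employee_id": "E1002", "name": "Bob Example", "ethnicity": "White British"},
    {"employee_id": "E1003", "name": "Chen Example", "ethnicity": "Chinese"},
]

# Fields in this (assumed) schema that are Article 9 special category data.
SPECIAL_CATEGORY_FIELDS = {"ethnicity"}

# Assumed roles: which special category fields each role is entitled to read.
ROLE_PERMISSIONS = {
    "diversity_analyst": {"ethnicity"},
    "payroll": set(),
}


def read_field(role, record, field):
    """Return a field, refusing special category fields the role is not entitled to."""
    if field in SPECIAL_CATEGORY_FIELDS and field not in ROLE_PERMISSIONS.get(role, set()):
        raise PermissionError(f"role {role!r} may not read special category field {field!r}")
    return record[field]


def access_denied(role, record, field):
    """True if the role-based check blocks this read (convenience wrapper for callers)."""
    try:
        read_field(role, record, field)
    except PermissionError:
        return True
    return False


def pseudonym(employee_id, key):
    """Keyed pseudonym: HMAC-SHA256 over the identifier under a key stored apart from the data."""
    return hmac.new(key, employee_id.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise(records, key):
    """Drop direct identifiers (name, employee_id) and substitute a keyed pseudonym.
    The result still holds special category data and is still personal data,
    because the key holder can re-link each row to a person."""
    return [{"pseudonym": pseudonym(r["employee_id"], key), "ethnicity": r["ethnicity"]}
            for r in records]


def relink(pseudonymised, known_ids, key):
    """Map each pseudonym back to an employee_id using the key and the identifier list.
    Rows that cannot be matched (e.g. wrong key) map to None."""
    table = {pseudonym(i, key): i for i in known_ids}
    return {row["pseudonym"]: table.get(row["pseudonym"]) for row in pseudonymised}


def unkeyed_pseudonymise(records):
    """The weak variant: plain SHA-256 of the identifier, no secret involved."""
    return [{"pseudonym": hashlib.sha256(r["employee_id"].encode("utf-8")).hexdigest(),
             "ethnicity": r["ethnicity"]} for r in records]


def unkeyed_relink(pseudonymised, known_ids):
    """Anyone able to enumerate the identifier space recomputes the hashes and re-identifies every row."""
    table = {hashlib.sha256(i.encode("utf-8")).hexdigest(): i for i in known_ids}
    return {row["pseudonym"]: table.get(row["pseudonym"]) for row in pseudonymised}


def demo():
    """Count how many rows can be re-identified under each approach."""
    key = secrets.token_bytes(32)          # kept by the controller, separately from the dataset
    ids = [r["employee_id"] for r in EMPLOYEES]
    pseudo = pseudonymise(EMPLOYEES, key)
    with_key = relink(pseudo, ids, key)
    without_key = relink(pseudo, ids, secrets.token_bytes(32))   # attacker guessing a key
    weak = unkeyed_relink(unkeyed_pseudonymise(EMPLOYEES), ids)
    return {
        "relinked_with_key": sum(v is not None for v in with_key.values()),
        "relinked_without_key": sum(v is not None for v in without_key.values()),
        "relinked_unkeyed_hash": sum(v is not None for v in weak.values()),
    }


if __name__ == "__main__":
    print(demo())
    print("payroll may read ethnicity:", not access_denied("payroll", EMPLOYEES[0], "ethnicity"))
```

The design point is that the HMAC key is the "additional information" in the UK GDPR definition of pseudonymisation: the pseudonymised file can be shared with the diversity team under a narrower role, while the key (and the ability to re-identify) stays with the HR system under the stricter one. Deleting the key and the original identifiers is what would move the data towards anonymisation, subject to the ethnicity values themselves not singling anyone out.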
Confidential data
When considering the differences between personal data and sensitive data, it is important to consider the role of confidential data.
Unlike the legislation concerning personal and special category data, the common law duty of confidentiality (CLDC) is based on case law.
The CLDC can arise from a contract (express or implied) or through an ‘equitable principle of confidence’. This protection of confidential information through an equitable duty arises when two conditions are fulfilled:
- the information has a particular quality of confidence about it (meaning it was important to the confider that the information remained secret); and
- the information has been imparted in circumstances where an obligation of confidence arises (a reasonable man receiving the information would have realised it was given in confidence).
Understanding what does and does not qualify as confidential shows that personal or sensitive data can meet these criteria, but does not do so merely by virtue of being personal or sensitive.
Determining whether data is personal or sensitive is therefore a separate question from determining whether it is confidential.
Regardless, it is important to note when data could be confidential, as it would then be subject to the duty of confidence in addition to data protection law. The courts have awarded the following remedies for a breach of confidence: an injunction, damages, an account of profits, and other equitable remedies.
Conclusion
In conclusion, special category data and personal data are regulated quite differently, but it is important to remember that all special category data is personal data, and that if it falls into malicious hands it could lead to fraud, identity theft or other types of harm.
As special category data represents a higher risk, its processing carries additional requirements under the UK General Data Protection Regulation (UK GDPR). These include the Article 9 conditions for processing, a DPIA where the processing is high risk, and the restrictions placed on access to this type of data.
Understanding what constitutes special category data is also crucial from a legal perspective, as the ICO has powers to ensure special category data is treated in accordance with the law.
[1] It should be noted that for a controller to rely on an Article 9 condition for special category processing, the Article 9 condition does not have to be linked to the Article 6 lawful basis.