Under the GDPR, the definition of ‘personal data’ means “any information relating to an identified or identifiable natural person”. Sensitive personal data relates to information which requires extra care.
A business cannot process any information falling within the list above without taking extra precautions. This is particularly relevant in relation to employees, as many personnel files will contain some of that information about employees, particularly in those industries that are unionised.
Personal data can be anything that allows a living person to be directly or indirectly identified. This may be a name, an address, or even an IP address. It includes automated personal data and can also encompass pseudonymised data if a person can be identified from it.
GDPR calls the definition of sensitive personal data as being in ‘special categories’ of information. These include trade union membership, religious beliefs, political opinions, racial information, and sexual orientation.
Both personal data and sensitive personal data are covered by the GDPR.
Personal data is anything that contains:
- Directly identifying information such as a person’s name, surname, phone numbers, etc.
- Pseudonymous data or non-directly identifying information, which does not allow the direct identification of users but allows the singling out of individual behaviours
Under the GDPR, personal data is ‘sensitive’ if it relates to:
- racial or ethnic origin
- political beliefs
- religious or philosophical beliefs
- trade union membership
- genetic or biometric data
- physical or mental health
- sex life or sexual orientation
In order to be compliant under the GDPR, you must firstly identify what sensitive data your business is already holding, and in relation to whom it is holding that data. And then ensure that your business is complying with those additional requirements that apply to sensitive data.
And secondly, identify if your business holds any genetic or biometric data, or any data about philosophical beliefs or sexual orientation, and simply begin to apply those additional requirements to those other types of data.
Anyone who processes personal information must make sure that the information is:
- adequate, relevant and not excessive
- processed fairly and lawfully
- obtained only for one or more specified and lawful purposes, and not further processed in any manner incompatible with that purpose or those purposes
- accurate and up to date
- processed in accordance with the rights of data subjects under the Data Protection Act 2018
- kept for no longer than is necessary
- secure (ie using appropriate technical or organisational measures to protect against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data).