Many of the laws on data privacy mention special categories of personal data, which should be more carefully handled if you’re collecting or processing users’ data. This typically refers to “sensitive data”.
As you may need to apply extra layers of security when it comes to sensitive data, it’s important to know exactly what is considered sensitive personal information, and what is not.
In this post, we’ll give you examples of sensitive data and show you what you may need to do to process it in accordance with data privacy laws.
What are sensitive data?
Sensitive data are typically defined as personal information whose processing could potentially lead to discrimination against the user. They include information such as race or ethnic origin, sexual orientation, and religious beliefs, but also information about the user’s health, for instance.
International laws on data privacy may have different views on sensitive data. However, there is also common ground: all the laws agree that you should collect and process sensitive data only if they are really necessary for your activity. If you do need to collect sensitive information, then you should store it securely and with the utmost care.
Examples of sensitive data
As we mentioned, what is considered sensitive data may differ from law to law. However, Article 9 of the GDPR gives some examples of sensitive data that can apply more broadly.
According to the GDPR, sensitive data can be:
racial or ethnic origin;
religious or philosophical beliefs;
trade union membership;
biometric data: biometrics are human measurements that can lead to a person’s identification. They include things like fingerprints, face recognition, DNA, etc.;
data concerning health;
data concerning a natural person’s sex life or sexual orientation.
Can I process sensitive data?
In general, the collection and processing of sensitive data is allowed but with additional requirements such as higher levels of security, transparency, and accountability. With that said, various laws may have specific requirements – we’ll take a look at the main ones below.
GDPR: under the GDPR, you may only process sensitive data if the user has given explicit and informed consent or if the data is of vital importance in matters of public interest, social security, health, etc. If you collect and process personal data, and particularly if it’s large-scale processing, you need to appoint a Data Protection Officer (DPO) and to carry out a Data Protection Impact Assessment (DPIA).
CCPA & CalOPPA: even though for the CCPA the category of sensitive data falls under the category of regular personal data, you may need to ask the user to opt in when sensitive information is at stake, especially when there are minors involved.
LGPD: like the GDPR, the Brazilian LGPD allows the processing of personal data only if users have given their consent or if consent exceptions apply.
So, here’s what you may need to do to process sensitive information:
Make sure that you absolutely need the data. A key principle of data privacy laws is data minimization – i.e. limiting your processing to only the data you truly need for your purposes. If you’ve determined that you do really need to process this data, then continue to point 2.
Make sure that you’re able to provide the higher levels of security legally required to process this data.
Ensure that you have a proper legal basis to process the data. Under the GDPR this may mean fully informing the user, getting explicit consent from the person, and assigning a DPO – under other laws, it may mean other things.