What is the Difference Between Personal Data and Sensitive Personal Data?
TRENDING
PUBLISHED on
22
July
2022
SUMMARY
There is some confusion about the difference between personal data and sensitive personal data and even whether sensitive personal data exists as a term! So, let’s see if we can clarify the situation. Under the old 1998 version of the Data Protection Act (DPA), there was a term ‘sensitive personal data’. Under the GDPR, this is now known as ‘special category personal data’, so we are now concerned with two categories of personal information i.e., personal data and special category data.
Personal data
The GDPR defines ‘personal data’ as any information relating to an identified or identifiable natural person (‘data subject’). At first glance, this is a simpler definition when compared to the definition of personal data in the DPA 1998. However, in effect, the GDPR definition brings a series of identifiers into play including name, online identifiers (such as an IP address) and location data.
Under the GDPR, personal data only includes information relating to natural persons who:
- Can be identified, or who are identifiable, directly from the information in question; or
- Can be indirectly identified from that information in combination with other information.
With the DPA 2018, however, the definition refers to identified or identifiable living individuals and goes on to clarify an ‘identifiable living individual’ as being a living individual who can be identified directly, or indirectly, in particular by reference to:
- An identifier such as a name, an identification number, location data or an online identifier, or
- One or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual.
(Note the word ‘natural’ rather than ‘living’ was used in the GDPR to aid the translation of the term into multiple European languages).
Special Category Data
Special category data, by its very nature, is more sensitive, and so needs more protection. For example, information about an individual’s:
- Racial or ethnic origin, political opinions, religious or philosophical beliefs
- Trade-union membership
- Genetic data, biometric data processed solely to identify a human being
- Health-related data
- Data concerning a person’s sex life or sexual orientation.
Under the GDPR, inclusion of genetic and biometric data is new.
In the UK, special category data previously included information about criminal convictions and alleged criminal offences – this is now treated separately, and its processing is subject to even tighter controls.
But why is it important to recognise the difference? Of course, any category of personal data can be ‘sensitive’ for an individual, but special category data receives additional protection under the legislation. Firstly, all categories of personal data can only be processed lawfully if certain conditions are met and the processing must, in all cases, be necessary. These conditions, commonly known as ‘lawful bases’ are set out in Article 6 of the GDPR and there are 6 to choose from.
If the type of personal data processed falls into the special category data group, its processing is prohibited unless a second condition (set out in Article 9) is also met, or an applicable exemption can be applied. Understanding the definitions is vital, as the processing of special category personal data is also subject to additional conditions, safeguards and exemptions set out in Schedule 1 of the DPA 2018.
So, first and foremost, whether the personal data is sensitive or not, you need to understand what categories of personal data you want to process, how and why. Then, before you begin, you need to determine your lawful basis conditions for processing both categories and ensure you have documented your decisions.
How URM can help?
Consultancy
Do you need assistance in improving your GDPR compliance position?
URM can offer a host of consultancy services to improve your DP policies, privacy notices, DPIAs, ROPAs, data retention schedules and training programmes etc.
Read more
Training
Gain a sound grounding and practical interpretation of the GDPR and the DPA 2018!
By attending URM’s online BCS Foundation Certificate in Data Protection course, you will gain valuable insights into the key aspects of current DP legislation including rights of data subjects and data controller obligations.
Read more
Consultancy
Does your organisation fully comply with the General Data Protection Regulation (GDPR)?
If uncertain, URM is able to conduct a high-level GDPR gap analysis which will assist you understand your current levels of compliance and identify gaps and vulnerabilities.
Read more
related BLog posts
Data Protection
Published on
6/2/2023
Analysis of Fines Imposed by the Information Commissioner’s Office in 2022When looking to comply with the General Data Protection Regulation (GDPR), it is always a worthwhile exercise....
Read more
Data Protection
Published on
3/4/2025
Privacy Policies Explained: Ensuring Transparency Under the GDPRURM’s blog explains the GDPR’s requirements for privacy policies, the common mistakes organisations make with these policies & how to avoid them.
Read more
Data Protection
Published on
22/7/2022
Supply Chain Compliance with the GDPRThis blog focuses on an aspect of the GDPR which can be particularly challenging for a number of organisations.
Read more
We would like to commend the customer service level provided by URM. The assistance and support have been consistently good, and it’s greatly appreciated. The professionalism and promptness with which our Account Manager handles inquiries and issues stands out. Each interaction has been marked by a genuine willingness to help, which has not gone unnoticed. He’s dedicated to providing top-notch service and ensuring customer satisfaction. I look forward to continuing our collaboration and am confident that we will achieve great results together.
contact US
Let us help you
Let us help you in your compliance journey by completing the form and letting us know how we can best support you.