What is Sensitive Personal Data?

Information on health, race/ethnic origin, sexual orientation, and religious and political beliefs are among a special category of data that have been classified as sensitive personal data under the EU’s General Data Protection Regulation (GDPR) and are given a higher degree of protection. This installment of The eData Guide to GDPR discusses how sensitive personal data is defined, under what conditions it can be processed, and what steps businesses can take to ensure compliance with the GDPR’s special protections of sensitive personal data.

Sensitive personal data is a special category of data identified under Article 9 and Recital 51 in the GDPR. This data requires a higher degree of protection due to the nature of the information and because the processing of the information could create “significant risks to the fundamental rights and freedoms” of the data subject. [1]

Specifically, Article 9 identifies the following categories of data that merit special protection as sensitive personal data: health information, race/ethnic origin, sex life or sexual orientation, religious and political beliefs, genetic and biometric data, and trade union membership. (Note that this is the first time biometric and genetic data are given special protection in the European Union. The other categories of data listed in Article 9 were previously protected as sensitive personal data in the EU’s superseded 1995 Data Protection Directive). Processing of these categories of data is therefore prohibited, absent the specific exceptions identified in Article 9.

Lawful processing of sensitive personal data is only permitted under Article 9 in one of the following circumstances:

• The data subject gives explicit consent, pursuant to individual member state laws
• Processing is necessary for the purposes of carrying out the obligations in the field of employment, social security or social protection, or collective agreement authorized by individual member state law
• Processing is necessary to protect the vital interests of a data subject who is physically or legally incapable of giving consent
• Processing is carried out in the course of the legitimate activities (with appropriate safeguard) of a foundation, association or any other not-for-profit body with a political, philosophical, religious, or trade union aim[2]
• The data subject previously made the data at issue public
• Processing is necessary for the establishment, exercise, or defense of legal claim either brought by or defended against by the data subject
• Processing is necessary in furtherance of a substantial public interest with specific protections[3]
• Processing is necessary for the purposes of preventive or occupational medicine, to assist in medical determinations or more general health issues as permitted by law or through a contract with medical provider
• Processing is necessary to protect the public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety in health care, etc.
• Processing is necessary to protect public interest in the area of scientific or historic research purposes[4]

The European Commission provides a few example scenarios of what type of data falls within the sensitive personal information data categories, and when processing that data would be lawful:

A doctor logging a patient’s visit and including descriptions of symptoms and medications prescribed. The description of symptoms and medication in this example are sensitive personal health data, and the physician’s office would need to meet one of the exceptions listed in Article 9 in order to lawfully process this data. The commission explains that processing sensitive personal data in this scenario is lawful because it meets the medical exception. The processing of that information is necessary to treat the person and is “carried out under the responsibility of a doctor who is subject to an obligation of professional secrecy”.

The National Statistics Office (a state entity) conducting a public census where a person is obliged to respond by completing an online survey that includes fields such as sex and racial or ethnic origin. Race and ethnic origin information clearly falls within the special category of sensitive personal information. The commission explains that collection of this information is lawful in this situation because it meets the Article 9 public interest exception. “The survey is based on a law which serves a public interest aim and contains safeguards to protect your sensitive data (for example, the data is only accessed by authorised recipients working on the census) your sensitive personal data can be processed by the National Statistics Office.”

A dress company, in order to tailor its services to the specific interests of its clients, asks customers to fill out an online form providing information about sizes, preferred color, payment method, and name and address for delivery. The company also includes a section asking about the customer’s political beliefs. Political belief information clearly falls within the special category of sensitive personal information. The commission explains that it would not be lawful to process that information in this scenario. While the business needs the majority of the information listed in order to fulfill its side of the contract, “the clients’ political views are not a requirement to make and deliver their dresses” and therefore the company cannot lawfully process that information.

A car sharing company can require a customer’s name, address, credit card, and possibly even whether the person has a disability (the disability information would be considered sensitive personal health information under Article 9). However, the company cannot lawfully require a person to disclose his or her racial origin (also considered sensitive personal information under Article 9). The commission explains that, like the example above, the racial origin of a customer is irrelevant to the service being provided by the company, and therefore cannot be lawfully processed as sensitive personal information. “It’s your company/organisation's responsibility as controller to assess how much data is needed and ensure that irrelevant data isn’t collected.”

While these are somewhat straightforward examples using easily identifiable sensitive personal information (race, political beliefs, etc.), the GDPR’s addition of biometric and genetic data to the sensitive personal data category may blur the boundary between specially protected information and regularly protected personal data. The GDPR defines biometric data as “any personal data relating to the physical, physiological, or behavioral characteristics of an individual which allows their unique identification.”[5] Recital 51 provides some guidance on the subject by explaining that the processing of photographs, for example, “should not systematically be considered to be processing of special categories of personal data, as they are covered by the definition of biometric data only when processed through a specific technical means allowing the unique identification or authentication of a natural person.” Conceivably, though, other types of data may now fall into the “sensitive personal information” category via the inclusion of biometric and genetic data. For example, geo-location data collected by a phone application might be considered biometric data because it relates to the physical and, depending on whether the application is tracking a person’s location patterns, behavioral characteristic of an individual. To add to the confusion, Article 9(4) states that member states can maintain or introduce further conditions and restrictions with regard to the processing of genetic, biometric, and health data. Thus, businesses should be aware that the law in this area is vague and may vary among countries.

However, businesses that collect personal data can generally take steps to ensure compliance with Article 9’s special protections of sensitive personal data:

• Identify any type of activity that may result in the collection of information identified in Article 9 as sensitive personal data (for example, questions posed to customers via a survey or online form that ask about the customer’s health or religious beliefs)
• If that information is not necessary to achieve one of the lawful processing exceptions identified in Article 9, that data should not be collected or processed (i.e., a question related to health or religious beliefs should be removed from a customer survey if there is no lawful reason to process that data under Article 9)
• If the business entity concludes that it can lawfully collect and process specific sensitive personal data under Article 9, it must explicitly identify the Article 9 exception with which the processing complies.[6] It must also ensure that only the type of data that fits within the exception is processed (i.e., if the business believes it is necessary to collect the health data of an employee in order to carry out its employment duties under the law, it should explicitly identify that reason upon collection. It should also ensure that only the specific data that is needed to perform its employment duties is processed)
• If sensitive personal data is lawfully collected under Article 9, the entity should ensure that it is safely encrypted while it has possession and that it is destroyed immediately after the reason for its collection has ended, in concordance with Recital 51’s call for special protection and risks related to this special category of data