What is classed as Sensitive Personal Data?

Under the GDPR, ‘personal data’ means “any information relating to an identified or identifiable natural person”, and the existing definition under the DPA isn’t much narrower. But there’s another type of personal data, called ‘sensitive’ personal data under the DPA (the GDPR calls it ‘special categories of personal data’), in relation to which extra care must be taken.

Definition under the DPA

Personal data is ‘sensitive’ if it relates to:

  • racial or ethnic origin
  • political opinions
  • religious beliefs
  • trade union membership
  • physical or mental health
  • sex life
  • criminal offences (actual or alleged) and related court proceedings

What does the DPA definition really mean?

A business cannot process any information falling within the list above without taking extra precautions. This is particularly relevant in relation to employees, as many personnel files will contain some of that information about employees, particularly in those industries that are unionised.

Definition under the GDPR

Personal data falls within the GDPR’s ‘special categories’ (Article 9) if it reveals or concerns:

  • racial or ethnic origin
  • political opinions
  • religious or philosophical beliefs
  • trade union membership
  • genetic data, and biometric data where it is processed to uniquely identify someone (eg. fingerprint or facial-recognition templates)
  • physical or mental health
  • sex life or sexual orientation

What does the GDPR definition really mean?

There is no difference in the legal principle – ‘sensitive’ data cannot be processed without complying with extra precautions (and we will cover those additional requirements in next week’s bulletin) – there is simply a slightly different list of information that businesses must keep an eye out for.

What are the significant differences between the DPA and the GDPR?

Information about a data subject’s criminal offences and related proceedings drops out of the ‘sensitive’ list, but it does not become ordinary personal data: the GDPR deals with it separately (Article 10) and permits processing only under the control of official authority or where national law authorises it with appropriate safeguards. Information relating to philosophical beliefs and sexual orientation will now be ‘sensitive’. And for the first time, genetic data and biometric data (where used to identify someone) will also be considered as ‘sensitive’.

What effect will this have on UK businesses?

Probably very little – the steps that businesses should already be taking in relation to ‘sensitive’ personal data will merely need to be expanded to cover any genetic or biometric data that the business holds, and any information in its databases relating to philosophical beliefs and sexual orientation. Information about criminal offences (eg. from pre-employment checks) will continue to need the same care as now, because of the separate restrictions that the GDPR places on it.

What will my business need to do?

First, identify what ‘sensitive’ data your business is already holding, and in relation to whom it is holding that data. And then ensure that your business is complying with those additional requirements that apply to sensitive data.

And secondly, identify if your business holds any genetic or biometric data, or any data about philosophical beliefs or sexual orientation, and simply begin to apply those additional requirements to those other types of data.

Q&As

All my employees have the right to join a trade union – does that mean this applies to me?
Yes. The fact that you record your employees’ trade union membership in a filing system (eg. personnel files, or a database) means that you will be processing ‘sensitive’ personal data and, in relation to that information, you will need to ensure that you are complying with those additional requirements that we’ll explain next week.

To ensure we comply with diversity requirements, I ask all my employees to indicate their ethnic status on job application forms – do I need to do anything with that?
Yes, racial or ethnic origin is considered to be ‘sensitive’ personal data, and the GDPR will not change that. Upon receipt of that information, you must apply those additional requirements.

Can I deliberately try not to collect any ‘sensitive’ personal data from my employees?
If your business can properly function without you holding any ‘sensitive’ data, then yes, that would be one way to avoid having to comply with those additional requirements. However, many businesses would find it hard to properly look after their employees without recording at least one of those categories of ‘sensitive’ data (eg. allergies or known medical issues).

So if an employee tells me that she’s allergic to penicillin, and I note that in her personnel file, that’s ‘sensitive’ data?
Yes, as it relates to physical health.

But surely if my employee agrees that I can retain this information, that’s ok?
Yes, provided you have explained to the employee why you will retain the information and the employee has given explicit consent, that consent is one of the conditions that permit you to process sensitive data under both the DPA and the GDPR. Bear in mind, though, that consent must be freely given and can be withdrawn at any time, and the GDPR is sceptical of consent where there is an imbalance of power, as there usually is between employer and employee. Where another condition for processing applies, it is generally safer to rely on it instead.

But what happens if I cannot get my employee to agree?
Fortunately, there are other options. Both the DPA and the GDPR set out a list of other conditions under which sensitive data may be processed without consent – for example, where the processing is necessary for the employer to comply with its obligations under employment law, or to protect someone’s vital interests where they are unable to consent. We will cover these in next week’s bulletin.

Notes

This briefing is based on the law as it stands in April 2017. It is possible (and, indeed, likely) that, before the GDPR begins to apply on 25 May 2018, the Information Commissioner’s Office will release a number of guidance notes that will help to interpret the GDPR. These guidance notes may offer additional advice for UK businesses, and may even cause some of the information in this briefing to become incorrect. As a result, this briefing does not amount to legal advice and is provided for information purposes only. It should not be regarded as a substitute for taking up-to-date legal advice.