There is some uncertainty regarding the distinction between personal data and sensitive personal data, and there are even doubts about whether 'sensitive personal data' exists as a defined term. Let's try to bring clarity to the matter by considering the GDPR principles. The previous version of the Data Protection Act (DPA), from 1998, used the term 'sensitive personal data.' With the implementation of the General Data Protection Regulation (GDPR), this term has been replaced with 'special category personal data,' aligning with GDPR principles. Our focus therefore lies on two categories of personal information: personal data and special category data.
Personal data
The GDPR provides a definition of 'personal data' as any information that relates to a natural person (referred to as a 'data subject') who can be identified directly or indirectly. This definition may appear simpler compared to the definition in the DPA 1998. However, the GDPR expands the scope by including various identifiers such as name, online identifiers (like an IP address), and location data.
Under the GDPR, personal data encompasses information about individuals who can be directly identified from the data itself or indirectly identified when combined with other information.
On the other hand, the DPA 2018 defines personal data as information about identified or identifiable living individuals. It further explains that an 'identifiable living individual' refers to a person who can be identified directly or indirectly through identifiers like name, identification number, location data, online identifiers, or specific factors related to their physical, physiological, genetic, mental, economic, cultural, or social identity.
(Note: The term 'natural' instead of 'living' was used in the GDPR to facilitate its translation into multiple European languages.)
Special category data
Data classified as special category data requires enhanced protection due to its sensitive nature. This includes personal information pertaining to an individual's racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, biometric data processed solely for identification purposes, health-related data, and data regarding a person's sex life or sexual orientation. The inclusion of genetic and biometric data as special category data is a new provision under the GDPR.
In the UK, special category data used to encompass information about criminal convictions and alleged criminal offenses. However, this type of data is now treated separately and subject to even stricter controls.
Recognizing the distinction between special category data and other personal data is important because special category data receives additional protection under the law. All categories of personal data can only be processed lawfully if specific conditions, known as "lawful bases," are met and if the processing is deemed necessary. Article 6 of the GDPR outlines six lawful bases for processing personal data.
If the personal data falls within the special category data group, its processing is generally prohibited unless a second condition outlined in Article 9 is met or an exemption applies. It is crucial to understand the definitions because the processing of special category personal data is also subject to additional conditions, safeguards, and exemptions specified in Schedule 1 of the DPA 2018.
Regardless of whether the personal data is considered sensitive or not, it is essential to determine the categories of personal data that will be processed, along with the how and why of the processing. Prior to commencing any processing activities, the lawful basis conditions for both categories of data must be established, documented, and adhered to, which may require the expertise of data protection consulting.