Personal information is information that can be used to identify an individual. Sensitive information is a subset of personal information that the law protects more strongly, because its disclosure can expose the individual to greater harm. For example, personal information includes your last name or email address; sensitive information includes your political affiliation or criminal history.
The line between personal and sensitive information can be subtle. Accidental disclosure of either kind causes fear and inconvenience, but the consequences of revealed sensitive data are particularly grave.
This article explores the differences between personal and sensitive information, the laws that govern each, and how handling sensitive information affects the content of your Privacy Policy.
Personal information is data that identifies an individual. Full names, home addresses, telephone numbers, dates of birth, email addresses and bank account details all fall under personal information. It is the more commonly collected category, since apps and websites often need these details to process payments or maintain subscriptions.
Sensitive information is a type of personal information. If revealed, it can leave an individual vulnerable to discrimination or harassment. Laws protect personal information as a whole, but add extra focus to sensitive information because of possible impacts to a person's livelihood, quality of life, and ability to participate in daily activities.
Race or ethnic origin, religion, political affiliations, sexual orientation, criminal history, and trade union or association memberships are all considered sensitive information. Any information about biometrics, genetics or medical history is also treated as sensitive information.
If you collect details that are more personal to your users, or request medical history, you probably handle sensitive information.
Most laws address only personal information, without specific mention of sensitive information. Sensitive data is protected as personal data, and there are no provisions that require different treatment for it.
However, there are laws and regulations that mention sensitive information specifically and grant it enhanced protection. Let's look at a few of them.
The GDPR refers to sensitive personal information as "special categories of personal data" and lists them in Article 9(1):
Under Article 9, processing this type of data is prohibited unless one of the specific conditions set out in Article 9(2) applies. These conditions include, but are not limited to, the following:
Within its 13 Australian Privacy Principles, the Australian Privacy Act 1988 places stringent obligations on entities that handle sensitive information. The Act's definition of sensitive information is in line with the description above and includes information about sexual orientation, trade union membership, race and ethnicity, and other personal details.
The enhanced protection of sensitive information comes from Principles 3, 6 and 7. The rationale is that mishandling sensitive information may lead to adverse effects for an individual: besides harassment and discrimination, "humiliation or embarrassment" are cited as impacts to avoid.
Under Principle 3, an entity may collect personal information only if it is reasonably necessary for one of its functions or activities. Sensitive information must meet that same standard and, in addition, the individual must consent to the collection through an explicit "opt in" rather than a passive acceptance.
Principle 6 re-emphasizes consent: sensitive information may be used or disclosed only for the primary purpose for which it was collected, unless the individual consents to another use or an exception applies.
Exceptions include a requirement of a court or tribunal, disclosure in permitted health situations, and a use or disclosure that the individual would reasonably expect and that is directly related to the primary purpose of collection.
The exceptions are broad enough that the safest course of action is to always secure opt-in consent for collecting or sharing sensitive information unless law enforcement or the courts are involved.
Principle 7 restricts direct marketing. Personal information may be used for direct marketing under the conditions the principle sets out, which for some collections include an opt-out. Sensitive information may be used or disclosed for direct marketing only if the individual has consented to that specific use; there is no opt-out route for sensitive information.
The EU Data Protection Directive (95/46/EC) does not use the term "sensitive data" in its operative articles, but it singles out particular categories of data for greater protection. (The Directive has since been replaced by the GDPR, which applies from 25 May 2018; the points below still show how the category was drawn.)
It starts by defining "personal data" in Article 2 as any information relating to a person who can be identified, directly or indirectly. The definition refers to factors specific to the person's physical, physiological, mental, economic, cultural or social identity, aspects that often overlap with sensitive data.
Article 8 addresses "special categories of data". It requires member states to prohibit the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade-union membership, and of data concerning health or sex life, unless an exception applies. Explicit consent from the individual is the first exception; others include processing necessary to protect the vital interests of the person when they are unable to consent, such as a medical emergency. Data on offences and criminal convictions is handled under a separate rule in the same article.
While it does not use the term "sensitive data," the directive is still clear that certain aspects of a person can leave them vulnerable.
If you are handling data regarding health, race or ethnicity or even political opinions, consider that sensitive data whenever you transact business in an EU member state.
The UK Data Protection Act 1998 specifically references sensitive data. (It has since been replaced by the Data Protection Act 2018, which supplements the GDPR in the UK, but its approach is instructive.) Section 2 defines "sensitive personal data" as information concerning:
This is presented separately from the other definitions because sensitive data requires particular protection. While other personal data may be processed without explicit consent when another condition is met, sensitive personal data may be processed only with explicit consent or under one of the narrower conditions in Schedule 3 of the Act.
Those exceptions to explicit consent include legal proceedings, protecting the vital interests of the data subject, obligations connected with employment, medical purposes, and cases where the data subject has already made the information public. Even then, the collection must be tied to a core function of the app or service, or be necessary to provide it.
Since the penalties under the Act are harsh, most entities err on the side of explicit consent, even for less-protected personal information. That is a sensible precaution if you collect personal or sensitive data from people in the UK.
Since the collection and disclosure of sensitive information may lead to unwanted impacts, it is a good idea to address it separately even if the laws affecting you do not address it directly. This assures compliance if laws change to better protect sensitive data and may reassure your users.
Here are some types of clauses where you can disclose your collection or use of sensitive information.
Indicate whether or not you collect sensitive information. While a section regarding personal information may be fairly general, sections addressing sensitive information are often more detailed.
Here's how the National Diabetes Services Scheme (NDSS) includes a list of the sensitive personal information it may collect, as a section within a clause titled "What personal information may be collected:"
KPMG, a consulting firm offering services throughout many industries, also mentions sensitive information in a separate paragraph at the end of its clause that discloses what information it collects. It includes examples of what it may collect, and what it may be used for:
Google defines sensitive information on its Privacy Policy Key Terms page:
In its Privacy Policy, Google explains that it will ask for explicit consent before ever sharing any sensitive information of its users:
Mentioning sensitive information specifically communicates that you are extra careful with this data. That can help with compliance issues and leave users less hesitant to share it.
If you share or disclose sensitive information, you must disclose this in your Privacy Policy and also get consent to do so.
Your Privacy Policy should state this commitment in the section that explains how data is disclosed.
Mind is a mental health services organization in England. Its Privacy Policy contains a section on sensitive information and addresses disclosure there:
Since many users may be worried about sharing personal and sensitive information, it is a good idea to be detailed about how you protect this data. Privacy Policies involving websites and apps that do not collect much data are often general in this section, e.g. "all reasonable security measures."
If you collect sensitive data, you must be more reassuring.
Offer specifics: name the security measures you use, and state that data is destroyed once it is no longer needed.
A good example is offered by NDSS:
Google also gives a good amount of details on information protection. It mentions its use of encryption, two-step verification options, and other methods of keeping data as secure as possible:
The best course of action is to avoid collecting sensitive data if possible.
If you can design your app or website to offer its services while collecting the minimum of personal information, that is likely to appeal to users and reduce your data-management obligations.
However, when you offer a health or research service, this option may not be available and you may have to collect some forms of sensitive personal information. In that case, you must be as careful as possible.
Consider a thorough Privacy by Design approach and make your practices regarding the collection, use, sharing and securing of sensitive information very clear in your Privacy Policy.
This will maintain legal compliance in the jurisdictions that demand special treatment for sensitive data and put you ahead of the trend as other jurisdictions create more consumer-privacy laws.
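As an added example (not code from this article or from any of the policies it quotes), here is a small Python store that enforces the practices above at the data layer rather than only in policy text: it rejects fields the schema never declared (minimisation), refuses sensitive fields unless an explicit, purpose-bound opt-in accompanies them, releases sensitive fields only for a purpose the subject consented to (so a direct-marketing lookup never sees them), and destroys records once a retention period has passed. The field names, the purpose labels, the 30-day retention and the sample submission are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, Optional, Set

# Hypothetical field classification for a health-research sign-up form (assumption, not from the article).
PERSONAL_FIELDS: Set[str] = {"email", "full_name", "phone"}
SENSITIVE_FIELDS: Set[str] = {"health_condition", "ethnicity", "religion", "union_membership"}


class ConsentRequired(Exception):
    """Sensitive fields were submitted without an explicit, purpose-bound opt-in."""


class PurposeNotPermitted(Exception):
    """Sensitive fields were requested for a purpose the subject did not opt in to."""


@dataclass
class Record:
    data: Dict[str, str]
    consented_purposes: Set[str]  # purposes the subject explicitly opted in to for sensitive fields
    collected_at: datetime


class SubjectStore:
    """In-memory store enforcing minimisation, opt-in consent, purpose limitation and retention."""

    def __init__(self, retention: timedelta) -> None:
        self.retention = retention
        self._records: Dict[str, Record] = {}

    def collect(self, subject_id: str, fields: Dict[str, str],
                consented_purposes: Iterable[str] = (), now: Optional[datetime] = None) -> None:
        now = now or datetime.now(timezone.utc)
        # Minimisation: anything the schema never declared is refused rather than stored "just in case".
        unknown = set(fields) - PERSONAL_FIELDS - SENSITIVE_FIELDS
        if unknown:
            raise ValueError(f"undeclared fields rejected: {sorted(unknown)}")
        consented = set(consented_purposes)
        sensitive = set(fields) & SENSITIVE_FIELDS
        # Opt-in: sensitive fields need an explicit consent naming a purpose; silence is not consent.
        if sensitive and not consented:
            raise ConsentRequired(f"explicit opt-in required for {sorted(sensitive)}")
        self._records[subject_id] = Record(dict(fields), consented, now)

    def read(self, subject_id: str, purpose: str, wanted: Iterable[str]) -> Dict[str, str]:
        """Return the requested fields, releasing sensitive ones only for a consented purpose."""
        rec = self._records[subject_id]
        requested = set(wanted)
        sensitive = requested & SENSITIVE_FIELDS
        # Purpose limitation: "direct_marketing" sees sensitive data only if the subject opted in to it.
        if sensitive and purpose not in rec.consented_purposes:
            raise PurposeNotPermitted(f"{sorted(sensitive)} not consented for purpose {purpose!r}")
        return {k: v for k, v in rec.data.items() if k in requested}

    def erase(self, subject_id: str) -> bool:
        """Honour a deletion request; True if a record existed."""
        return self._records.pop(subject_id, None) is not None

    def purge_expired(self, now: Optional[datetime] = None) -> int:
        """Destroy records held for the full retention period; returns how many were removed."""
        now = now or datetime.now(timezone.utc)
        expired = [sid for sid, rec in self._records.items() if now - rec.collected_at >= self.retention]
        for sid in expired:
            del self._records[sid]
        return len(expired)

    def __contains__(self, subject_id: str) -> bool:
        return subject_id in self._records


def run_demo() -> Dict[str, object]:
    """Walk one constructed subject through the policy and return the observable outcomes."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed timestamp
    store = SubjectStore(retention=timedelta(days=30))
    submission = {"email": "a@example.com", "health_condition": "type 1 diabetes"}  # constructed sample
    out: Dict[str, object] = {}
    try:
        store.collect("u1", submission, now=t0)  # no opt-in supplied
        out["no_consent_rejected"] = False
    except ConsentRequired:
        out["no_consent_rejected"] = True
    try:
        store.collect("u1", {"email": "a@example.com", "shoe_size": "42"}, ["service_delivery"], t0)
        out["undeclared_rejected"] = False
    except ValueError:
        out["undeclared_rejected"] = True
    store.collect("u1", submission, consented_purposes=["service_delivery"], now=t0)
    out["service_read"] = store.read("u1", "service_delivery", ["email", "health_condition"])
    out["marketing_read"] = store.read("u1", "direct_marketing", ["email"])
    try:
        store.read("u1", "direct_marketing", ["email", "health_condition"])
        out["marketing_sensitive_blocked"] = False
    except PurposeNotPermitted:
        out["marketing_sensitive_blocked"] = True
    out["purged_early"] = store.purge_expired(now=t0 + timedelta(days=10))
    out["purged_at_limit"] = store.purge_expired(now=t0 + timedelta(days=30))
    out["still_present"] = "u1" in store
    return out


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The point of the design is that consent is recorded per purpose, not as a single flag: a subject who opted in to sensitive processing for service delivery has not opted in to direct marketing, and the store refuses that read instead of relying on every caller to remember the rule. The retention purge gives the "data is destroyed once it is no longer needed" sentence in your Privacy Policy something concrete behind it.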