Personal Information vs. Sensitive Personal Information

If your business collects and processes personal data, it’s important to know the difference between personal information and sensitive personal information, since the latter involves additional requirements and security measures.

In this guide, we’ll explain the difference between personal and sensitive personal information, show you examples of sensitive information under different privacy laws, and give you tips on handling sensitive data.


What is Personal Information?

When we talk about personal information in the context of data protection laws, we generally refer to information that relates to an identified or identifiable individual. This definition also includes partial information that, when collected together, can lead to the identification of a person.

Examples of personal information are:

  • Full name
  • Email address
  • Telephone number
  • ID numbers
  • Unique identifiers
  • IP address

and more.

Even pseudonymized or encrypted data can still be personal information if the pseudonymization or encryption can be reversed, for example by whoever holds the key or the lookup table that links the data back to the individual.

Note 💡

Sometimes you may read personal data instead of personal information. Don’t worry: they are the same thing. The use of one term over the other usually depends on the law we are referring to. For example, the EU GDPR uses “personal data”, while the California CCPA uses “personal information”. In this article, we’ll use both terms interchangeably.

What is Considered Sensitive Personal Information?

When we talk about sensitive personal information, we refer to special categories of personal information that should be handled more carefully because they could lead to discrimination or similarly significant consequences for the individual, if shared.

International data privacy laws take different views on what counts as sensitive data. However, they share one common ground: all of them agree that you should collect and process sensitive data only if it is really necessary for your activity. If you do need to collect sensitive information, then you should store it securely and with the utmost care.

What are Examples of Sensitive Personal Data?

Examples of sensitive personal data are:

  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Genetic data
  • Biometric data (biometrics are human measurements that can lead to a person’s identification. They include things like fingerprints, face recognition, DNA, etc.)
  • Data concerning health
  • Data concerning a person’s sex life or sexual orientation

What is the Difference Between Personal Information and Sensitive Personal Information?

As you can see, the main difference between personal information and sensitive personal information lies in their nature and risk level.

Personal information is any data that could lead to the identification of a person, and it is generally considered lower risk. Sensitive personal information, on the other hand, is data that, if disclosed, could cause harm or discrimination. For this reason, sensitive data is subject to stricter legal requirements and needs a higher level of protection.

| Aspect | Personal Information (PI) | Sensitive Personal Information (SPI) |
|---|---|---|
| Nature | Basic identifying data | High-risk, private, or potentially harmful data |
| Risk Level | Low to moderate | High |
| Protection Requirements | Standard measures | Enhanced security and compliance requirements |

Sensitive Personal Information Under Different Privacy Laws

Though very similar, privacy laws around the world have different definitions of what is considered sensitive personal information. Let’s take a closer look.

🇪🇺 The EU’s General Data Protection Regulation (GDPR)

The GDPR defines sensitive data in Article 9, under “special categories of personal data”, as:

  • Racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership.
  • Genetic and biometric data, data concerning health, or a natural person’s sex life or sexual orientation.

🇬🇧 The UK’s Data Protection Act 2018

The DPA 2018 sets out the framework for data protection law in the UK. According to the ICO, it sits alongside and supplements the UK GDPR. Its definition of special category data is the same as the GDPR (listed above).

🇺🇸 US Privacy Laws

The California Privacy Rights Act (CPRA)

The CPRA is an amendment to the CCPA, which was initially developed to regulate the collection and sale of consumers’ personal information in California.

Among other things, the CPRA introduced a new category of protected data: sensitive personal information (SPI). This idea is similar to the GDPR’s special categories mentioned above and requires a higher level of protection.

The Virginia Consumer Data Protection Act (VCDPA)

The VCDPA is the privacy law of the Commonwealth of Virginia. It states that a business cannot process sensitive data concerning a consumer without obtaining the consumer’s prior consent (opt-in).

It defines sensitive data as a category of personal data that includes:

  • Personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status.
  • The processing of genetic or biometric data for the purpose of uniquely identifying a natural person.
  • The personal data collected from a known child.
  • Precise geolocation data.

The Colorado Privacy Act (CPA)

The Colorado Privacy Act governs the processing of personal and sensitive data in the State of Colorado. Like in Virginia, consent (opt-in) is required before processing any sensitive data and controllers are required to conduct data protection assessments.

The definition of sensitive data under the CPA is very similar to the VCDPA’s:

  • Personal data revealing racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, sex life or sexual orientation, or citizenship or citizenship status.
  • Genetic or biometric data that may be processed for the purpose of uniquely identifying an individual.
  • Personal data from a known child.

That’s not all!

There are many more privacy laws in effect in the US, each with its own definition of sensitive personal information. Check our full overview here 👉 US State Comparison

🇧🇷 The Brazilian Lei Geral de Proteção de Dados Pessoais (LGPD)

The LGPD identifies sensitive data as a special category of personal data. Sensitive data is any data related to racial or ethnic origin, religious belief, political opinion, health or sexual life data; or data that allows the unequivocal and persistent identification of the user, such as genetic or biometric data.

How to Handle Sensitive Data

If your business collects and processes sensitive data, you may need to take extra steps to make sure you’re storing it securely.

Here’s what you may need to do:

1. Make sure that you absolutely need the data

A key principle of data privacy laws is data minimization, that is limiting your processing to only the data you truly need for your purposes.

The first thing you need to do, before you start collecting sensitive data, is to have a precise idea of your processing activities. This step is useful because it clarifies exactly how you’re going to use the data. Keeping accurate records of your processing activities can help you here, because you can go back to them whenever you need to.

After going through your records, you will know the amount of data you need to fulfill your purposes, and how long you’ll need to store them.

If you’ve determined that you do need to process sensitive personal information, then continue to point 2.

2. Define what law applies to you and meet its specific requirements

Each privacy law has different requirements, even when it comes to sensitive information.

  • For example, under the GDPR you need to fully inform your users that you collect their sensitive data, get explicit consent to be able to process it, appoint a Data Protection Officer (DPO), and carry out a Data Protection Impact Assessment (DPIA) if you also perform processing on a large scale.
  • On the other hand, under the CPRA, you still need to fully inform your users that you collect their sensitive personal information, and you must provide a clear and visible link, “Limit the use of my Sensitive Personal Information”, on your homepage.

If you’re not sure what to do, the safest approach would be to follow the strictest requirements.


3. Provide the highest levels of security legally required

Storing personal data safely is key to compliance with privacy laws, especially when it comes to sensitive personal data.

Here are a few tips:

  • Encrypt your data: Encrypted data cannot be read without the proper key. If a data breach were to happen, an attacker who obtains only the ciphertext would not be able to tell what the data is about. Remember to always store your encrypted data and its encryption keys in different places (for example, data in one system and keys in a separate key management service or hardware security module); if the keys sit next to the data they protect, a single breach exposes both and the encryption is useless.
  • Invest in your security system and train your staff: Everyone involved in the process should know how to handle sensitive data.
  • Be careful when using external storage platforms: If you use external storage platforms like Google Drive or Dropbox, it is considered a best practice to add extra layers of security to your files before uploading them, for example by encrypting them yourself first so that the provider only ever holds ciphertext.
  • Consider hiring a security expert, especially if you’re performing large-scale processing of sensitive data.

Conclusion

Sensitive personal information needs to be processed in the safest way possible, to avoid its unwanted disclosure. Remember that sharing this information could potentially lead to harm and discrimination, so make sure that you really need this data before starting to process it.

How iubenda can help

Complying with data protection laws can be challenging, but not with the right tools!

Here’s how iubenda can help if you’re processing sensitive data:

  • Our Privacy and Cookie Generator makes it easy to add legally required disclosures and add information related to your assigned Data Protection Officer and much more.
  • Our Register of Data Processing Activities also helps you to keep track of your processing activities and the purposes and legal bases attached to them, as legally required.
