DATA PROTECTION - 02.09.2015

What makes personal data “sensitive”?

Under the Data Protection Act 1998 there are two types of data - “personal data” and “sensitive personal data”. What’s the difference between the two and how can you be sure that you’re handling each type correctly?

What’s personal data?

The Data Protection Act 1998 (DPA) says that personal data is that which relates to a living individual who can be identified from: (1) that data; or (2) that data and any other information the data controller has in their possession. For DPA purposes, an employer is classed as the data controller and employees as data subjects.

As well as information, personal data can include any expression of opinion or intentions that an employer makes about an employee.

In a nutshell. Any information that relates to an employee and from which they can somehow be identified is always classed as personal data under the DPA.

Sensitive personal data

In addition to personal data, the DPA covers sensitive personal data - which often causes much confusion. Sensitive personal data is really a subcategory of personal data; however, due to its nature, it must be treated with far greater care.

Sensitive personal data can include information about a data subject’s:

  • racial or ethnic origin
  • political opinions
  • trade union membership
  • religious beliefs
  • other beliefs of a similar nature
  • physical or mental health, illness or condition
  • sexual orientation
  • commission or alleged commission of any criminal offence(s).

Your obligations

There’s a legal presumption that due to its nature sensitive personal data can easily be used against the data subject in a discriminatory way. It’s for this reason that it must be treated with much greater care when it’s being processed. Processing personal data means “obtaining, recording or holding the information or data or carrying out any operation on it, including the organisation, alteration, retrieval, use, disclosure or destruction of the information or data” .

Processing data

If you process any sensitive personal data:

  • this activity must be absolutely necessary
  • you must satisfy at least one or more of the conditions for processing which apply specifically to sensitive data; and
  • satisfy one of the general conditions for processing which apply to all types of personal data. The nature of the sensitive personal data is also a factor in deciding what security is appropriate for you to protect it.

Tip. All of the processing conditions for both types of data are set out in our guidance notes (see The next step ). When it comes to sensitive personal data always consider if it’s absolutely necessary for you to hold it, e.g. must you really know about an employee’s sexual orientation, religion or ethnic origin? The less sensitive personal data you hold about your staff the better.

For free guidance notes on data protection processing conditions, visit http://tipsandadvice-personnel.co.uk/download (PS 17.15.06).

Personal data is any information which can be used to identify an individual. It becomes classed as sensitive where it can be used in a discriminatory way, e.g. it relates to sexual orientation, health, religion, etc. Our guidance notes explain how to handle each type lawfully.

© Indicator - FL Memo Ltd

Tel.: (01233) 653500 • Fax: (01233) 647100

subscriptions@indicator-flm.co.ukwww.indicator-flm.co.uk

Calgarth House, 39-41 Bank Street, Ashford, Kent TN23 1DQ

VAT GB 726 598 394 • Registered in England • Company Registration No. 3599719