What makes personal data “sensitive”?
What’s personal data?
The Data Protection Act 1998 (DPA) says that personal data is that which relates to a living individual who can be identified from: (1) that data; or (2) that data and any other information the data controller has in their possession. For DPA purposes, an employer is classed as the data controller and employees as data subjects.
As well as information, personal data can include any expression of opinion or intentions that an employer makes about an employee.
In a nutshell. Any information that relates to an employee and from which they can somehow be identified is always classed as personal data under the DPA.
Sensitive personal data
In addition to personal data, the DPA covers sensitive personal data - which often causes much confusion. Sensitive personal data is really a subcategory of personal data; however, due to its nature, it must be treated with far greater care.
Sensitive personal data can include information about a data subject’s:
- racial or ethnic origin
- political opinions
- trade union membership
- religious beliefs
- other beliefs of a similar nature
- physical or mental health, illness or condition
- sexual orientation
- commission or alleged commission of any criminal offence(s).
Your obligations
There’s a legal presumption that, due to its nature, sensitive personal data can easily be used against the data subject in a discriminatory way. It’s for this reason that it must be treated with much greater care when it’s being processed. Processing personal data means “obtaining, recording or holding the information or data or carrying out any operation on it, including the organisation, alteration, retrieval, use, disclosure or destruction of the information or data”.
Processing data
If you process any sensitive personal data:
- this activity must be absolutely necessary
- you must satisfy at least one of the conditions for processing which apply specifically to sensitive data; and
- you must satisfy one of the general conditions for processing which apply to all types of personal data.
The nature of the sensitive personal data is also a factor in deciding what security is appropriate for you to protect it.
Tip. All of the processing conditions for both types of data are set out in our guidance notes (see The next step). When it comes to sensitive personal data, always consider if it’s absolutely necessary for you to hold it, e.g. must you really know about an employee’s sexual orientation, religion or ethnic origin? The less sensitive personal data you hold about your staff the better.
For free guidance notes on data protection processing conditions, visit http://tipsandadvice-personnel.co.uk/download (PS 17.15.06).