Getting Started

What is Sensitive Personal Data?

Sensitive personal data needs extra protection. Learn what counts, why it matters, and the higher bar for handling it.

Beginner 10 min
This module is general information, not legal advice, and is being reviewed by our legal team. For your specific situation, consult the official Data Protection Act, 2020 or seek professional advice.

What you will learn

  • What sensitive personal data is
  • Why it carries a higher level of risk
  • The stronger conditions for handling it
  • Practical examples across industries

Overview

Some personal data is more sensitive than the rest. If it leaks or is misused, it can expose someone to discrimination, distress, or real harm. The Act recognises this and sets a higher bar for handling it.

This is usually called sensitive personal data (some laws call it special category data).

Why this matters

The consequences of mishandling sensitive data are far more serious than for ordinary contact details. A leaked phone number is a nuisance. A leaked HIV status, religious affiliation, or criminal record can change someone's life. That is why the Act asks you to clear a higher bar before you collect or use it.

Watch out. Holding sensitive data you do not really need is a risk, not an asset. If you do not need it, do not collect it, and securely dispose of what you no longer need.

What the law says

Under the Act (see the definitions in ), sensitive personal data includes information about a person's:

  • physical or mental health
  • racial or ethnic origin
  • religious or other beliefs
  • political opinions
  • membership of a trade union
  • biometric or genetic data used to identify them
  • criminal record or alleged offences
  • sex life

Processing this kind of data generally requires a stronger and more specific justification than ordinary personal data, and stronger security around it.

Legal note. The exact conditions for processing sensitive personal data are detailed in the Act. Where your use is unusual or high-risk, confirm the lawful basis before you proceed.

Real-world examples

  • Healthcare. Diagnoses, test results, and treatment notes are sensitive personal data.
  • Schools. A child's medical conditions, learning needs, or religion are sensitive.
  • Employers. Sick notes, disability information, and union membership are sensitive.
  • Security firms. Fingerprint or facial-recognition systems process biometric data.

Common mistakes

  • Collecting date of birth, religion, or health details "just in case".
  • Storing sensitive data in the same loosely-protected place as ordinary records.
  • Forgetting that photographs and CCTV can reveal sensitive information (for example, someone's race or health condition).

Best practices

  • Identify where sensitive data lives in your business and minimise it.
  • Apply stronger access controls and encryption to it.
  • Be explicit in your privacy notice about any sensitive data you handle and why.

Put this into practice

If you handle health, biometric, or other sensitive data, your privacy notice should say so clearly.

Generate your privacy notice

Frequently asked questions

Yes. Information about a person's physical or mental health is sensitive personal data and needs extra protection.

Key takeaways

  • Sensitive personal data is a special category that can cause greater harm if mishandled.
  • It includes health, race, religion, political views, biometric data, and criminal records.
  • You need a stronger justification to collect or use it, not just a general reason.
  • When in doubt, treat data as sensitive and protect it accordingly.

Related

Ask the Privacy Assistant

Beta