Getting Started
What is Sensitive Personal Data?
Sensitive personal data needs extra protection. Learn what counts, why it matters, and the higher bar for handling it.
What you will learn
- What sensitive personal data is
- Why it carries a higher level of risk
- The stronger conditions for handling it
- Practical examples across industries
Overview
Some personal data is more sensitive than the rest. If it leaks or is misused, it can expose someone to discrimination, distress, or real harm. The Act recognises this and sets a higher bar for handling it.
This is usually called sensitive personal data (some laws call it special category data).
Why this matters
The consequences of mishandling sensitive data are far more serious than for ordinary contact details. A leaked phone number is a nuisance. A leaked HIV status, religious affiliation, or criminal record can change someone's life. That is why the Act asks you to clear a higher bar before you collect or use it.
What the law says
Under the Act (see the definitions in ), sensitive personal data includes information about a person's:
- physical or mental health
- racial or ethnic origin
- religious or other beliefs
- political opinions
- membership of a trade union
- biometric or genetic data used to identify them
- criminal record or alleged offences
- sex life
Processing this kind of data generally requires a stronger and more specific justification than ordinary personal data, and stronger security around it.
Real-world examples
- Healthcare. Diagnoses, test results, and treatment notes are sensitive personal data.
- Schools. A child's medical conditions, learning needs, or religion are sensitive.
- Employers. Sick notes, disability information, and union membership are sensitive.
- Security firms. Fingerprint or facial-recognition systems process biometric data.
Common mistakes
- Collecting date of birth, religion, or health details "just in case".
- Storing sensitive data in the same loosely-protected place as ordinary records.
- Forgetting that photographs and CCTV can reveal sensitive information (for example, someone's race or health condition).
Best practices
- Identify where sensitive data lives in your business and minimise it.
- Apply stronger access controls and encryption to it.
- Be explicit in your privacy notice about any sensitive data you handle and why.
Put this into practice
If you handle health, biometric, or other sensitive data, your privacy notice should say so clearly.
Generate your privacy noticeFrequently asked questions
Key takeaways
- Sensitive personal data is a special category that can cause greater harm if mishandled.
- It includes health, race, religion, political views, biometric data, and criminal records.
- You need a stronger justification to collect or use it, not just a general reason.
- When in doubt, treat data as sensitive and protect it accordingly.
