The differences between personal and sensitive information are subtle. Accidental disclosure of either type of data causes fear and inconvenience, but the harm arising from revealed sensitive data is particularly grave.
Australia, the EU, and the UK all recognize this and have designed privacy laws that give sensitive data special consideration and protection. It is good compliance practice to assess whether you collect sensitive data and, if you do, to protect it adequately.
Here are the differences between personal and sensitive information, the laws that apply to each, and how the handling of sensitive information affects your Privacy Policy.
The subtle differences
Personal information is any data that identifies an individual, or from which an individual can reasonably be identified. Full names, home addresses, telephone numbers, dates of birth, email addresses and bank account details all fall under personal information. It is collected far more commonly, since apps and websites often need these details to process payments or maintain subscriptions.
Sensitive information is a subset of personal information. If revealed, it can leave an individual vulnerable to discrimination or harassment. Laws protect personal information as a whole but give extra attention to sensitive information because of the possible impact on a person's livelihood, quality of life, and ability to take part in daily activities.
Race or ethnic origin, religious or philosophical beliefs, political opinions, sexual orientation, criminal history, and trade union or professional association memberships are all considered sensitive information. Any biometric, genetic or health information, including medical history, is also treated as sensitive.
If you ask users for details of this kind, or request medical history, it is likely that you handle sensitive information.
Laws addressing them
Most laws address only personal information without specifically mentioning sensitive information. Sensitive data is then protected only as a subset of personal information, and there are no provisions that require different treatment for it.
However, some laws and regulations name sensitive information specifically and grant it enhanced protection. If you serve users in Australia, the EU or the UK, you need to be careful with your handling of sensitive data.
Australian Privacy Act
Through its 13 Australian Privacy Principles (APPs), the Australian Privacy Act 1988 places stringent obligations on entities that handle sensitive information. The Act's definition of sensitive information is in line with the description above and covers sexual orientation or practices, trade union membership, racial or ethnic origin, health, genetic and biometric information, and other personal details.
The enhanced protection of sensitive information arises from Principles 3, 6, and 7. The guidance accompanying these principles notes that mishandling sensitive information may cause adverse effects for an individual; besides harassment and discrimination, it lists "humiliation or embarrassment" as impacts to avoid.
Under Principle 3, an entity may collect sensitive information only if the collection is reasonably necessary for one of its functions or activities and the individual consents. Personal information that is not sensitive may be collected whenever that necessity standard is met; for sensitive information, the consent must be an explicit "opt in" rather than the passive acceptance implied by someone merely continuing to use a service.
Principle 6 governs use and disclosure. An entity may use or disclose sensitive information only for the primary purpose for which it was collected, unless the individual consents to another purpose or an exception applies.
Exceptions include use or disclosure required or authorised by law or by a court or tribunal order, certain health and safety situations, and a secondary purpose that is directly related to the primary purpose and that the individual would reasonably expect.
The exceptions are loosely enough defined that the safest course of action is to always secure opt-in consent for collecting or sharing sensitive information unless law enforcement or the courts are involved.
Principle 7 restricts direct marketing. Personal information may be used for direct marketing under conditions that include giving the individual a simple way to opt out, but sensitive information may be used or disclosed for direct marketing only if the individual has consented to that specific use; none of the other exceptions apply.
EU Privacy Directive
The EU Privacy Directive (the Data Protection Directive, 95/46/EC) does not use the term "sensitive data," but it singles out particular categories of data for greater protection. It has since been replaced by the General Data Protection Regulation (GDPR), which carries the same special categories forward in its Article 9.
The Directive starts by defining "personal data" in Article 2 as any information relating to a natural person who is identified or identifiable, directly or indirectly. The definition refers to factors specific to a person's physical, physiological, mental, economic, cultural or social identity, aspects that are often described as sensitive data.
Article 8 deals with special categories of data. It requires member states to prohibit the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade-union membership, and of data concerning health or sex life, unless an exception applies. The first exception is the individual's explicit consent. Others include processing necessary to protect the vital interests of the person when they are physically or legally unable to consent, for example in a medical emergency, and processing required by employment law or for legal claims.
While it does not use the term "sensitive data," the Directive is still clear that certain aspects of a person can leave them vulnerable.
If you handle data regarding health, race or ethnicity, or even political opinions, treat it as sensitive data whenever you do business in an EU member state.
Data Protection Act 1998
The Data Protection Act 1998 in the UK specifically references sensitive personal data. Section 2 defines it as information concerning:
- Racial or ethnic origin
- Political opinions
- Religious beliefs or other beliefs of a similar nature
- Trade union membership
- Physical or mental health or condition
- Sexual life
- The commission or alleged commission of any offence, and any related proceedings or sentence.
These are listed separately from the other definitions because sensitive personal data requires particular protection. While other personal data may be processed without explicit consent when another lawful condition is met, an entity may not collect sensitive personal data unless the data subject has given explicit consent or one of a short list of alternative conditions applies.
The exceptions to explicit consent include legal proceedings and the administration of justice, protecting the vital interests of the data subject or another person, obligations connected with employment, medical purposes, and information the data subject has already made public. Even then, the collection must be necessary for a fundamental function of the app or software or to provide the service.
Since the penalties under the Data Protection Act are harsh, most entities err on the side of explicit consent even for less protected personal data. That is a sensible precaution if you collect personal or sensitive data from people in the UK. Note that the 1998 Act has since been replaced by the Data Protection Act 2018 and the UK GDPR, which keep the special-category concept.
Privacy Policy examples
Privacy Policies that address sensitive information specifically are more likely to come from the UK or Australia. They also tend to belong to services and organizations that provide medical research or treatment referrals.
Since the collection and disclosure of sensitive information may lead to unwanted impacts, it is a good idea to address it separately even if the laws that apply to you do not. This keeps you compliant if laws change to better protect sensitive data, and it may reassure your users.
Information collection
A Privacy Policy should state up front whether the organization collects sensitive information. While a section regarding personal information may be fairly general, sections addressing sensitive information are often detailed.
The first example specifically mentions the collection of sensitive information and the exact data requested for research and services.
The National Diabetes Services Scheme (NDSS) takes this approach and emphasizes that the data collection only occurs with explicit user consent.
KPMG, a consulting firm offering services across many industries, also mentions sensitive information. However, it collects it only for specific purposes, such as recruitment.
Those first two examples come from Australian organizations. Companies with an international presence are also careful with sensitive information; one of them is Google.
Google starts by defining sensitive information on a separate page addressing privacy terms.
In its Privacy Policy, Google goes on to explain that it only collects and shares sensitive information if the user consents. Notice that this is explicit "opt in" consent rather than the passive consent implied by a user merely browsing Google websites.
Mentioning sensitive information specifically communicates that you are extra careful with this data. That can help with compliance and leave users less hesitant to share it.
Disclosure
Disclosure of sensitive data also requires explicit consent, and your Privacy Policy should reflect that commitment when it explains how data is disclosed.
NDSS has a practice of not disclosing personal and sensitive information unless the user gives consent. It also makes clear that such disclosure is performed only to provide services.
Mind is a mental health services organization in England. Its Privacy Policy contains a section on sensitive information and addresses disclosure there. The organization collects sensitive information on a voluntary basis and discloses it only to protect the health and safety of the individual and those around them.
This is consistent with the Data Protection Act and is clearly communicated in the Privacy Policy.
Protection
Since many users may be worried about sharing personal and sensitive information, it is a good idea to be detailed about how you protect this data. Privacy Policies for websites and apps that do not collect much data are often general in this section, e.g. "all reasonable security measures."
If you collect sensitive data, you must be more reassuring. Offer details and explain your security measures. Also explain that data is destroyed once it is no longer needed.
A good example is offered by NDSS.
Google also gives details on information protection. It explains encryption, two-step verification options, and its commitment to security.
Mind is less detailed regarding information security. It focuses primarily on deleting data once it is no longer necessary.
The best course of action is to avoid collecting sensitive data at all.
If you can design your app or website to offer its services with a minimum of personal information, that is likely to appeal to users and reduce your data-management obligations.
However, when you offer a health or research service, this option may not be available. In that case, you must be as careful as possible. Consider a thorough Privacy by Design approach and make your practices clear in your Privacy Policy. This will maintain legal compliance in the countries that demand special treatment for sensitive data and put you ahead of the trend as other jurisdictions create more laws focused on consumer privacy.