What is the Difference Between Personal Data and Sensitive Personal Data?

By EmilyGDPR | GDPR in Practice | 6 Oct 2023


There is some uncertainty regarding the distinction between personal data and sensitive personal data, and there are even doubts about whether sensitive personal data exists as a defined term. Let's try to bring clarity to the matter by considering the GDPR principles. The previous version of the Data Protection Act (DPA), from 1998, used the term 'sensitive personal data.' However, with the implementation of the General Data Protection Regulation (GDPR), this term has been replaced with 'special category personal data,' aligning with GDPR principles. Therefore, our focus now lies on two categories of personal information: personal data and special category data.

Personal data

The GDPR provides a definition of 'personal data' as any information that relates to a natural person (referred to as a 'data subject') who can be identified directly or indirectly. This definition may appear simpler compared to the definition in the DPA 1998. However, the GDPR expands the scope by including various identifiers such as name, online identifiers (like an IP address), and location data.

Under the GDPR, personal data encompasses information about individuals who can be directly identified from the data itself or indirectly identified when combined with other information.

On the other hand, the DPA 2018 defines personal data as information about identified or identifiable living individuals. It further explains that an 'identifiable living individual' refers to a person who can be identified directly or indirectly through identifiers like name, identification number, location data, online identifiers, or specific factors related to their physical, physiological, genetic, mental, economic, cultural, or social identity.

(Note: The term 'natural' instead of 'living' was used in the GDPR to facilitate its translation into multiple European languages.)

Special Category Data

Data classified as special category data requires enhanced protection due to its sensitive nature. This includes personal information pertaining to an individual's racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, biometric data processed solely for identification purposes, health-related data, and data regarding a person's sex life or sexual orientation. The inclusion of genetic and biometric data as special category data is a new provision under the GDPR.

In the UK, special category data used to encompass information about criminal convictions and alleged criminal offenses. However, this type of data is now treated separately and subject to even stricter controls.

Recognizing the distinction between special category data and other personal data is of utmost importance due to the heightened level of protection that special category data enjoys under the law. This distinction plays a pivotal role in ensuring that individuals' sensitive information is handled with the utmost care and in compliance with stringent legal requirements.

In the realm of data protection, all categories of personal data must adhere to specific conditions, commonly referred to as "lawful bases," in order to be processed lawfully. These lawful bases serve as the foundation for any data processing activity, emphasizing the necessity of a legal and justified reason for such data handling. Article 6 of the General Data Protection Regulation (GDPR) meticulously delineates the six lawful bases that must be satisfied when processing personal data, thereby underscoring the significance of lawfulness and transparency in data management.

However, special category data attracts a further layer of scrutiny and precaution. Special category data, which encompasses sensitive information like race, religion, health, sexual orientation, and more, is subject to even stricter regulations. Generally, the processing of such data is prohibited unless a secondary condition, as elaborated in Article 9 of the GDPR, is met or unless an exemption applies. This heightened level of scrutiny ensures that sensitive personal information is treated with the utmost care, minimizing the potential for misuse or discrimination.

Moreover, it is essential to grasp these distinctions and definitions because the processing of special category personal data is not only subject to additional conditions but also requires the implementation of safeguards and adherence to specific exemptions. These critical provisions are explicitly outlined in Schedule 1 of the Data Protection Act 2018 (DPA 2018), a supplementary legal framework that complements the GDPR and provides further guidance on the handling of special category data.

Regardless of whether the personal data is considered sensitive or not, it is essential to determine the categories of personal data that will be processed, along with the how and why of the processing. Prior to commencing any processing activities, the lawful basis conditions for both categories of data must be established, documented, and adhered to, which may require the expertise of data protection consulting.



EmilyGDPR

I'm a longstanding GDPR/data protection/privacy specialist with huge experience of both in-house and private practice, gained working across a range of sectors including hi-tech science, media, publishing, higher education and IT.

