September 1, 2022
What Elements of Personal Data Are Considered Sensitive Data?
Sometimes it feels like a new data privacy law is going into effect nearly every day. It can be challenging for businesses to keep up with the different regulations and requirements and the various penalties for non-compliance. When things are changing rapidly, it’s essential to have good fundamentals.
For data security, that means understanding important concepts—like which parts of personal data are sensitive data.
What Makes Data Sensitive?
Most laws usually treat sensitive data as a subcategory of personal data or personally identifiable information (PII). Personal data can include many different types of information, including names, addresses, phone numbers, browsing history, or other information that relates to an individual or could be used to identify them in their personal or professional life.
However, while keeping data private is important, most jurisdictions recognize that some information could be more easily abused or harmful if processed, mishandled, or leaked. Data that falls into the latter category is often classified as “sensitive data.”
The GDPR in Europe
Unsurprisingly, Europe’s GDPR provides a solid blueprint for what sensitive data is that many other countries have emulated. While it doesn’t explicitly mention “sensitive data,” it does provide a list of “special categories of personal data.” The following items of personal data fall into this category:
- racial or ethnic makeup
- political stance
- religious belief
- trade union membership
- mental or physical health condition
- sexual orientation
- criminal files or court proceedings
- biometric data
- genetic data
At first glance, the items included on this list aren’t very surprising. Relative to something like an email address, many of these items could be far more damaging if leaked. Overall, they fall into three primary categories.
The first category is “physical information.” This includes racial or ethnic makeup, physical and mental health conditions, biometric and genetic data, and sexual orientation. The second includes “political and religious beliefs,” which contains political stances, religious beliefs, and trade union membership. Finally, records related to criminal history or court proceedings also fall into this category.
While not official, these categories are helpful for understanding the reasoning behind placing these kinds of data into a special class.
In theory, these kinds of records are illegal to process in areas covered by the GDPR. However, the law provides a long list of exceptions where the data can be used, including a provision allowing it to be processed “when necessary.” In practice, this often means these kinds of data may be treated the same way as other data under the GDPR.
The CCPA in California
The California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CRPA) cover the data privacy of Californians. Both laws include definitions of “sensitive” data types that deserve additional protection. These include:
- Biometric data (when combined with a name or used to uniquely identify a data subject)
- Contents of email
- Contents of mail
- Credit card numbers
- Debit card numbers
- Driver’s license number
- Ethnic origin
- Racial origin
- Financial account number
- Genetic data
- Medical or health information
- Health insurance information (when used in combination with a name)
- Military identification number (when used in combination with a name)
- Passport number
- Philosophical beliefs
- Precise geolocation
- Religious beliefs
- Sex life
- Sexual orientation
- Social security number
- Tax identification number
- Trade union membership
- Username and password for an online account
Given that there are two laws in play here, it’s not surprising that this list is a bit longer. However, the focus is a bit different from what we see in Europe as well. In addition to information about health, personal beliefs, and physical attributes, there are more entries related to technology. The contents of email, credit card and financial account numbers, usernames, and passwords being labeled as “sensitive” matches California’s reputation as a tech hub. And the inclusion of social security and tax id numbers speaks to a greater concern about identity theft.
The PIPL in China
As with many areas of law, when it comes to personal and sensitive data, China marches to the beat of its own drum. Under the Personal Information Protection Law (PIPL), China defines sensitive data as “Information that, once leaked or illegally used, may lead to personal discrimination or material harm to personal or property security, including race, ethnicity, religious beliefs, individual biometric features, medical health, financial accounts, individual location tracking, and other information.”
This law differs from what came before in that its categorization is far broader. There’s more subjectivity at play here, meaning data processors must be extra careful when dealing with data in China. There’s also an increased penalty for noncompliance compared to many countries, as fines of up to 50,000,000 RMB or up to five percent of annual revenue could be levied on companies who misuse data.
The Trend in Sensitive Data Definitions
One trend that exists when looking at these laws is that the newer the law, the more extensive or the broader its categorization of sensitive data. It’s a safe bet that trend will continue in the future, and more countries adopt data privacy laws for the first time, or update the aging laws they have on the books. This means that companies should start preparing today for the increasing controls on sensitive data that will emerge in the future, so that they don’t get caught flat-footed by the changes and the ever-increasing penalties for noncompliance.
Managing Sensitive Data the Right Way
While these laws are getting more difficult to deal with by the day, the good news is that technology is rising to meet the challenge. Mage’s patented Sensitive Data Discovery tools use Artificial Intelligence and Natural Language Processing to discover sensitive data, even when mislabeled, or presented in an unorthodox manner or location. Plus, the tool comes preconfigured to track which of your users and programs have access to sensitive data, making rights management a breeze. To find out how Mage can better help your company manage its sensitive data, schedule a demo with us today!