By definition, the GDPR describes personal data as “‘[P]ersonal data’ means any information relating to an identified or identifiable natural person (‘data subject’). “This basically means any information about a person which could be used to identify that person, from their first and last name, to their outer appearance, including features and height.
Sensitive personal data is specific to a set of categories and must be treated with extra security. These categories are:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic data and
- Biometric data (where processed to uniquely identify someone)
Sensitive Data Scenario
What would you do In the below situation?
Your organisation wants you to organise the Christmas party for your office. The venue, photo booth and DJ has been booked and you are now required to confirm your colleagues’ menu selections and dietary requirements.
You send the following email to all those attending:
You ask yourself the question, “are there any privacy concerns?.”
The answer would be, yes.
- Firstly, when emailing a large group of people it is always advisable to use the Bcc field. This helps to eliminate the risk of unintended sharing of excessive information via “Reply all” function.
- Secondly, dietary preferences are personal data and should only be disclosed to others when there is a valid business need for disclosure.
- Moreover, dietary requirements can in some circumstances reveal racial or ethnic origin which falls under sensitive personal data. Information about allergies is also considered sensitive personal data as it concerns an individual’s health. Special care is required when handling this type of data.
- In this case, the information should only be shared with the meeting organiser and NOT with everyone attending.
- Individuals should also be made aware of how their personal data will be processed via a privacy notice.
Things to consider
- Should i use Bcc to send this email?
- When dealing with confidential or personal data via email triple check recipients before “replying all”.
- Educate yourself on what comes under “sensitive personal data” and be sure NOT to share this information with people who don’t need to know.
- Whenever you are asking for personal data be sure to let the person/people know how their personal data will be processed via privacy notice.
- Ensure you have a proportionate business purpose to collect or use the data and only hold the minimum data necessary to perform the activity.
- When it comes to shared storage within your organisation, consider appropriate access controls to ensure data is only made available to those who need access to it. Restrict who can read, edit and download specific to each person and each folder and file.
- Password protect files you are sending and when saving confidential personal data, ensure you “Protect workbook” by “restrict[ing]t access”.