Sensitive personal information

Sensitive personal data or Sensitive personal information is any personal data whose leakage, unauthorized use or abuse may injure a particular person (data subject). The injury may be of a financial, material or psychological nature. Sensitive data is, in some way, an imaginary tip of the iceberg among other personal data (such as name, surname, address).

What data typically belongs to the category of sensitive information?

The decisive factor is the amount of the damage potentially caused to the injured party (a person) by the leakage of such data. For example, leakage of bank account access data, credit card details, or identification data to a system that allows you to execute, approve, or trigger a significant activity, is certainly one of the most dangerous and so is full data about a person allowing a third party to forge identity documents(e.g. photo, name and passport number).

A number of sensitive data is listed by legislation that aims at protecting it (one legislation applies for one particular state, country or community). The list of sensitive personal data can therefore vary from state to state (country to country, community to community).

What is considered the most sensitive personal data?

It is a combination of personal information that allows to falsify the identity of a person or to pass off as a particular person. In a digital environment, such information may be, for example, a combination of credentials (name and password) that are used to identify a person on-line and thus enable to act on one’s behalf. Loss of such data means mostly financial damage or loss of security. In particular, this includes:

• Access data (username and password) to a system that allows to perform financial transactions (e.g. bank account access data, payment gateway access data, etc.)
• System access information that allows to approve or trigger significant activities (e.g. an approval system)
• System access information that allows to enter a restricted area (e.g. a vault, an archive with sensitive data, a sensitive data server, etc.)
• Full passport details (passport number, photograph, name)
• Full personal data (personal ID number, photo, name)
• Biometric data of a particular person

The following data may also be considered sensitive by certain legislations:

• Health information about a particular person
• Personal document number (identity card, passport, etc.)
• Bank account number
• Payment card number
• Racial or ethnic origin
• Political views
• Information on criminal offenses
• Sexual orientation
• Membership in trade unions
• Religious beliefs

What legislation regulates sensitive data processing?

Many states have adopted laws that limit the handling of sensitive personal data. Here’s an overview of the most significant ones:

• Data Protection Act 1998 is a UK-based law implementing the European Directive 95/46 / EC
• Directive 2002/58 / EC (E-Privacy Directive) is the European directive regulating the electronic data processing
• Directive 2006/24 / EC Article 5 (The Data Retention Directive) is the European directive regulating the retention of personal data
• Directive 95/46 / EC Data Protection Directive is the European Directive regulating the personal data protection, which has been replaced by the GDPR
• The Privacy Act of 1974 is the US law governing the personal data processing
• Health Insurance Portability and Accountability Act (HIPAA) is a regulation governing the medical records processing in the United States
• GDPR (General Data Protection Regulation) is the European personal data protection regulation coming to effect on 25 May, 2018.