Sensitive Personal Data: What is its importance & impact on users?

Sensitive personal data

Knowing the importance of sensitive personal data and the impact it has on users is crucial to digital security. Learn how your sensitive personal data is used and collected.

Knowing the importance of sensitive personal data and the impact it has on users is crucial to digital security. Learn how your sensitive personal data is used and collected.
In a world dominated by different apps, agencies, and organizations constantly collecting and leveraging our data, we’ve become desensitized to constant cookies’ requests and privacy policies. Between the consent forms, browser fingerprinting, and various other collection methods, it’s easy to just click through each ad, app, and e-book, content and sign away our data. But what exactly are those organizations collecting? Personal data comes in one of two categories: personal data and sensitive personal data. Each type of data comes with its own limitations on how it can be collected, how it must be stored and secured, and how it can be used by organizations.

Access premium content without the subscription fees.

What Is Sensitive Personal Data?

Sensitive personal data is data that contains information about a specific person’s race or ethnicity, their political opinions, religious or philosophical beliefs, and personal data concerning a person’s health and sex life. Because of what sensitive personal data can reveal about a person, it must be protected more than other data.

To simplify sensitive personal data even further, it can be looked at as bits of qualitative information that when combined can identify a single living individual. We’re talking about names, home addresses, ID numbers, IP addresses, email, date of birth, etc. For example, there might be a dozen Tom Rogers out there in the world. There might even be two Tom Rogers living in the same address. But, if one is born in 1975 and one in 2005, then organizations can quickly discern who’s who, and even speculate on the relationship between both individuals.

By comparison, sensitive personal data goes beyond those key bits of information and into some of the more foundational elements that shape someone’s identity. Under GDPR guidelines, sensitive personal data includes:

  1. Racial or ethnic origin
  2. Political affiliation
  3. Religious beliefs
  4. Union membership
  5. Genetic data
  6. Biometric data
But not all jurisdictions define sensitive data the same way. In the United States, financial data, student data, credit worthiness, passwords, and even data collected from children qualify as sensitive personal data. Under state breach notification and data security laws, organizations must inform their customers when sensitive personal data has been compromised. Both GDPR and U.S. policy recognizes sensitive personal data as the key building blocks of who someone is—building blocks that, if secured by cyber criminals, make it substantially easier to commit identity theft or fraud.

Sensitive personal data vs personal data

With the digital landscape being a treasure trove of information about everyone and everything, it is important to recognize the differences between sensitive personal data and just personal data in general. 

Personal data is often defined as any piece of general information that can be used to identify a person. This can include anything from a user’s cell phone number, address, age, email and more. Personal data on the smallest scale can even classify if someone is present on a given site or app just based on activity and screen time.

Sensitive personal data differs in that it can not be so readily collected like general personal data. Sensitive personal data requires special handling and collection instructions due to the fact that it offers a more in depth look at who someone is and the information itself is generally more sensitive. For instance, things like ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data relating to a person’s inherited or acquired genetic characteristics, biometric data such as fingerprint, sexual orientation, or data concerning a person’s physical or mental health are all deeply personal peices of information that can be used unethically if not handled properly.

The Rules for Sensitive Personal Data

Because of its appeal to bad actors, sensitive personal data comes with very specific rules for how it can be used by companies. Specifically, GDPR policy requires sensitive personal data to be stored separately from standard personal data and that sensitive information be encrypted and/or pseudonymized, specifically taking the stance that, “The use of pseudonymization in personal data may reduce the risk associated with data management and help controllers and processors to comply with their data protection obligations.”

Pseudonymization strips sensitive personal data of its key identifiers and replaces that information with other artificial identifiers. This separation creates a level of distance between users and their sensitive information and reduces the feasible impact of potential breaches. With that said, pseudonymization is not anonymization. If a cybercriminal were able to secure the right information and had the appropriate time and motivation, pseudonymized data can be reconstructed into a complete profile.
Sensitive personal data also comes with specific rules for how it can be collected by organizations. According to Article 6 of the GDPR, organizations can only collect sensitive data from their customers under one of the following circumstances:
  • To fulfill a contract with the individual.
  • In compliance with a legal obligation.
  • When processing that data is in the individual’s vital interests.
  • To complete official functions and tasks in the public interest.
  • When the individual agrees to a clear description of how that data is collected and used.
  • When a private-sector organization has a legitimate reason to process without consent, as long as it doesn’t overreach on the individual’s rights and freedoms.
Additionally, GDPR Article 9 sets clear expectations for when organizations may collect sensitive personal data, including explicit consent, data collected to accomplish social security or social protection tasks, archiving purposes, and more (you can find the full list of options here) .Organizations must be in accordance with Article 6 and Article 9 to lawfully collect sensitive personal data.
Sensitive personal data can be used most often in medical situations. Often, the data provides a good insight to a background of a patient when needed. Race, genetics, and other biometric data can be useful in maintaining health or creating an accurate diagnostic.
On the other hand, there are some dangerous situations when sensitive personal data is shared. For instance, identity theft is one the most common crimes that comes from the mishandling of sensitive personal data. If a social security number or banking information was stolen, a criminal could use it to apply for unemployment or even open credit in a victims name.
Impact of Sensitive Personal Data

For Users

Of course, there are a variety of niche circumstances highlighted in the GDPR policy, but for most consumers, Articles 6 and 9 highlight one key point:
Organizations can only collect your sensitive personal data under your consent and that consent requires a clear statement of how that data will be collected and how it will be used.
Now, it is important to re-emphasize that while this policy is absolutely the ethical standard for data collection worldwide, it is only federal policy across the European Union. Across the U.S., different states carry varying policies for how sensitive personal data is collected and managed, often referring to personally identifiable information, or PII, based on the industry and the jurisdiction. Some of the more prominent data protection policies include:
  • Gramm–Leach–Bliley Act (GLBA) for financial data.
  • Family Educational Rights and Privacy Act (FERPA) for student data.
  • Health Insurance Portability and Accountability Act (HIPAA) And Health Information Technology for Economic and Clinical Health (HITECH) for healthcare information.
  • Payment Card Industry Data Security Standard (PCI DSS) for credit card data.
Nevertheless, as both consumers and professionals operating in a data-driven world, we must recognize the responsibilities, implications, and expectations that come with how we handle sensitive personal data. Sensitive personal data shouldn’t be disclosed lightly; in fact, because sensitive data is so regulated, it can be incredibly valuable for the right buyer. As consumers, the choice to disclose our sensitive personal data comes down to three variables:
  1. Am I comfortable with how my sensitive personal data is being collected?
  2. Do my values align with how my sensitive personal data is being used?
  3. Do I trust the organization collecting my sensitive personal data to keep my information secure?
If the answer to any of those questions is “no”, or even worse, unclear, then absolutely do not divulge your sensitive personal data in that scenario.
For Organizations
Alternatively, as professionals working in a digital world, we owe it to our customers to treat their data—sensitive or otherwise—with the same care we would our own. The Federal Trade Commission outlines five tips for taking proper care of consumer data:
  1. Know what personal information you have in your files and on your computers.
  2. Keep only what you need for your business.
  3. Protect the information that you keep.
  4. Properly dispose of what you no longer need.
  5. Create a plan to respond to security incidents.
For individuals and organizations considering a sensitive personal data collection effort, it’s important to understand why that data is relevant to your projects. No matter the region, market, or industry, sensitive personal data shouldn’t be collected without a clear purpose.
Today, organizations of all sizes leverage customer data into new revenue streams and expanded product offerings. At Invisibly, we believe that selling your sensitive personal data shouldn’t be the only way for everyday people to get in on the data market. Learn more about how we view your right to personal data privacy in The Invisibly Bill of Rights, or sign up and start earning off your data today..


Use your data to access premium content you love.

Invisibly Mobile App

Subscription-free access to top publishers.

Invisibly Mobile App

More like this

Article Paywall Bypass: Trading Data for News Subscriptions

How to access articles from your favorite news publishers without having to gain access through hundreds of paywalls. ...

How To Get Around News Paywalls

How to access articles from your favorite news publishers without having to gain access through hundreds of paywalls. ...

The Path To Increased Publisher Subscriber Retention

Buying or consuming individual products seems more and more like an antiquated practice. In today’s world, consumer habits keep morphing and evolving into more of ...

The Wall Street Journal Paywall Bypass: No Code, No Tools, No Tricks

Has someone ever sent you a link to read something compelling on The Wall Street Journal, and as soon as you click-through, you’re met with ...

The Importance of Publisher Reader Data

There are few things more important as a publisher than having a true grasp of who your target audience is. Some may say it’s the ...

Publisher Content Insights: Understanding Your Audience

When it comes to developing a content program, publishing high-quality content is only half the battle. In fact, the most important step to nailing your ...