Definition of Sensitive Data

Sensitive data is defined as any information that is protected against unwarranted disclosure. Protection of data may be required for legal or ethical reasons, for issues pertaining to personal privacy, or for proprietary considerations. 

  • Human data: e.g. health, genetic and personal information, data that may identify a person
  • Ecological data: e.g. location of endangered species or other conservation efforts
  • Confidential data: e.g. trade secrets
  • Data that is otherwise deemed sensitive

Sensitive personal data

Composing a definitive description of sensitive personal data is hard. However, there are a few simple guidelines for identifying sensitive data, all of which are derived from national and EU legislation. The General Data Protection Regulation (GDPR) lists the following as special category data that is considered especially sensitive (Art. 9 (1), Art. 10):

  • racial or ethnic origin;
  • political opinions;
  • religious or philosophical beliefs, or trade union membership;
  • genetic data;
  • biometric data for the purpose of uniquely identifying a natural person;
  • data concerning health;
  • data concerning a natural person's sex life or sexual orientation; or
  • data relating to criminal convictions and offences, or related security measures.

Note that not all personal data are sensitive. For example, name, address or even social security number are not classified as sensitive, but they are still personal data, and thus most of the guidelines on the page Managing Sensitive Data still apply.

There are also other national laws that deal with sensitive personal data, such as the Data Protection Act (1050/2018).

Health care data is defined in more detail by the Act on the Status and Rights of Patients (785/1992, 13 §) (in Finnish), which states that information contained in, and derived from, patient documents shall be confidential.

Closely related to health care data is biomedical data. The Biobank Act (688/2012) (in Finnish) indicates that data related to human samples and the processing of those samples shall be confidential.


Other data classified sensitive

Another, much more diverse category is documents. For example, agreements, contracts, governmental documents, documents addressed to or in the possession of an authority, etc., may be secret, classified, confidential or otherwise deemed sensitive. The Act on the Openness of Government Activities (621/1999) (in Finnish) covers some of those, but not all. Data under a non-disclosure agreement, such as confidential business-related data which, if leaked, could harm the data owner, is also deemed confidential.

Sensitive data can also include data that reveals the location of rare, endangered or commercially valuable species, or other conservation efforts.

Some data collected from Statistics Finland is also sensitive. If you have any data from Statistics Finland, consult them before processing it.

If your data falls under one or more of the categories listed above, it is very likely that your data should be deemed sensitive and processed accordingly.

