Definition of Sensitive Data - Services for Research
Sensitive data is defined as any information that is protected against unwarranted disclosure. Protection of data may be required for legal or ethical reasons, for issues pertaining to personal privacy, or for proprietary considerations.
- Human data: e.g. health, genetic and personal information, data that may identify a person
- Ecological data: e.g. location of endangered species or other conservation efforts
- Confidential data: e.g. trade secrets
- Data that is otherwise deemed sensitive
Sensitive personal data
While composing a definitive description of sensitive personal data is hard, there are a few simple guidelines for identifying it, all derived from national and EU legislation. The General Data Protection Regulation (GDPR) lists the following as special category data that is considered especially sensitive (Art. 9 (1), Art. 10):
- racial or ethnic origin;
- political opinions;
- religious or philosophical beliefs, or trade union membership;
- genetic data;
- biometric data for the purpose of uniquely identifying a natural person;
- data concerning health;
- data concerning a natural person's sex life or sexual orientation; or
- data relating to criminal convictions and offences, or related security measures
Note that not all personal data are sensitive: for example, name, address or even social security number are not classified as sensitive. They are still personal data, however, and thus most of the guidelines on the page Managing Sensitive Data still apply.
There are also other national laws that deal with sensitive personal data, such as the Data Protection Act (1050/2018).
Health care data is defined in more detail by the Act on the Status and Rights of Patients (785/1992, 13 §) (in Finnish), which states that information contained in, and derived from, patient documents shall be confidential.
Closely related to health care data is biomedical data. The Biobank Act (688/2012) (in Finnish) indicates that data related to human samples and the processing of those samples shall be confidential.
Other data classified as sensitive
Another, much more diverse topic is documents. For example, agreements, contracts, governmental documents, documents addressed to or in the possession of an authority, etc., may be secret, classified, confidential or otherwise deemed sensitive. The Act on the Openness of Government Activities (621/1999) (in Finnish) covers some of those, but not all. Also, data under a non-disclosure agreement, such as confidential business-related data which, if leaked, could harm the data owner, is deemed confidential.
Sensitive data can also include data that reveals the location of rare, endangered or commercially-valuable species, or other conservation efforts.
Some data collected from Statistics Finland is also sensitive; if you have any data from them, consult Statistics Finland before processing it.
If your data falls under one or more of the categories listed above, it is very likely that your data should be deemed sensitive and processed accordingly.
Read more:
- The EU General Data Protection Regulation (GDPR) defines personal information in its 4th article and the data handling principles in its 5th, 24th and 32nd articles. In its 9th article it defines the special cases, which include for example genomic or biometric data.
- In Finnish: Yleinen tietosuoja-asetus
- Finnish Social Science Data Archive: Anonymisation and Personal Data
- The Finnish National Board on Research Integrity TENK