Definition of Sensitive Data
Sensitive data refers to information that is classified for restricted dissemination for legal, ethical, privacy or proprietary reasons. Its protection is essential to prevent unauthorised disclosure. Sensitive data includes:
- some personal data (see below);
- environmental data (e.g. location of endangered species or other conservation efforts);
- confidential data (such as trade secrets); and
- data that is otherwise considered sensitive.
All such data should be handled properly and carefully, and a great deal of thought should be given to data management planning before the research begins. A good data management plan should consider how the data is collected, where it is stored and how it is protected, who has access to it, and what happens when the data is no longer needed.
Personal data
Processing of personal data is regulated by the General Data Protection Regulation (GDPR) and by national laws, such as Laki yksityisyyden suojasta työelämässä (13.8.2004/759), Laki sähköisen viestinnän palveluista (7.11.2014/917), or Tietosuojalaki (5.12.2018/1050).
Not all personal data is sensitive. For example, name, address, or even social security number are not considered sensitive personal data. However, such personal information should still be handled carefully. The general guidelines for managing all sensitive information apply equally to personal data, but some personal data is subject to a number of strict rules.
Sensitive personal data
The following are listed as special categories of personal data by the General Data Protection Regulation (GDPR, Art. 9 (1), Art. 10) and, as such, are sensitive personal data:
- racial or ethnic origin;
- political opinions;
- religious or philosophical beliefs, or trade union membership;
- genetic data;
- biometric data for the purpose of uniquely identifying a natural person;
- data concerning health;
- data concerning a natural person's sex life or sexual orientation; and
- data relating to criminal convictions and offences, or related security measures.
The processing of sensitive personal data is prohibited by default unless there are valid legal grounds: consent, performance of a contract, legitimate interest, vital interest, legal requirement and public interest.
For such processing, the Regulation clearly defines the responsibilities of
- a data controller: a natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; and
- a data processor: a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller.
CSC's role is always to act as a data processor for your research data, providing you with the services you need for your research.
Health and social data
In Finland, the secondary use of health and social data is regulated by a separate act, the Act on the Secondary Use of Health and Social Data (26.4.2019/552).
The Act and the derived regulation apply when health and social information is collected and stored in a register (for example, during an examination in health services or when applying for social benefits) and the original information is then used for another purpose. Secondary use includes the use of such information for scientific research, compilation of statistics, development and innovation activities, teaching, knowledge management, management and supervision of public authorities, and planning and reporting obligations of public authorities.
In this case, data permissions are issued by a data permission authority, Findata, or by the relevant register, and processing is only possible in a certified processing environment, such as SD Desktop.
Biomedical data
Biomedical samples are collected from persons with consent, and these samples are then stored in a biobank. These samples and the associated register data are regulated by the Biobank Act (30.11.2012/688) and are considered sensitive.