Definition of Sensitive Data

Sensitive data is defined as any information that is protected against unwarranted disclosure. Protection of data may be required for legal or ethical reasons, for issues pertaining to personal privacy, or for proprietary considerations. Sensitive data includes:

  • Human data (e.g. health, genetic and personal information, data that may identify a person)
  • Ecological data (e.g. location of endangered species or other conservation efforts)
  • Confidential data (e.g. trade secrets)
  • Data that is otherwise deemed sensitive

Sensitive personal data

There are a few simple guidelines for identifying human sensitive data, which are all derived from the national and EU legislation.

The following categories are classified as sensitive personal information by the General Data Protection Regulation (GDPR, Art. 9 (1), Art. 10):

  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs, or trade union membership
  • Genetic data
  • Biometric data for the purpose of uniquely identifying a natural person
  • Data concerning health
  • Data concerning a natural person's sex life or sexual orientation
  • Data relating to criminal convictions and offences, or related security measures

Note that not all personal data is sensitive. For example, name, address or even social security number are not classified as sensitive. Such personal data should nevertheless be managed carefully. Most of the guidelines for managing sensitive data apply to personal data.

Lawful processing of sensitive personal data

Processing of personal human data is regulated by the GDPR and by national laws.


In particular, the GDPR prohibits the processing of personal sensitive data unless there are valid lawful bases: consent, performance of a contract, a legitimate interest, a vital interest, a legal requirement, and a public interest.

Moreover, the regulation clearly defines the responsibilities of a:

  • Data controller, a natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data.
  • Data processor, a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

Finnish laws

In Finland, the processing of register data is regulated by a national law, the Act on Secondary Use of Health and Social Data (552/2019).

This regulation in particular applies when health and social information is collected and saved in a register (for example, during examination in health care services, or while applying for social benefits), and then the original information is used for a different purpose. Secondary use entails using such information for scientific research, compiling of statistics, development and innovation activities, teaching, knowledge management, steering and supervision of authorities, and the planning and reporting duties of authorities.

In this case a data permit authority, Findata,  or the register in question issues data permits and processing is possible only in a certified processing environment.

There are also other national laws that deal with sensitive personal data, such as Data Protection Act (1050/2018).

Health care data, defined in more detail by the Act on the status and Rights of Patients (785/1992, 13 §) (in Finnish) states that information contained by and derived from patient documents shall be confidential.

Closely related to health care data is biomedical data. The Biobank Act (688/2012) (in Finnish) indicates that data related to human samples and processing of those samples shall be confidential.

Other data classified sensitive

Another much more diverse topic is documents. For example, agreements, contracts, governmental documents, documents addressed to or in possession of an authority, and so on may be secret, classified, confidential or otherwise deemed sensitive.  The Act on the Openness of Government Activities (621/1999) (in Finnish) covers some of these types, but not all. Also, data under a non-disclosure agreement(s), such as confidential business-related data which, if leaked, could harm the data owner, is thus deemed confidential.

Sensitive data can also include data that reveals the location of rare, endangered or commercially-valuable species, or other conservation efforts.

Some data collected by Statistics Finland is also sensitive. You should consult Statistics Finland if you have any data from them before processing it.

If your data falls under one or more categories listed above, it is very likely that your data should be deemed sensitive and processed accordingly.

Read more: