Definition of Sensitive Data - Services for Research
Sensitive data is defined as any information that is protected against unwarranted disclosure. Protection of data may be required for legal or ethical reasons, for issues pertaining to personal privacy, or for proprietary considerations. Sensitive data includes:
- Human data (e.g. health, genetic and personal information, data that may identify a person)
- Ecological data (e.g. location of endangered species or other conservation efforts)
- Confidential data (e.g. trade secrets)
- Data that is otherwise deemed sensitive
Sensitive personal data
There are a few simple guidelines for identifying sensitive human data, all of which are derived from national and EU legislation.
Note that not all personal data is sensitive. For example, name, address or even social security number are not classified as sensitive. Such personal data should nevertheless be managed carefully. Most of the guidelines for managing sensitive data apply to personal data.
Lawful processing of sensitive personal data
Processing of personal human data is regulated by the GDPR and by national laws.
In particular, the GDPR prohibits the processing of personal sensitive data unless there is a valid lawful basis: consent, performance of a contract, a legitimate interest, a vital interest, a legal requirement, or a public interest.
Moreover, the regulation clearly defines the responsibilities of a:
- Data controller, a natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data.
- Data processor, a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
In Finland, the processing of register data is regulated by a national law, the Act on Secondary Use of Health and Social Data (552/2019).
This regulation applies in particular when health and social information is collected and saved in a register (for example, during examination in health care services, or while applying for social benefits), and the original information is then used for a different purpose. Secondary use entails using such information for scientific research, compiling of statistics, development and innovation activities, teaching, knowledge management, steering and supervision of authorities, and the planning and reporting duties of authorities.
In this case, a data permit authority, Findata, or the register in question issues data permits, and processing is possible only in a certified processing environment.
There are also other national laws that deal with sensitive personal data, such as the Data Protection Act (1050/2018).
Health care data is defined in more detail by the Act on the Status and Rights of Patients (785/1992, 13 §) (in Finnish), which states that information contained in and derived from patient documents shall be confidential.
Closely related to health care data is biomedical data. The Biobank Act (688/2012) (in Finnish) indicates that data related to human samples and processing of those samples shall be confidential.
Other data classified as sensitive
Documents are another, much more diverse, category. For example, agreements, contracts, governmental documents, documents addressed to or in possession of an authority, and so on may be secret, classified, confidential or otherwise deemed sensitive. The Act on the Openness of Government Activities (621/1999) (in Finnish) covers some of these types, but not all. Data under a non-disclosure agreement, such as confidential business-related data which, if leaked, could harm the data owner, is also deemed confidential.
Sensitive data can also include data that reveals the location of rare, endangered or commercially-valuable species, or other conservation efforts.
Some data collected by Statistics Finland is also sensitive. You should consult Statistics Finland if you have any data from them before processing it.
If your data falls under one or more categories listed above, it is very likely that your data should be deemed sensitive and processed accordingly.
- EU General Data Protection Act (GDPR) defines personal information in Article 4. Data handling principles are defined in Articles 5, 24, and 32. Article 9 defines the special cases, which include, for example, genomic or biometric data. In Finnish: Yleinen tietosuoja-asetus
- Ministry of Social Affairs and Health introducing the secondary use of health and social data and frequently asked questions about the Act on Secondary Use of Health and Social Data
- Database of secondary-use environments
- Finnish Social Science Data Archive on anonymization and personal data
- The Finnish National Board on Research Integrity TENK