Personal data is called so for a reason – it is very private and not intended for anyone else to view. However, although the terms may sound similar, there is a difference between general personal data and sensitive personal data.
If you want to find out more about sensitive personal data, what exactly it consists of, the regulations surrounding the topic, and how it differs from general personal data, then this is the article for you.
The Definition Of Personal Data
In essence, personal data is any kind of information that is related to an identifiable person.
In most cases, it is quite straightforward to determine whether the information you process relates to an identifiable person. However, there may be some circumstances where it is less clear, and you will need to consider the information you hold very carefully to determine whether it is personal data and whether the UK GDPR applies.
Definition Of Sensitive Personal Data
So how does sensitive personal data differ from just personal data? The answer here is that this type of data requires a greater level of protection because it is extremely private and is therefore considered sensitive.
The General Data Protection Regulation (GDPR) makes a very clear distinction between sensitive and non-sensitive personal data, to the point where Article 9 of the GDPR establishes special categories that require extra attention.
Examples of personal data
Below is a list of personal data that can be found in many databases:
- a name and surname
- a home address
- an email address
- date of birth
- an identification card number
- location data (for example the location data function on a mobile phone)
- an Internet Protocol (IP) address
- a cookie ID
- the advertising identifier of your phone
- data held by a hospital or doctor, which could be a symbol that uniquely identifies a person
- passport number, national ID number, driver’s license number
- vehicle registration plate number
- employee number
- bank account number
- credit card number
Some of the personal data examples listed above fall into a sensitive data category, which includes:
- Racial or ethnic origin
- Political beliefs
- Religious beliefs
- Genetic or biometric data
- Mental health or sexual health
- Sexual orientation
- Trade union membership

Handling Of Personal And Sensitive Data
Sensitive personal data should be held separately from other personal data to maintain its privacy, preferably in a locked drawer or filing cabinet if it is held in physical form. If sensitive data is to be stored online, encryption or pseudonymisation is required.
Pseudonymisation is a technique that replaces or removes information in a data set that identifies an individual. This means that anyone with access can view parts of the data without identifying who it is about. This differs from encryption, under which anyone with the right authority can access the full set of data.
Pseudonymisation and encryption can be used simultaneously or separately.
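The separation and pseudonymisation described above can be sketched in a few lines. This is an added example, not code from the original article; the field names, the choice of a keyed HMAC-SHA256 as the pseudonym function and the sample records are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Assumed field split for this example (field names are hypothetical).
DIRECT_IDENTIFIERS = ("name", "email", "home_address")
SPECIAL_CATEGORY = ("religious_beliefs", "trade_union_membership")

def pseudonym(key: bytes, email: str) -> str:
    """Keyed pseudonym: stable per person, not recomputable without the key."""
    normalised = email.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()[:32]

def pseudonymise(records, key):
    """Split records into three stores that are linked only by the pseudonym."""
    working, sensitive, lookup = [], {}, {}
    held_apart = DIRECT_IDENTIFIERS + SPECIAL_CATEGORY
    for rec in records:
        pid = pseudonym(key, rec["email"])
        # Re-identification table: keep under the strictest access control.
        lookup[pid] = {f: rec[f] for f in DIRECT_IDENTIFIERS}
        # Special-category values are held separately from everything else.
        sensitive[pid] = {f: rec[f] for f in SPECIAL_CATEGORY if f in rec}
        # Working copy: what most users see, with no direct identifiers.
        rest = {f: v for f, v in rec.items() if f not in held_apart}
        working.append({"pid": pid, **rest})
    return working, sensitive, lookup

# Constructed sample records (not real people).
SAMPLE = [
    {"name": "Alex Example", "email": "Alex@example.org",
     "home_address": "1 Sample Street", "postcode": "ZZ1 1AA",
     "order_total": 42.50, "trade_union_membership": "yes"},
    {"name": "Sam Placeholder", "email": "sam@example.org",
     "home_address": "2 Sample Street", "postcode": "ZZ2 3EF",
     "order_total": 17.00, "religious_beliefs": "undisclosed"},
]

if __name__ == "__main__":
    key = secrets.token_bytes(32)  # stored apart from all three data stores
    working, sensitive, lookup = pseudonymise(SAMPLE, key)
    for row in working:
        print(row)
```

The working copy still carries the postcode, so it remains personal data: whoever holds the key or the lookup table can link each row back to a person.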
The GDPR And Personal Sensitive Data
Under the GDPR (General Data Protection Regulation), the term personal data means “any information relating to an identified or identifiable natural person”. This only applies to information which relates to an identifiable living individual. Information relating to a deceased person does not constitute personal data and therefore is not subject to the UK GDPR.
Data processing
The grounds for processing personal sensitive data have become much stricter over time. In order to process sensitive data, you must document a lawful basis for processing under Article 6 of the GDPR, as well as a lawful basis under Article 9.
Article 6 states that organisations must invoke one of the following lawful bases:
- A contract with the individual: this can include supplying goods or services that the person has or to fulfil a certain clause within a contract.
- Compliance with a legal obligation: this is only for when processing data for a particular purpose is a legal requirement.
- Vital interests: this basis is only used when processing the data will protect someone’s physical integrity or life.
- A public task: for example, to complete official functions or tasks in the public interest. This will typically cover public authorities such as government departments, schools and other educational institutions; hospitals; and the police.
- Consent: when the data subject agrees to the processing when presented with a clear explanation of the personal data that will be collected and what it will be used for.
Article 9 states that organisations must only process sensitive personal data if the organisation:
- Requires the information for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, in accordance with Article 89(1).
- Is using information that is manifestly made public by the data subject.
- Requires the information to establish, exercise or defend legal claims.
- Has gained explicit consent, and made clear how the data will be used.
- Requires the information to complete tasks in the public interest in the area of health.
For full guidance on the lawful bases, you can read the full text of Article 6 and Article 9 of the GDPR.
Consent
Many people think that you need to have consent in order to process personal data. However, this is not necessarily true, as the list above shows. Consent is only one of the grounds for processing personal data, and the strict rules on how you obtain and maintain it generally make it the least preferable option.
However, there will be times when consent is the most suitable basis, and many businesses and organisations need to be aware that they must receive explicit consent from people to process their sensitive personal data.
What Is Non-Sensitive Personal Data?
The GDPR establishes a very clear distinction between sensitive personal data and non-sensitive personal data. Examples of non-sensitive data include:
- Gender
- Date of birth
- Place of birth
- Postcode
- An age range, e.g. 25 – 35
- Census data
Although this type of data isn’t sensitive, it can still be combined with other forms of data to identify an individual. That is why encryption and pseudonymisation can be useful in these situations.
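How easily non-sensitive fields combine to single someone out can be measured by counting how many records share each combination of values. The check below is an added example, not part of the original article; the field names, the ten-year age bands, the fixed reference date and the sample records are assumptions for illustration.

```python
from collections import Counter
from datetime import date

RAW_FIELDS = ("gender", "date_of_birth", "postcode")
COARSE_FIELDS = ("gender", "age_range", "postcode_area")

def group_sizes(records, fields):
    """Count how many records share each combination of the given fields."""
    return Counter(tuple(r[f] for f in fields) for r in records)

def smallest_group(records, fields):
    """Size of the rarest combination; 1 means someone is unique."""
    return min(group_sizes(records, fields).values())

def unique_records(records, fields):
    """Records whose combination of fields is shared with nobody else."""
    sizes = group_sizes(records, fields)
    return [r for r in records if sizes[tuple(r[f] for f in fields)] == 1]

def generalise(record, today):
    """Coarsen date of birth to an age range and postcode to its first part."""
    dob = record["date_of_birth"]
    had_birthday = (today.month, today.day) >= (dob.month, dob.day)
    age = today.year - dob.year - (0 if had_birthday else 1)
    low = age // 10 * 10
    return {"gender": record["gender"],
            "age_range": f"{low}-{low + 9}",
            "postcode_area": record["postcode"].split()[0]}

# Constructed sample records (not real people or real postcodes).
SAMPLE = [
    {"gender": "F", "date_of_birth": date(1990, 3, 14), "postcode": "ZZ1 1AA"},
    {"gender": "F", "date_of_birth": date(1992, 7, 2), "postcode": "ZZ1 1AB"},
    {"gender": "F", "date_of_birth": date(1994, 11, 23), "postcode": "ZZ1 2CD"},
    {"gender": "M", "date_of_birth": date(1985, 1, 9), "postcode": "ZZ2 3EF"},
    {"gender": "M", "date_of_birth": date(1988, 5, 30), "postcode": "ZZ2 3EG"},
    {"gender": "M", "date_of_birth": date(1986, 12, 12), "postcode": "ZZ2 4HJ"},
]
REFERENCE_DATE = date(2025, 1, 1)  # fixed so the age bands are reproducible

if __name__ == "__main__":
    coarse = [generalise(r, REFERENCE_DATE) for r in SAMPLE]
    print("unique on raw fields:", len(unique_records(SAMPLE, RAW_FIELDS)))
    print("smallest group after coarsening:", smallest_group(coarse, COARSE_FIELDS))
```

On this sample every record is unique on gender, date of birth and postcode together, while the coarsened fields leave each person sharing their combination with two others.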