Sensitive Personal Information

Section 2 of the Data Protection Act 1998 defines sensitive personal information as information related to:

  • Racial or ethnic origin;
  • Political opinions;
  • Religious or other similar beliefs;
  • Membership of trade unions;
  • Physical or mental health or condition;
  • Sexual life; and
  • Convictions, proceedings and criminal acts.

Sensitive personal data is subject to much stricter regulation than ordinary personal data and must only be processed when one of the following conditions have been satisfied

  • The data subject has given explicit consent;
  • It is required by law for employment purposes;
  • It is needed in order to protect the vital interests of the individual or another person. For example, an individual with a medical condition has an accident at work; it would be in the individual’s vital interest to disclose this condition to medical staff treating the individual; or
  • It is needed in connection with the administration of justice or legal proceedings.

The most common condition for processing sensitive personal data is that the data subject has given explicit consent. By explicit consent, we mean that the consent of the data subject to process their personal information is made absolutely clear. This consent is usually in writing.