Jul 24 2020

As you will have read in recent newsletters, the new project on GDPR has started and we have explained what personal data is. This week we want to tell you about personal data that needs extra protection and is known as ‘sensitive personal data’.

Sensitive personal data can be broken down into three categories. You can have ‘special category’, ‘criminal offence’ or just generally ‘other sensitive’ data. Let’s understand each of these in a little more detail…

Special category data

Special category data is a specific list that is found in the GDPR and Data Protection Act 2018 (DPA). These laws stipulate that when we handle data from the specific list, we have additional responsibilities and requirements that we have to comply with.

This specific list is personal data related to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic, biometric, health, sex life and sexual orientation.

Criminal offence data

Criminal offence data is personal data relating to criminal convictions and offences, or related security measures. The GDPR and DPA distinguishes this from special category data because it needs to be treated differently, and there are extra conditions we need to meet in order to lawfully use it.

This includes data relating to criminal allegations, proceedings or convictions, such as a DBS check.

Other sensitive data

Other sensitive data is a catch-all phrase we use for any personal data that isn’t special category or criminal offence data, but if not handled correctly will adversely affect the individual it relates to.

For example; financial or salary data, debit or credit card, copies of official documents i.e. passport or driver’s license, location data, or viewing and usage history data.

There is some data that isn’t sensitive because of its content but because of its nature and context.

For example, data related to a student or participant in research having been a social services care leaver i.e. adopted or fostered; data related to vulnerable individuals such as employees, children, the elderly or asylum seekers; data related to a student’s private family matters; data related to confidential reports, interviews or sessions i.e. therapy or wellbeing support; data collected when the individual is in a vulnerable situation i.e. security's body-worn cameras filming someone receiving medical assistance; or generally personal data that could cause someone significant harm or distress if not handled correctly.

In summary

All of the above is sensitive personal data, which we are required to provide extra protection for, and can only use in limited circumstances.

It is important to understand what personal data is and what sensitive personal data is.

It’s important to identify where you may use it in your role because you need to comply with the GDPR and DPA. More information is found in our training available on Moodle.

For further information about personal data, sensitive personal data or data protection and GDPR, please see our FAQs by clicking here or contact Data Protection at dataprotectionrhul.ac.uk.


  • Sensitive data is personal data.
  • Sensitive data is a term that covers many different types of personal data that need extra protection.
  • These types are ‘special category’, ‘criminal offence’ or ‘other sensitive’ data.
  • Under GDPR, almost all data used by the College falls under ‘personal data’.