What is sensitive personal data?

Some personal data are defined as sensitive data by the Data Protection Act. Sensitive data will contain information about an individual’s:

  • Sex life and orientation
  • Race, religion or political beliefs
  • Trade union membership
  • Medical condition
  • Criminal offences, either alleged or proven
  • Punishments received for proven offences

Conditions for processing sensitive data

Data controllers are not permitted to process sensitive data about an individual unless:

  • the processing is in connection with current or prospective legal proceedings or consultations; or
  • the processing is in the substantial public interest; or
  • the explicit, informed and freely given consent of the individual has been obtained. This means:
    • the consent must be in writing, and
    • the individual has been informed of what information is to be processed, and
    • no detriment will be suffered by the individual if they refuse to give consent.

Hence a data controller can not require a care leaver to sign a consent form for sensitive data to be processed about him/her in exchange for granting access to the care leaver’s childhood case records. Such consent will not have been freely given because the care leaver will suffer detriment (being denied access to his/her case file) if they refuse.

Statutory Instrument 2000/417

This is an order issued by government that authorises data controllers to process an individual’s sensitive personal data without the individual’s consent, usually on the grounds that the processing is necessary in the ‘substantial public interest’.