Something we discuss pretty frequently around here at RadarFirst is the idea of sensitive data: what we call protected health information, personally identifiable information, or just personal data. We are constantly considering what qualifies as protected data under specific regulations, what risk the data may pose to individuals should it be disclosed in some way … basically, what do we qualify as data we must protect as privacy professionals?

In the last few years, this topic has gotten more complicated. When the GDPR went into effect, the definition of personal data became considerably more broad, to include “any information relating to an identified or identifiable natural person,” with particular sensitivity  to personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, and sex life or sexual orientation.

Stateside, the CCPA is also broadening what privacy professionals will need to consider as personal data, as it includes information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household,” including name, email, biometric information, geolocation data, household data, and IP address. In fact, the expanding scope of what is considered personal information is a trend we have been tracking at RadarFirst for some time – in 2019 alone, 7 states expanded their definition of personal information.

This week, this topic is top of mind because the UK’s Information Commissioner’s Office (ICO) recently issued guidance on special category personal data. From a recent ICO blog post on handling this data with extra care:

“Special category data is the most sensitive personal data a controller can process. The misuse of this data is likely to interfere with an individual’s fundamental rights and freedoms and could cause real harm and damage.”

The blog post goes on to emphasize that you must have a lawful basis for processing this data, and you may consider an appropriate policy document outlining your compliance measures and retention policies regarding the data you process.

When an incident occurs and privacy professionals perform a risk assessment to determine if it qualifies as a breach, this expansive view of data brings with it extra complications. For example, certain data could be considered more sensitive in combination with other specific types of data. Or data may have special contextual sensitivity.

There is also the proliferation of technologies using biometric data as a way to authenticate identities – what happens when this data is exposed, such as this example of data breach impacting a popular DNA testing startup? How are you supposed to mitigate the impacts of this kind of exposure?

You can’t change your fingerprint or DNA nearly as easily as you can change your credit card number.