The GDPR describes personal data as “any information relating to an identified or identifiable natural person”, also known as a ‘data subject’. This covers any information about a person that could be used to identify them, such as their full name, their race, or their sexual orientation. Sensitive personal data refers to categories of data that must be treated with extra security. These categories are:
- Biometric data
- Genetic data
- Health information
- Political opinions
- Racial or ethnic origin
- Religious or philosophical beliefs
- Sexual orientation
- Trade union membership
Sensitive Data Scenario
What would you do in the below situation?
You have been tasked with organising the work summer party. Your final task is to confirm your colleagues’ menu selections and dietary requirements. You send the following email to all those attending:
Ask yourself the question, “Are there any privacy concerns here?”
The answer would be yes. Why?
- Firstly, when emailing a large group of people, the Bcc field should be used to eliminate the risk of unintended sharing of information via the ‘Reply all’ function.
- Secondly, dietary requirements are considered to be personal data and should only be disclosed to others when there is a valid reason. In some cases, dietary requirements can reveal racial or ethnic origin which is classed as sensitive personal data. Allergy information is also considered sensitive personal data.
In this case, the information should only be shared with the event organiser and not with everyone attending. Those attending should also be told how their personal data will be processed and stored.
Collecting data
Things to remember:
- Use Bcc when emailing a large group of people.
- Ensure you are educated on what is considered “sensitive personal data” and be careful to not share this information with people who don’t need to see it.
- When asking someone for personal data, ensure they are aware of how their data will be processed.
- Ensure you have a reasonable business purpose to collect or use the data and only hold the minimum data necessary.
- Appropriate access controls for shared storage within the organisation should be considered. This ensures that only those who need access have access. Restricting who can read, edit, and download files is another strong way of protecting personal data.
- Password-protect files you are sending, and when saving confidential personal data, ensure you “Protect workbook” by “restricting access”.
What to do if a data breach occurs
If you believe your personal data has been shared without your consent, then you should alert the GDPR representative at your organisation to get the problem solved as soon as possible.
By law, you must report a breach within 72 hours. That time starts when the breach is discovered, not when the breach occurred. It is important to pull the facts together and try to contain the breach by establishing what has happened to the affected data. Once the report is submitted, the ICO will take action in an appropriate and timely manner.
Why it is important to adhere to data rules
The principles set out in The Data Protection Act help businesses ensure the details of their staff, clients, and customers are properly protected. Employers and business managers have a duty to ensure all information is correct. Following correct data protection procedures is crucial in preventing cybercrimes and fraud.