Data Protection

Processing sensitive personal data

The Act provides a separate definition for "sensitive personal data". This relates to information concerning a data subject's racial or ethnic origin, political opinions, religious beliefs, trade union activities, physical or mental health, sexual life, or details of criminal offences.

As with general personal information, there are a number of circumstances that enable the processing of sensitive personal data without consent. However, if consent is used as a way to process such data, it is important to note that the Act requires explicit consent. It is always preferable to have explicit consent in order to process sensitive personal data, and this should always be obtained if it is possible to do so, even if another processing condition could apply.

Circumstances, other than explicit consent, that enable sensitive data to be processed lawfully are:

  • some University activities relating to employment;
  • protecting the vital interests of an individual where consent cannot be given (such as a life-threatening medical emergency);
  • where the data has already been made public by the data subject;
  • for legal proceedings (including prospective legal proceedings);
  • for some medical purposes undertaken by a health professional, or equivalent;
  • for some equal opportunity purposes.

Sensitive information must be protected with a higher level of security. It is recommended that sensitive records are kept separately in a locked drawer or filing cabinet. Sensitive personal data must never be kept on laptops or portable storage (such as USB drives) unless the device or the file has been encrypted.

Information on encryption at the University can be found here