What counts as sensitive data?
Section 2 of 10
'Sensitive data' is an umbrella term which we use to cover data relating to people, rare or endangered animal or plant species, data generated or used under a commercial research funding agreement, and any data likely to have significant negative public impact if released. Other kinds of research data also come under this category. Researchers should use their own judgement to identify any research data which might be called sensitive.
Generally sensitive data can be categorised into the following areas:
Data concerning human participants - This kind of sensitive data is often referred to as ‘personal data’. Personal data is information that can be used to identify a study participant or subject. Implicit is a risk of discrimination, harm, or otherwise unwanted attention. As a general rule, personal data cannot be shared in its original form.
Under GDPR, personal data means any information relating to a living person who can be identified, directly or indirectly, from that information. Personal data therefore includes information such as names and addresses, but also email addresses, IP addresses, information on health and sexuality, and on “physical, physiological, genetic, mental, cultural or social identity”.
Other types of information relating to research participants will also be unsuitable for publication. It is up to the owner of the data to understand and comply with the law and to exercise good judgment when deciding the potential risk of publishing a research dataset.
Data relating to species of plants or animals - Data which includes information on rare or endangered species, or other conservation activities, is often classed as sensitive data. Determining when this data is sensitive can be complex; for instance a species may be at risk in one geographical area but not another, so disclosure of data on the location would cause potential harm even if details of the species itself would not. Whilst no legislative definition currently exists, general consensus is that if the release of the data increases the chance of risk or harm to that species or conservation effort, it should be classed as sensitive.
Commercially sensitive data - Data where disclosure could cause economic harm, or prejudice the interests of any person, is deemed to be sensitive. This includes information such as references to ongoing negotiations, trade secrets, or data generated as part of a commercial funding agreement. Whilst funders now place an emphasis on sharing data as default, it is understood that data whose disclosure could jeopardise future funding arrangements and commercialisation of products can in some circumstances be regarded as sensitive.
Data that poses a threat to others - Information which, if made available, would pose a threat to national security or would have a negative public impact.
Question: which of the following would be regarded as sensitive data?
- the date of birth and postcode could easily be enough information to identify individuals, but especially if combined with other information that would only apply to a small number of individuals
- descriptions of the physical characteristics of a rare species is unlikely to cause it harm unless the geographical location of the species, or environmental information that indicates a particular region, is also disclosed.