What is sensitive information?
As you may be aware, companies and organisations often hold large amounts of our personal data and information. While much of this will be fairly standard, there will also be occasions where your ‘sensitive information’ is recorded for various purposes.
Sensitive personal information covers a range of elements and, as you might expect, needs to be handled with extra care and attention.
If your sensitive information is ever exposed or misused, you could be in a position to claim compensation. It is therefore important to understand exactly what can be considered to be highly sensitive information, and what you can do if you ever find yourself in such a position.
In this article, we will explore:
- What is sensitive personal information?
- What are some examples of sensitive information?
- What is non-sensitive personal information?
- What is commercially sensitive information?
- What are the rules on processing sensitive information?
- How can you protect your sensitive information?
- What should you do if someone has misused your sensitive information?
- How Hayes Connor can help if your sensitive information has been misused
At Hayes Connor, our team can support you with making a claim if your sensitive information has been mishandled in any way. We have a high level of experience and expertise, having established a strong track record of success over many years.
What is sensitive personal information?
To summarise, general personal information is any data which relates to an individual – such as their name, address or physical appearance.
Personal information is considered to be ‘sensitive’ when it includes various special categories. When handling sensitive information, extra care and attention must be paid at all times. The exposure of sensitive personal information can cause substantial financial or personal harm.
What are some examples of sensitive information?
Sensitive personal information examples include:
- Racial or ethnic origin
- Political opinions
- Religious beliefs
- Trade union membership
- Genetic data
- Biometric data
- Health records
- Sex life
- Sexual orientation
What is non-sensitive personal information?
What will constitute non-sensitive personal information will vary. Generally, any information that does not fall into a ‘special category’ will be considered non-sensitive. This will often include any general identification information such as names, addresses and ages.
It is important to note that non-sensitive personal information should still be treated with care. If any information is exposed, any victims could be in a position to claim compensation.
What is commercially sensitive information?
Commercially sensitive information will typically involve any data which, if misused, could jeopardise a business’s general commercial interests. An issue could arise if the commercially sensitive information is released to either a competitor or the general public.
Often, this will include intellectual property, trade secrets and information related to company formation, such as mergers and acquisitions. Commercially sensitive information could also include customer or supplier records.
What are the rules on processing sensitive information?
There are very strict rules for processing and handling sensitive information. If these guidelines are not followed, any responsible party could be liable to face a claim for compensation from any victims.
To process sensitive information and special category data, a business must identify a ‘lawful basis’ under Article 6 of the UK GDPR and a separate condition for processing under Article 9. These two conditions do not necessarily need to be linked.
Under Article 6, processing of sensitive information is only lawful if the following applies:
- An individual has given consent to the processing of their personal data for one or more specific purposes.
- Processing is considered necessary to perform a contract to which an individual is party or to take steps at the request of the data subject prior to entering into a contract.
- Processing is necessary to comply with a legal obligation to which the controller is subject.
- Processing is necessary to protect the vital interests of the individual or of another natural person.
- Processing needs to be carried out for the performance of a task completed in the public interest or in the exercise of official authority vested in the controller.
- Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party. The exception is where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, particularly where the data subject is a child.
The following list includes the conditions for processing special category data under Article 9:
(a) Explicit consent
(b) Employment, social security and social protection (if authorised by law)
(c) Vital interests
(d) Not-for-profit bodies
(e) Made public by the data subject
(f) Legal claims or judicial acts
(g) Reasons of substantial public interest (with a basis in law)
(h) Health or social care (with a basis in law)
(i) Public health (with a basis in law)
(j) Archiving, research and statistics (with a basis in law)
How can you protect your sensitive information?
If your sensitive information has been exposed without your consent, it may be possible for you to pursue compensation for any damages caused. The court will have the authority to award damages from a claim, covering any reputational and/or financial losses, as well as the general distress caused.
In addition to this, an injunction can potentially be filed to prevent the publication of the sensitive information.
Claims for the misuse of sensitive information can also be made on the following grounds:
Breach of confidence
A breach of confidence relies on the general principle that sensitive information, which was provided in confidence, has been unfairly exposed or exploited. This could be used where there is a pre-existing contract or relationship in place.
Where the misuse of sensitive information is classed as a breach of UK GDPR, a victim may be able to make a GDPR data breach claim. This is something our specialist GDPR solicitors can support you with further.
Protection from harassment
Depending on the circumstances, misusing or exploiting sensitive information could also lead to criminal or civil liability where actions amount to harassment. This occurs where behaviour is intended to cause alarm or distress in any way.
What should you do if someone has misused your sensitive information?
If your sensitive personal information has been misused in any way, it is important that you clearly understand what your current legal position is and what actions you may be able to take moving forwards.
It should be noted that, after learning your sensitive information has been exposed, it is good practice to make sure that you secure your data as quickly as possible. Usually, this will include taking actions such as changing the passwords to your accounts, creating security alerts for your credit reports and initiating security freezes.
So that you are clear on whether you have grounds to claim compensation for the misuse of your sensitive information, or any other type of data breach claim, speaking to a specialist solicitor is essential. This is where the team at Hayes Connor can step in.
How Hayes Connor can help if your sensitive information has been misused
If your sensitive information has been misused, or exposed without your permission, our team may be able to help you in pursuing a claim for compensation. Our data breach experts act for clients on a no win, no fee basis, removing the financial risk of pursuing claims where sensitive information has been mishandled in any way.
At Hayes Connor, we are one of the largest teams of data breach claims specialists in the country. With a wealth of combined experience and expertise in supporting clients from a wide range of backgrounds, we are perfectly positioned to support you.
Our team can provide carefully tailored advice on whether you will have grounds to make a claim for the misuse of sensitive information, the level of compensation you may be entitled to receive, and what steps need to be taken.
We want to ensure that anyone affected by the misuse of sensitive information can access the compensation they deserve, while also making the entire process as straightforward and stress-free as possible.
You can find out more about our expertise and how we handle data breach claims here.
To start a claim, you can use our online claim form and we will get back to you shortly to let you know if we believe you have grounds for compensation.
If you would like to speak to a member of our team, please do not hesitate to give us a call on 0330 041 5139.