Definition · Plain-language
Sensitive data (special category data)
Sensitive data — known as special category data under GDPR — is information that needs extra protection because of the heightened risk its misuse poses to individuals.
The step most authors miss
Doing CRediT right? Don’t stop at the statement.
A CRediT statement credits you inside one paper. The recognition CRediT was built for happens when those roles are tied to you, persistently. Sign in with your ORCID — free — and claim your CRediT contributions on casrai.org, the home of the standard. They become a verified, portable part of your identity, not a line that disappears into one PDF.
Free: claim your contributions, then export a journal-ready CRediT statement, schema.org structured data, JATS XML, CSV or BibTeX — and preview your public profile. A membership publishes that profile publicly and verifies the journals you serve.
What counts as sensitive data
Under GDPR Article 9, special category data covers personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, together with genetic data, biometric data used to identify a person, data concerning health, and data about a person’s sex life or sexual orientation. These categories are singled out because their disclosure can expose people to discrimination or serious harm. Information about criminal convictions is handled under a separate, related provision rather than Article 9 itself.
Why it gets extra protection
Processing special category data is treated more cautiously because the consequences of a breach or misuse are more severe. Beyond having a normal lawful basis, organisations generally need an additional condition specifically permitting the sensitive processing. In a research context this often shapes consent design, security controls and access arrangements. The underlying principle is proportionality: the more sensitive the data, the stronger the safeguards expected around it.
Sensitive data in research practice
Many research domains — clinical, social and biomedical — inherently involve sensitive data. Recognising data as sensitive informs classification, storage and sharing decisions, and often determines whether a privacy or data-protection impact assessment is appropriate. Robust de-identification and anonymisation become especially important here, since the goal is to enable valuable reuse of data while keeping the heightened risk to participants firmly under control.
Key facts
At a glance
- Definition: personal data needing extra protection due to heightened risk
- GDPR term: special category data (Article 9)
- Categories: health, genetics, biometrics, race, religion, beliefs, sex life
- Politics: political opinions and trade-union membership included
- Separate rule: criminal-offence data handled outside Article 9
- Effect: generally needs an extra processing condition plus safeguards
Common misconceptions
What people often get wrong
Often heard: Any personal data a person considers private counts as sensitive data.
Actually: Special category data is a defined GDPR list — health, genetics, biometrics, race, beliefs, sex life and similar. Other private-feeling data is still personal data but not legally “special category”.
Often heard: Criminal conviction data is special category data under Article 9.
Actually: Criminal-offence data is handled under a separate, related provision rather than Article 9, although it still attracts heightened protection.
Often heard: A photograph is automatically biometric special category data.
Actually: A photograph becomes biometric special category data only when processed through specific technical means to uniquely identify a person; an ordinary image alone is generally not special category data.
Going deeper
