Sensitive data and GDPR

What type of data is sensitive?

Sensitive data is classified information that must be protected from unauthorized access. Sensitive data can be accessible to outside parties ONLY with expressly granted permissions. The main types of sensitive data are human, ecological (e.g. location of endangered species), and confidential data.

Sensitive personal data is any data that reveals:

personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs,
trade-union membership,
genetic data, biometric data processed solely to identify a human being,
health-related data,
data concerning a person’s sex life or sexual orientation.

Sensitive personal data is subject to specific processing conditions according to the GDPR.

To learn more, see: Definition of Sensitive Data

What is personal data?

Personal data is any information related to an identified or identifiable living individual. Personal data can also be different information that can lead to the identification of one person when collected together.

Examples of personal data are:

a name and surname;
a home address;
email address;
social security number;
location data (for example, the location data function on a mobile phone);
(IP) address;
a cookie ID.

What is the difference between sensitive personal data and personal data?

Sensitive personal data is a specific set of “special categories” of personal data that must be treated with extra security. To learn more see: Definition of Sensitive Data.

The General Data Protection Regulation is a European Union (EU) data privacy and security law that regulates the management and processing of personal data.

It defines:

what is personal data
what is data processing
what are the roles of all the parties involved (Data Controller, Data Processor, Data Subject)
key principles that regulate EU data protection

Any organization that stores or processes personal information regarding EU citizens is obliged to comply with the GDPR.

In GDPR terms, CSC is always a data processor acting on behalf of a data controller. GDPR also requires that this relationship be done in writing. Therefore, the data controller (a group leader, researcher, research organization or their legal representative) needs to sign the Data Processing Agreement with the CSC, a legal contract. CSC never acts as a data controller, but our services give CSC users all the instruments necessary to manage the access to sensitive data. The CSC service user remains fully responsible for the data and is required to choose a service that complies with the security level needed for the data.

I am not sure if the data I am working with is sensitive or not. Where can I find support?

You can write to servicedesk@csc.fi (email subject: Sensitive Data) describing your research and the data you are working with (e.g. providing your Data Management Plan, DMP). You can also contact the legal services or Data Protection Officer in your own organization. They can give you more details about your organization's policies.

What type of sensitive data can I process with CSC Sensitive Data Services?

Any type of sensitive data consented for research. Processing register data under the Act on Secondary us of Health and Social data is possible only with a Findata permit and using a restricted version of the SD Desktop service (see: Sd Desktop for secondary use).

What type of documentation do I need to provide to use CSC Sensitive Data Services?

When creating a CSC account and CSC project in MyCSC, you are guided to view and accept CSC's Data Processing Agreement (DPA) and describe the type of data you are processing in the description of processing activities form. If you have any questions about these documents or addittional legal agreements are needed between your organization and CSC, write to servicedesk@csc.fi (email subject: Sensitive Data).

Last update: April 3, 2023