Sensitive Personal Data

Terminology

What is Sensitive Personal Data?

Not all personal data is the same. Some types are particularly sensitive and require extra protection.

Under OC 11, these are referred to as “Sensitive Personal Data”, and include any information relating to:

  • Physical or mental health
  • Genetic data
  • Biometric data (when used to uniquely identify someone)
  • Racial or ethnic origin
  • Sexual orientation
  • Political, religious, or philosophical beliefs or opinions

Obligations when processing sensitive personal data

Because of their sensitive nature, any misuse, unauthorised access, or breach of these types of data could cause serious harm to individuals, such as discrimination, reputational damage, or psychological distress. This is why their processing is generally prohibited, except in limited circumstances set out in OC 11.

As such, Services must ensure that they:

  • Have a valid legal basis: Sensitive Personal Data may only be processed if one of the exceptions listed in OC 11 applies. For example, where the individual has given explicit consent, or where processing is necessary for CERN to fulfil its legal obligations, particularly in matters relating to personnel management, health services, or social insurance.
    The transfer of Sensitive Personal Data to External Entities is not authorised, except in a few exceptional circumstances.
  • Apply enhanced security measures: Use encryption, access controls, and audit logs to protect the data. Don't transfer Sensitive Personal Data via e-mail. Instead, use secure alternatives such as CERNBox.
  • Apply enhanced organisational measures: Provide adequate training and ensure that all staff handling Sensitive Personal Data understand the applicable guidance, risks, and responsibilities.
  • Minimise data collection: Collect only the data that is strictly necessary for the intended purpose.
  • Limit access on a strict “need-to-know” basis: Ensure that only authorised individuals have access to the data, based on a clear necessity (e.g. operational need).
  • Assess the need for a Data Privacy Impact Assessment (DPIA): In many cases, processing Sensitive Personal Data will require a DPIA before any activity begins. If you are uncertain whether a DPIA is necessary, please contact the Office of Data Privacy for guidance.

What does this mean in practice?

The explanations above may sound abstract, but they have very concrete implications in day-to-day life at CERN. Common situations involving Sensitive Personal Data include sending and receiving medical certificates, transferring other classified documents such as health assessments or complaint reports, and managing HR files.

But how should these be handled in practice to ensure compliance and protect individuals' privacy? Below are a few examples that illustrate good practices in these real-life scenarios.

  • Use secure platforms like CERNBox to share these documents. Configure file-drop folders to prevent unintended access and ensure only authorised personnel can view the files.
  • Don’t use e-mail to send documents containing Sensitive Personal Data, as it increases the risk of delivery to the wrong recipient(s) and of long-term storage in unsecured inboxes.
  • If e-mail is the only option, the document must be encrypted (e.g. by setting a password on a PDF or Word file), and the encryption key must be shared separately with the recipient, using a different communication channel.
  • Print, store, or forward these documents only when strictly necessary and always in line with CERN's established procedures.
  • Restrict access to Sensitive Personal Data strictly on a need-to-know basis, with formal authorisation and role-based access controls in place. Remember: Sensitive Personal Data should never be shared unless it is strictly necessary - even if you believe there are good reasons, such as requesting additional resources, informing colleagues, or escalating an issue!
  • Train personnel handling such data on data privacy and any other specific rules or CERN procedures that apply (e.g. handling of medical certificates). In certain cases, this may be supported by a signed confidentiality declaration.