The GDPR mentions Personal Data and Special Category Data.
PERSONAL DATA: Name; Email; Address; Phone.
SPECIAL CATEGORY DATA: Ethnic Origin; Politics; Religion; Trade Union Membership; Genetics; Biometrics (where used for ID purposes); Health; Sex Life or Sexual Orientation.
I have always suggested that organisations should consider a middle category called Confidential Data.
CONFIDENTIAL DATA: Social Security number; Tax Reference; Passport; Driving Licence; Utility Bills; Bank Account.
I have also advocated a RED, AMBER, GREEN approach to how data is classified and handled. This is simplistic, but for example you might say GREEN can be shared within the organisation, AMBER only by approved persons, and RED only by a senior manager under strict controls. This is a very simple approach to Data Processing Impact Assessment, making decisions based on the potential harm to the person.
RED = Special Category Data: likely to have a significant negative impact on the data subject
AMBER = Confidential Data: likely to have a negative impact on the data subject
GREEN = Personal Data: unlikely to have a negative impact on the data subject
In Jersey the conditions for processing PERSONAL DATA are as follows:
03 Vital interests
04 Public functions
05 Legitimate interests
The key thing about Special Category Data is that it may only be processed where one of the specific conditions for processing special category data applies. Those conditions are listed in Article 9(2) of the GDPR.
In Jersey the conditions for processing SPECIAL CATEGORY data are as follows:
07 Other legal obligations
08 Employment and social fields
09 Vital interests (subject to certain conditions)
10 Non-profit associations (subject to certain conditions)
11 Information made public
12 Legal proceedings, etc.
13 Public functions
14 Public interest
15 Medical purposes
16 Public health
17 Archiving and research
18 Avoidance of discrimination
19 Prevention of unlawful acts
21 Publication about malpractice and mismanagement
23 Insurance and pensions: general determinations
24 Insurance and pensions: current processing
25 Functions of a police officer
The point is that processing of SPECIAL CATEGORY DATA must fit one of the conditions above.
As for CONFIDENTIAL DATA (which is not legally defined), processing it still needs a legal basis, but I would suggest it merits a higher level of care, custody and safeguarding.
As noted above, this is what a Data Processing Impact Assessment is about. Ask yourself: is there a risk? If there is, perhaps give the data a special category and special treatment to make sure it is private, safe and secure.
So, to be clear, the law only talks about PERSONAL DATA and SPECIAL CATEGORY DATA, but I recommend that CONFIDENTIAL DATA is recognised as sensitive and treated accordingly.
Logically, I would hope that any business would treat passports, driving licences, utility bills and bank account details with special care, and that is all I am advocating.
UK Guidance on Special Category Data
Jersey Law re Special Category Data
Working Party 29 Guidance on how to interpret the EU GDPR