Sensitive information

What is sensitive information?

Sensitive information covers a broad range of data, but what it holds in common is that its exposure poses risks to people and organizations. Types of sensitive information include: 

• Business-related data— accounting information, financial, planning, and trade secrets 
• Governmental data—confidential, restricted, secret, and top-secret information 
• Personal data—email addresses, phone numbers, physical addresses, and medical history 
• Transactional data—bank account information, credit card numbers, and Social Security Numbers 

Most sensitive information is protected by a mesh of domestic and international laws and regulations created and enforced by governments and organizations. These protections require that sensitive information be safeguarded from unauthorized access.  

Whether it is present in physical or digital formats, sensitive information must be protected at rest (i.e., where it is stored) and in motion (i.e., when it is sent through physical channels, such as mail, or digital channels, such as email or shared between applications).

Following are details about several of the various categories of sensitive information. 

Personal information

Personal information, often referred to as personally identifiable information (PII), is a large segment of sensitive information that can be traced directly to an individual and, if disclosed, could cause harm to the person. Because this type of sensitive information can distinguish one person from another, it could be used to deanonymize anonymous data.  

It is important to note that, singularly, personal data is not sensitive information. However, when multiple pieces of personal data are connected, the aggregate can become PII. Therefore, organizations are encouraged to apply the same protections to personal and sensitive information to avoid noncompliance penalties and other negative impacts.   

Examples of types of sensitive information included in personal information include: 

• Alien registration number 
• Biometric data (e.g., fingerprint, voice print, retina or iris image, or other unique physical measurement) 
• Criminal record 
• Date of birth 
• Driver’s license number 
• Genetic data 
• Internet protocol (IP) addresses 
• Location information 
• Mother’s maiden name 
• Name 
• Non-driver identification card number 
• Passport number 
• Phone number 
• Photograph 
• Place of birth 
• Political affiliation or opinion 
• Racial or ethnic origin 
• Religious or philosophical belief 
• Sexual orientation 
• Social Security Number 
• Trade union membership 
• Veteran and disability data 

Business and customer information

Sensitive business information includes anything that poses a risk to an organization if it is exposed. Examples of business and customer information that can be considered sensitive information include: 

• Bank account information 
• Cardholder data 
• Court records from a consumer report 
• Credit or debit card purchases 
• Credit scores 
• Customer data  
• Federal tax identification numbers 
• Financial data  
• Intellectual property data  
• Inventory information 
• Marketing plans 
• Operational information 
• Payment card information 
• Pending corporate actions or plans, such as an initial public offering (IPO), mergers, acquisitions, or stock splits 
• Sales figures  
• Supplier information  
• Trade secrets 
• Unreleased earning reports 

Classified government information

Classified information refers to government information that has restricted access based on the level of sensitivity—top secret, secret, and confidential.  

Top secret 
This type of governmental sensitive information refers to national security information that requires the highest level of protection. There is a high bar for sensitive information to achieve this designation.  

According to the Code of Federal Regulations, if this information was accessed without authorization, there is a reasonable expectation that the result would be “exceptionally grave damage to the national security.”  

Examples of “exceptionally grave damage” listed in the Code of Federal Regulations include: 

• Armed hostilities against the United States or its allies 
• Disruption of foreign relations vitally affecting national security 
• The compromise of vital national defense plans 
• The revelation of sensitive intelligence operations 
• The disclosure of scientific developments vital to national security 

Secret 
The second highest classification for governmental information is applied to sensitive information that requires “a substantial degree of protection” according to the Code of Federal Regulations, as unauthorized access to it could be reasonably expected to cause “serious damage to national security.”  

Examples of “serious damage” given in the Code of Federal Regulations include: 

• Disruption of foreign relations significantly affecting the national security 
• Significant impairment of a program or policy directly related to national security 
• Revelation of significant military plans or intelligence operations 
• Compromise of significant scientific or technological developments relating to national security 

Confidential 
Governmental information that is classified as confidential can reasonably expected to cause “damage to national security” in the event of unauthorized access. This information requires protection but not to the same level as secret and top-secret information. 

Examples of confidential information include: 

• The compromise of information that indicates the strength of ground, air, and naval forces in the United States and overseas areas 
• Operational and battle reports which contain information of value to the enemy 
• Intelligence reports 
• Documents and manuals containing technical information used for training, maintenance, and inspection of classified munitions of war 
• Research, development, production, and procurement of munitions of war 
• Performance characteristics, test data, design, and production data on munitions of war 
• Mobilization plans  
• Documents showing the meaning of code names or symbols used to refer to confidential information 
• Documents relating to special investigations, clearance, or assignment of personnel who will have knowledge of, or access to, classified information  
• Details pertaining to features of special shipping containers, routes, and schedules of shipments of confidential materials 

Protected Health Information (PHI) or Electronically Protected Health Information (ePHI)

PHI, or ePHI, is a type of sensitive information regulated by the US Health Insurance Portability and Accountability Act (HIPAA). It includes any medical information that can identify an individual or that is created, used, or disclosed while providing health care services. This includes any information related to a person’s medical, physical, or mental health that is recorded and stored in physical or digital records.  

Examples of PHI and ePHI include: 

• Appointments 
• Device identifiers and serial numbers 
• Health histories 
• Healthcare services provided  
• Lab or test results 
• Medical records 
• Medical bills 
• Patient forms 
• Prescriptions 
• Provider or patient communication records 

Education records

Educational information and records are considered sensitive information, and access by potential employers, publicly funded educational institutions, and foreign governments is strictly regulated.  

Examples of education records include: 

• Academic specializations and activities 
• Advising records 
• Awards conferred 
• Courses taken 
• Date and place of birth 
• Degrees earned 
• Disciplinary records 
• Documentation of attendance 
• Educational services received 
• Emergency contact information for parent and/or guardian  
• Grades and/or grade point average 
• Medical and health records that the school creates or collects and maintains 
• Number of course units in which the student is enrolled 
• Official letters regarding a student’s status in school 
• Parent and/or guardian addresses 
• Schedule 
• Schools attended 
• Special education records 
• Student email 
• Student’s identification code  
• Test scores 

Sensitive information vs personal information

Sensitive information	Personal information
A type of personal information that, if revealed, could leave an individual vulnerable to discrimination or harassment and can impact their livelihood, quality of life, or ability to participate in daily activities.	Personal information identifies an individual. It can be any piece of information that can be used to identify a living person with a fair degree of accuracy.
Examples of sensitive information are:  -Criminal history  -Political affiliations  -Race or ethnic origin  -Religion  -Sexual orientation  -Trade union or association memberships	Examples of personal information are:  -A home address  -A name and surname  -An email address  -An identification card number  -An internet protocol (IP) address  -Location data

Laws and regulations for sensitive information

Following are several laws and regulations that reference sensitive information and require protections for it. 

National laws

United States (U.S.) 

• Children’s Online Privacy Protection Act (COPPA)  
• Family Educational Rights and Privacy Act (FERPA)  
• Gramm-Leach-Bliley Act (GLBA)  
• Health Insurance Portability and Accountability Act (HIPAA)  
• U.S. Privacy Act of 1974 

International 

• Australian Federal Privacy Act  
• Australian Privacy Act and Sensitive Information 
• Brazil’s Lei Geral de Proteçao de Dados (LGPD)  
• Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) 
• Chile’s Law No. 19.628 Protection of Private Life  
• China’s data protection law, the Personal Information Protection Law (PIPL) 
• Egypt’s Personal Data Protection Law (PDPL) 
• European Union’s General Data Protection Regulation (GDPR) 
• Japan’s Act on Protection of Personal Information  
• Nigeria’s Data Protection Regulation (NDPR)  
• Thailand’s Personal Data Protection Act (PDPA)  
• UK’s Data Protection Act   

U.S. state laws that govern sensitive information 

• California Privacy Rights Act (CPRA), an amendment to the California Consumer Privacy Act (CCPA)  
• Colorado Privacy Act (CPA) 
• Connecticut Personal Data Privacy and Online Monitoring Act   
• Indiana Consumer Data Protection Act 
• Iowa Consumer Data Protection Act (ICDPA) 
• Maryland Online Consumer Protection Act  
• Massachusetts Data Privacy Law  
• Montana’s Consumer Data Privacy Act  
• New York Privacy Act  
• New York SHIELD Act (Stop Hacks and Improve Electronic Data Security Act) 
• Oregon Consumer Privacy Act (OCPA) 
• Tennessee Information Protection Act 
• Texas Data Privacy and Security Act (TDPSA)  
• Utah Consumer Privacy Act (UCPA)  
• Virginia Consumer Data Protection Act 

Key sensitive information-related categories included in laws and regulations

Following are specific items included in various U.S. laws and regulations that specify aspects of sensitive information handling. 

Biometrics    

• Allowing a consumer to opt out of the sale of biometric information 
• Developing a written policy regarding the collection or retention of biometric identifiers  
• Implementing a specific type of biometric (e.g., fingerprints, facial, voice, iris, and palm) 

Children’s online privacy 

• Prohibiting the collection of information about minor users for marketing purposes  
• Requiring operators of websites, online services, or applications to erase personal information about a minor if it has already been collected  

Connected devices (e.g., speakers, mobile phones, cameras, and video surveillance) 
May prohibit the following actions related to data captured with connected devices without an individual’s consent: 

• Collecting  
• Storing   
• Using 

Consumer rights 
Providing specific consumer rights related to their sensitive information and personal data, such as the right to: 

• Access—see any information about them that is stored
• Delete—request that any information about them be deleted 
• Correct—request that inaccurate information be updated 

Location privacy 

• Prohibiting the transfer or sale of consumer geolocation or global positioning system (GPS) data without permission  

Website privacy 

• Requiring an operator of a commercial website or online service that collects personally identifiable information to notify customers about its personal information-sharing practices  
• Requiring consent before sharing internet browser information 

Ensure protection of sensitive information with privacy by design

The protection of sensitive information is of paramount importance for the enterprise. Increasingly, organizations are adopting a Privacy by Design approach to protect sensitive information. This security approach integrates privacy into the implementation and deployment of all policies, systems, and devices.  

Privacy by Design helps organizations ensure the protection of sensitive information with seven core principles: 

1. Proactive, not reactive; preventive, not remedial 
2. Privacy as the default setting 
3. Privacy embedded into design  
4. Full functionality – positive-sum, not zero-sum  
5. End-to-end security—full lifecycle protection  
6. Visibility and transparency—keep it open  
7. Respect for user privacy—keep it user-centric  

Regardless of the approach, organizations must protect sensitive information to adhere to multiple regulations and laws and meet expectations for sensitive data protection.  

You might also be interested in: