Your organization may have standard definitions for data sensitivity included in a data policy or elsewhere. Data sensitivity definitions may also be found in applicable privacy or data protection legislation. In the absence of such guidance, any data that may put certain individuals, groups or organizations at risk of harm in a particular context should be considered sensitive. While personal data can categorically be considered sensitive, more nuanced issues arise for non-personal data. For example, locations of medical facilities in conflict settings can expose patients and staff to risk, while the same data would not necessarily be considered sensitive in a natural disaster response context.

In the health sector specifically, all identifiable data concerning health, factors influencing health (for example, cultural and socio-economic details) and the history of individuals are sensitive and must be handled with care and professionalism. In addition, any data (identifiable or not) that can be voluntarily or involuntarily misused against the interests of patients, potential patients, their family, groups or communities and/or health service providers or other humanitarian organizations and their staff, or put any of them at risk for political reasons, financial gain or any other reasons shall be treated as “highly sensitive” data. Even some seemingly non-sensitive data can be highly sensitive in certain contexts (for example, details of cholera outbreaks). Finally, the metadata generated as a ‘byproduct’ of data management can create a distinct set of risks, which should not be overlooked. For more information on the risks associated with metadata, see https://www.icrc.org/en/document/digital-trails-could-endanger-people-receiving-humanitarian-aid-icrc-and-privacy