The National Cyber Security Centre (NCSC) has released new guidance to help businesses understand and manage the risks of storing sensitive personal information (SPI).
If you hold data about individuals—clients, employees, or suppliers—it’s well worth checking if any of it qualifies as "sensitive" and whether you're doing enough to protect it.
🧐 What Counts as Sensitive Personal Information?
There’s no fixed legal definition of SPI—but the NCSC advises thinking in terms of risk.
Ask yourself: Would exposing this information cause harm, harassment, or prejudice to the individual?
🔎 Examples might include:
- Someone’s profession or job role
- Medical or personal characteristics
- Relationship status or beliefs

⚠️ What Are the Risks?
A cyberattack or accidental data leak involving SPI can carry serious consequences, including:
- Loss of client trust
- Business disruption
- ICO fines and penalties
- Legal claims
- Costly recovery time
🛡️ 9 Key Principles for Protecting Sensitive Data
NCSC recommends following these nine practical steps to reduce risk:
- Know what sensitive data you have and why it’s at risk
- Restrict access: only the right people should see it
- Track access: know who is viewing sensitive info
- Prevent misuse by setting limits on what users can do
- Avoid bundling too much sensitive data together
- Be careful when merging datasets, as SPI may be exposed
- Be cautious when sharing data externally or between systems
- Handle sensitive and non-sensitive data consistently
- Keep SPI access controls separate from standard access controls
✅ Final Thoughts
Cyber threats are on the rise, and protecting your data isn’t just good practice—it’s essential.
If your business holds any information that could put individuals at risk, now is a good time to review your data protection measures using the NCSC’s new guidance.