Categorisation of personal data as sensitive personal data
15. (1) The Central Government shall, in consultation with the Authority and the sectoral regulator concerned, notify such categories of personal data as “sensitive personal data”, having regard to
(a) the risk of significant harm that may be caused to the data principal by the processing of such category of personal data; (b) the expectation of confidentiality attached to such category of personal data;
(c) whether a significantly discernible class of data principals may suffer significant harm from the processing of such category of personal data; and
(d) the adequacy of protection afforded by ordinary provisions applicable to personal data. (2) The Authority may specify, by regulations, the additional safeguards or restrictions for the purposes of repeated, continuous or systematic collection of sensitive personal data for profiling of such personal data.