Yes, physical disability is classified as sensitive personal information under every major privacy framework worldwide. It falls under the broader category of health data, which receives the highest level of legal protection. This means organizations that collect, store, or share information about someone’s physical disability face strict rules about how they handle it.
Why Disability Qualifies as Sensitive Data
Privacy laws don’t typically list “physical disability” as a standalone category of its own. Instead, it’s protected because it’s health information, and health data is universally recognized as sensitive. The EU’s General Data Protection Regulation (GDPR) prohibits processing “data concerning health” unless specific exceptions apply. The UK GDPR mirrors this, explicitly listing “physical or mental health data” among its special categories. In the United States, the HIPAA Privacy Rule protects all “individually identifiable health information,” which includes any information related to a person’s past, present, or future physical or mental health condition.
The scope of what counts as disability data is broader than you might expect. It’s not limited to a formal medical diagnosis. Under CDC definitions, disability information includes whether someone has serious difficulty walking or climbing stairs, serious difficulty seeing or hearing, difficulty dressing or bathing, or difficulty doing errands alone. Any record that captures these details, whether it’s a medical file, a workplace accommodation request, or even a note about someone using a mobility aid, can constitute sensitive personal information.
How Employers Must Handle Disability Information
In the workplace, the Americans with Disabilities Act (ADA) creates a specific confidentiality regime for disability data. Every piece of medical information an employer obtains, whether from a required medical exam, a voluntary wellness program, or something an employee discloses on their own, must be treated as a confidential medical record. This isn’t optional or best practice. It’s a legal requirement.
Employers must store disability-related records separately from general personnel files. Access is limited to a short list: supervisors and managers who need to know about work restrictions or accommodations, first aid and safety personnel when relevant, and government officials investigating ADA compliance. Employers may also share the information with workers’ compensation offices, insurance carriers, and healthcare professionals consulted about reasonable accommodations.
One rule that catches many employers off guard: if a supervisor knows about an employee’s disability and that employee applies for an internal transfer, the supervisor cannot share the medical information with the hiring manager for the new position. The confidentiality obligation follows the data, not the job.
Consent and Legal Grounds for Processing
Because disability data is classified as a special category under the GDPR, organizations generally cannot process it without a specific legal basis beyond the standard grounds that apply to ordinary personal data. The most common lawful basis is explicit consent, meaning the person must clearly and affirmatively agree to the processing of their health information for a stated purpose. A pre-ticked box or a buried clause in a terms-of-service agreement doesn’t meet this standard.
Other legal bases exist for specific situations. Employers can process disability data when it’s necessary to fulfill obligations under employment law, such as providing reasonable accommodations. Healthcare providers can process it for medical treatment. Public health authorities can process it for disease monitoring or public safety purposes. But outside these defined exceptions, organizations need clear, informed, freely given consent before they collect or use information about someone’s physical disability.
Under HIPAA in the U.S., covered entities (healthcare providers, health plans, and healthcare clearinghouses) must obtain a signed authorization before disclosing protected health information to third parties outside the treatment, payment, and healthcare operations context. The Social Security Administration, for example, uses a specific HIPAA-compliant authorization form when requesting medical records for disability benefit determinations.
Security Requirements for Disability Records
Organizations that hold disability-related data are expected to protect it with safeguards proportional to its sensitivity. The HIPAA Security Rule requires administrative, physical, and technical protections for electronic health information. These include restricting access so only authorized personnel can view the data (consistent with a “minimum necessary” standard), implementing transmission security to prevent interception during electronic transfers, and maintaining access controls on information systems.
The rule is deliberately flexible rather than prescriptive. A solo medical practice and a large hospital system face different risks and have different resources, so each must evaluate its own size, complexity, technical infrastructure, and the probability and severity of potential breaches when choosing specific security measures. What matters is that the protections are reasonable and appropriate for the risk level.
Under the GDPR, organizations processing health data on a large scale must complete a Data Protection Impact Assessment (DPIA) before they begin. A hospital launching a new database containing patient health records, for instance, would need to conduct this formal risk evaluation. The assessment identifies potential threats to individuals’ privacy and documents the safeguards in place to mitigate them.
Penalties for Mishandling Disability Data
The consequences for failing to protect disability information vary by jurisdiction but can be severe. Under the GDPR, violations involving special category data like health information can result in fines of up to €20 million or 4% of global annual revenue, whichever is higher.
In the United States, the enforcement landscape is more fragmented. Under the federal Privacy Act, a government employee who willfully discloses protected records faces misdemeanor charges and fines up to $5,000. The same penalty applies to anyone who knowingly obtains such records under false pretenses. HIPAA violations carry their own tiered penalty structure, with fines ranging from $100 per violation for unknowing breaches up to $50,000 per violation for willful neglect, with annual caps in the millions.
ADA confidentiality violations can result in enforcement actions by the Equal Employment Opportunity Commission, including compensatory damages, back pay, and injunctive relief requiring employers to change their practices. The financial exposure is real, but so is the reputational damage. Organizations that mishandle disability data face both legal liability and a serious erosion of trust from employees, patients, or customers whose information was compromised.
What This Means in Practice
If you collect any information that reveals a person’s physical disability, you are handling sensitive personal data. This includes formal medical records, accommodation requests, insurance claims referencing a health condition, survey responses about functional limitations, and even informal notes documenting that someone uses assistive equipment. The format doesn’t matter: electronic files, paper records, and verbal disclosures all receive the same protection.
For individuals, this classification gives you meaningful rights. Under the GDPR, you can request access to your disability data, ask for corrections, and in many cases demand deletion. Under HIPAA, you can request an accounting of who has accessed your health records. Under the ADA, you can expect that medical information you share with your employer stays locked away from people who don’t need it. If you discover that your disability information has been shared inappropriately, you have grounds to file a complaint with the relevant regulatory body, whether that’s a data protection authority in Europe or the EEOC in the United States.