High-consequence data

High-consequence data

High-consequence data is personal or relational information whose exposure creates unusually severe, lasting, or hard-to-reverse harm. It is a practical risk category, not a replacement for legal definitions such as special-category data.

The category includes therapy notes, intimate images, location history, immigration and relocation records, biometrics, genetic data and family graphs, children’s photos and chats, and the identities of journalistic, legal, or advocacy contacts.

What makes data high-consequence

Several properties can converge:

  • it cannot be changed after disclosure
  • it exposes family, clients, patients, sources, or other people beyond the account holder
  • it can be used for blackmail, stalking, discrimination, retaliation, or physical targeting
  • the person cannot freely refuse collection
  • its meaning is intimate, stigmatizing, or easily misinterpreted out of context
  • it remains useful to an attacker or institution for years

The Vastaamo breach demonstrates the risk of intimate care records. The 23andMe incident demonstrates the relational and immutable character of genetic data. VTech demonstrates why children cannot meaningfully bear the long tail of a disclosure. These examples are synthesized in Case for privacy and security.

Design consequence

High-consequence data deserves a higher default bar: collect less, store it for less time, separate it from identity where possible, restrict access sharply, authenticate strongly, and test deletion, export, and breach response.

The question is not only whether a system is compliant. It is whether it turns a future breach, access request, or insider mistake into a life-changing event. Data minimization and Privacy product architecture provide the core design responses.

Sources

  1. 2026-07-12-justifications-caring-about-privacy-rights.pdf
  2. ico.org.uk
  3. tietosuoja.fi
  4. ohchr.org