Under GDPR, children benefit from all the same protections as adults in respect of their personal data. However, organisations must take particular care in respect of processing the personal data of children, a child being a person under the age of eighteen years.
The digital age of consent in Ireland is 16 years. Prior to that age, a child does not have the legal capacity to sign up to online services without parental consent. This does not prevent children from using the internet, but rather from giving their consent to the collection of their personal data. A parent or guardian may give consent on their behalf in some circumstances. And where the lawful basis of processing is something other than consent, the processing can proceed with clear explanations given in plain language.
While children remain the owners of their personal data in all circumstances, GDPR does not state that they are legally capable of exercising their own rights. In general, a parent or guardian is the person who should exercise a legal right on behalf of a child. In the majority of cases, a parent or guardian must then make subject access requests on behalf of a child or provide their authorisation for the child to do so. In certain cases, it may not be in the best interests of the child to provide either them or indeed their guardian with the personal data of the child.
Subject access requests in respect of a child’s data may be utilised by conflicting parents in family law disputes and/or in situations where there may be child protection concerns, as was the case which led to Tusla being subjected to fines by the DPC. Where the rights and freedoms of the child or other persons may be prejudiced by compliance with a SAR, it is important that the SAR Procedure of the organisation allows risk assessment and increased scrutiny of the data disclosed, and appropriate redactions and limitations.
There is there is a limitation on the exercise of the right of access to data where the rights and freedoms of others are impacted. In such cases, efforts should be made to comply as far as possible without prejudicing the rights or freedoms of the child or other persons.
A pre-GDPR case involved a finding by the DPC that a sports club was correct in redacting the address of a child in responding to the subject access request made by a parent in circumstances where disclosure would have necessarily disclosed the address of a third party who was listed as an emergency contact for the child.
All complicated subject access requests should be examined on a case to case basis and consideration should be given to whether the request should be complied with in full, with redactions or possibly not at all.
The above is provided for information purposes and is not intended as legal advice. We, at Fitzsimons Redmond, would be happy to discuss with you any specific concerns you have about your obligations in respect of processing the personal data of children. Please contact us on 01-676 3257.
By Lisa Quinn O’Flaherty Solicitor at Fitzsimons Redmond