Responding to subject access requests can present a variety of challenges for data controllers. In particular, managing such requests on behalf of children without clear precedent can prove to be challenging. The rights of the child are covered in part within the text of Regulation (EU) 2016/679 (‘GDPR’). However, how these rights should be managed has not been addressed in full. The Irish Data Protection Commission is currently undertaking a public consultation in this area. While the outcomes of this consultation are not yet available to the public, some precedent has been recently set by the Hellenic Data Protection Authority. This article covers the key takeaways from this recent judgement and the additional guidelines that are necessary to consider when responding to subject access requests involving personal data which relates to a child.
Judgement
In March 2020, the Hellenic Data Protection Authority imposed a fine of €8000 against the Speech and Special Education Centre Mihou Dimitra. This fine was levied against the centre for their refusal of a subject access request (€3000) and the failure to act on the instruction of the supervisory authority to provide these records (€5000).
In this case, the father of the child submitted a subject access request to the controller on the child’s behalf. This request was refused in its entirety on the basis that the parent applying for the data was a former partner of the child’s birth mother. The controller cited the status of the custody of the child as a key factor behind the rationale for their refusal of this request. The Hellenic Data Protection Authority ruled that this was not a sufficient basis to refuse the provision of the personal data to the father.
Further considerations
The outcome of this ruling should not be taken as a blanket authorisation to provide a child’s data to each parent when requested. The processing of subject access requests on behalf of the child presents further complex considerations. The Information Commissioner’s Office (ICO) in the UK advises that the following aspects should be taken into account when responding to an access request pertaining to a child:
- Where possible, the child’s level of maturity and their ability to make their own decisions;
- The nature of the personal data;
- Any court orders relating to parental access or responsibility that may apply;
- Any duty of confidence owed to the child or young person;
- Any consequences of allowing those with parental responsibility access to exercise the child’s rights. This is particularly important if there have been allegations of abuse or ill treatment;
- Any detriment to the child or young person if individuals with parental responsibility cannot access this information; and
- Any views the child or young person has on whether their parents should have access to information about them.
When handling access requests on behalf of children, a holistic view of harm must be attempted, taking into consideration the wider context of child protection as well as the protection of rights and freedoms in the context of personal data. The ICO recommends that both the potential impact on the child receiving the data and the potential harm that may be caused by the requester on receipt of this information are considered. This is particularly important where potential harm may arise from the disclosure of an allegation made by the child or the disclosure of information relating to the whereabouts of that child that would ordinarily be restricted from the parent due to the risk of harm. Where such harm is suspected, the relevant child protection services should be consulted before taking any further action. As per Recital 38 of the GDPR, children merit specific protection with regard to their personal data. The processing of any personal data relating to the child must always be treated with careful consideration.
In a nutshell
This fine imposed by the Hellenic Data Protection Authority illustrates the importance of documenting a detailed assessment of risk to justify the refusal of a subject access request made by a parent on behalf of their child. This case shows that, irrespective of the right to custody, either parent may still assist the child in the fulfilment of their rights as a data subject.
The approach set by supervisory authorities and the courts should be taken into consideration when conducting your next policy review in relation to the handling of data subject requests relating to children. We anticipate further rulings in this area along with specific guidance from supervisory authorities which should provide increased clarity on how the rights of the child can be managed adequately.
Where subject access requests relate to a child, careful consideration must be given when responding to such a request. Seek advice from your Data Protection Officer and from your supervisory authority where necessary.
If you need advice on managing complex subject access requests, our experts are here to assist with all aspects of your data protection compliance, from policy reviews to workable solutions. Contact our Data Governance and Cyber-Risk team for more information.