In Ireland, the role of the family in the Irish Constitution has always had a special place. In Article 41 (1.1) the Constitution sets out that:
“The State recognises the Family as the natural primary and fundamental unit group of Society, and as a moral institution possessing inalienable and imprescriptible rights, antecedent and superior to all positive law.”
In addition, Article 42A(2.1) acknowledges the duty of parents towards their children as regards their safety and welfare albeit by speaking about the State’s role when a parent fails in this regard.
Under the GDPR (Art 8.1), these duties of the parent to protect the safety and welfare of their child are also acknowledged. Where a child wishes to access information society services, the provider of these services must request consent from the ‘holder of parental responsibility over the child’ when the child is below the age of 16. These services are defined as:
“any service normally provided for remuneration, at a distance, by means of electronic equipment for the processing (including digital compression) and storage of data, and at the individual request of a recipient of a service”.
Given these duties of the parent, what are the obligations of an organisation when faced with a Subject Access Request made by a parent on behalf of their child?
SARs submitted by a parent/guardian
Having acknowledged the role of the parent or guardian in this particular case, the GDPR makes no further reference to the responsibility or authority of a parent or guardian, not even in Article 15.
This raises an interesting question for organisations who work with, and legitimately provide, services to children. Can a parent or guardian submit a Subject Access Request (SAR) on behalf of their child? It is logical that a parent or guardian needs to be aware of, and verify, the lawfulness of the processing of their child’s personal data in order to protect their child’s safety and welfare. This role of verification and the underpinning principle of accountability is precisely the purpose of a Subject Access Request (Recital 63).
There are differing opinions as to the right of a parent or guardian to submit a SAR with some reiterating that Art 15(1) makes it clear that it is the Data Subject who shall have the right to obtain from the Controller confirmation of the processing of their data and other relevant information. Because of this some organisations refuse any third-party SARs except where there is a legal representative or publicly elected official known to be acting on behalf of the Data Subject as permitted under the 2018 Act.
Others will, where possible, revert back to the child and ask their permission to provide the data requested. This is the approach taken by several universities whose students could technically be children (under 18 as defined by the Child Care Act 1991 and the Children Act 2001) but who obviously have the capacity to act in their own right.
For schools who would deal with younger children, they have the benefit of operating under other pieces of legislation, including the Education Act 1998 (as amended). Under this Act parents/guardians of children under the age of 18 years are statutorily entitled to information relating to their child’s educational progress. The 1998 Act also helpfully sets out who exactly can exercise these parental rights. The majority of parent’s queries can usually be answered under this legislation, but it would not cover exactly the same data technically accessible under a SAR.
In relation to the Freedom of Information Act, the Office of the Information Commissioner released an interesting guidance note, no 37. Where requests are made to a public body by a parent or guardian for information relating to their child, the Commissioner makes clear the welfare of the child is the ultimate parameter and that (following a Supreme Court Decision relating to a child’s medical records) a parent / guardian has rights and duties in relation to their child. It is to be presumed that his or her actions in requesting their child’s data are in accordance with the best interests of the child. The Supreme Court made clear that this presumption while not absolute is fundamental.
In light of this lack of specificity under the GDPR, the Data Protection Commission (DPC) has opened a public consultation on the Processing of Children’s Personal Data and the Rights of Children as Data Subjects. To date, it has received more than 80 submissions which the DPC is considering. Until the results of the consultation and any resulting advice are released later in the year there are some core steps organisations would be advised to take.
Steps to take
Organisations should author a policy, approved by their Board, which sets out how the organisation will address a) Subject Access Requests in general, b) Subject Access requests received by children including any duty of care towards the child which will be dependent on the nature of the personal information processed, c) Subject Access Requests received from third parties including parents.
In considering the latter, the following considerations, as recommended by the DPC, need to be addressed when coming to a decision whether to reply:
- the child’s level of maturity and their ability to make decisions regarding their personal data;
- the nature of the personal data being requested;
- any court orders relating to parental access or responsibility
that may apply;
- any duty of confidence owed to the child or young person;
- any consequences of allowing those with parental responsibility access to the child’s or young person’s information. (This is particularly
important if there have been allegations of abuse or ill-treatment);
- any detriment to the child or young person if individuals with
parental responsibility cannot access this information; and
- any views the child or young person has on whether their parents should have access to information about them.
The policy should also indicate how any exceptions might be handled such as where a child has limited capacity either because of age, illness or other special circumstances. In cases where there is any doubt, the organisation should request guidance from their DPO, where one has been appointed, and document the logic of any decision made. Advice from the DPC may also be sought.
Trilateral’s advisors can assist with the authoring of such policies and support organisations where guidance is needed on particular cases.
For more information please refer to our service pages or contact our Data Governance team: