NAALA | Not An Average Legal Advisor

Swiping before grabbing: unraveling consent for processing children's health data

By: Anne Sophie Dil & Amy Eikelenboom – Co-Founders at NAALA

Originally published in ICT&Health 04-2019.


They swipe before they can grasp: children are encountering technology at an increasingly early age. This holds true even in healthcare. Health applications can alleviate the anxiety of hospital visits for children and improve treatment adherence and knowledge about their condition. However, the growing use of technology in healthcare also leads to an increased processing of children’s health data. Processing such sensitive information brings elevated risks. To safeguard children in this regard, special rules have been established in the General Data Protection Regulation (GDPR).

Software developers of health apps offered outside of the treatment relationship often process data based on ‘consent’. Because it involves children, consent from the authorized parent or guardian is also required. In practice, this often proves to be an obstacle due to a lack of clarity on how to obtain consent.

For two driven privacy professionals working specifically in healthcare to foster compliance innovation, this sounds like a call for clarity. In this article, we translate the GDPR requirements for consent into practical solutions for health app developers (as data controllers of children’s health data).

While the Dutch Civil Code states that those who have not reached the age of eighteen are considered minors, according to the GDPR, you are already considered an adult at sixteen. Until then, under the GDPR, you are regarded as a child. Because children often cannot fully comprehend the consequences of processing their personal data, they are seen as a vulnerable group that requires additional protection. Therefore, (additional) specific rules apply to the processing of their personal data.

In this article, we focus and limit ourselves to the additional rules under the GDPR regarding obtaining consent for the processing of children’s personal data, including health data in health apps.

To protect children, it has been determined that consent from the authorized parent or guardian is required to rely on “consent as the basis for processing.” The adult who has authority over the child will typically be able to make a better decision on behalf of the child. This consent is valid only when freely given, specific, informed, unambiguous, and understandable. How does this fit into current practice?

  1. Specific consent is linked to the right to information, leading to informed consent. Prior to granting consent, the data subject must be informed about the processing of personal data, enabling them to make an informed decision and understand what they are agreeing to. This means that the information must be clear and understandable to the data subject (the child). The child must understand what happens to their personal data, who processes the data, why, etc., and the parent or guardian granting consent must also be aware of this. The information must be targeted towards that person as well.
  2. To provide this clarity, it is advisable for every provider of a health app for children to prepare a privacy statement for the child and a privacy statement and consent form for the parent or guardian. This way, the child can understand what it is about, and the authorized individual is informed and empowered to make an informed decision. The privacy statements and consent form should be made available before the child’s data is processed.
  3. Additionally, consent is valid only when the parent or guardian has been able to make a free choice, without the child being disadvantaged if consent is not given. Furthermore, consent must be sought for a specific processing purpose, not in general. Moreover, consent for the processing of health data must be “explicit.” This means that explicit confirmation of consent must be given through a direct statement, such as ticking a box saying “I give consent to…” at the bottom of a completed web form.
  4. Finally, it is important for the data controller (the software developer in this case) to be able to demonstrate that valid consent has been obtained. It should be verified whether the person granting consent had the authority to do so. In other words, did the respective person have authority over the child in question?

It is not easy to verify whether a health app is being used by a child. After all, not all children have their own identification documents. The European Article 29 Working Party [1] has indicated that appropriate checks should be conducted to verify if a user is indeed older than sixteen, as claimed by the user. If the user states that they are not yet sixteen, this can be accepted without further verification. In this case, the authorized parent or guardian must grant consent for the processing of the child’s personal data.

The GDPR stipulates that the data controller must make “reasonable efforts” to verify whether the authorized parent has given consent for the processing or has authorized the granting of consent. The Dutch Data Protection Authority has not yet provided clarity on how to fulfill this open norm.

To ensure that the authorized parent or guardian of the child has provided the required consent, it must be demonstrated that the relevant person is genuinely authorized to give consent for this purpose.

In theory, parental authority can be demonstrated with an extract from the public Authority Register or from the Personal Records Database (BRP). However, in practice, the Authority Register only contains judicial decisions regarding authority, so it shows nothing about authority that arises automatically, without a court decision. Additionally, an extract from the BRP can only be requested by legally authorized organizations. This means that developers of health apps do not have the right to obtain such extracts.

[1] The Article 29 Working Party was replaced by the European Data Protection Board (EDPB) under the General Data Protection Regulation (GDPR).

So, what is a practical solution that reasonably allows us to assume that the person who granted consent was authorized to do so? Requesting a copy of a passport is one option to verify this authorization, but it is only permitted in exceptional cases. If it is still desired to use a copy of an identity document for verification, the Citizen Service Number (BSN) and the passport photo on the identity document should be shielded, for example, by using the “KopieID” app provided by the Ministry of the Interior or by otherwise concealing the data.

The WP29 suggests asking the parent or guardian to make a payment of €0.01, including a brief confirmation in the transaction description that the holder of the bank account is the authorized parent or guardian of the child. Another method that does not require payment is an iDIN check, where individuals can use their own bank login credentials to verify their identity. Another example mentioned by the WP29 and the European Commission is conducting an email verification: an email is sent to the parent or guardian, requesting an explanation to confirm their parental responsibility.
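As an added illustration (not code from the article or from NAALA), the four consent requirements above and the age routing from the Working Party guidance can be encoded as a validation step in a privacy-by-design consent flow; the record fields, the check names and the sample records are assumptions constructed for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple

# Parental-responsibility checks the article lists (WP29 / European Commission).
ACCEPTED_PARENTAL_CHECKS = {"payment_0_01_eur", "idin", "email_confirmation", "masked_id_copy"}

@dataclass(frozen=True)
class ConsentRecord:
    """Hypothetical consent record for a children's health app (constructed; not a standard)."""
    purposes: Tuple[str, ...]           # specific processing purposes, never "everything"
    child_statement_shown: bool         # privacy statement written for the child
    parent_statement_shown: bool        # privacy statement and consent form for the parent/guardian
    statement_text: str                 # wording of the box the parent or guardian ticked
    box_ticked: bool
    parental_check: Optional[str]       # which parental-responsibility check succeeded, if any
    refusal_disadvantages_child: bool   # would the child lose care if consent were withheld?
    recorded_at: datetime               # when consent was captured, kept for demonstrability

def route_by_age_claim(claims_under_16: bool) -> str:
    """A claim of being under sixteen is accepted as stated and routed to the parental flow;
    a claim of sixteen or older must still pass an appropriate age check (WP29)."""
    return "parental_consent" if claims_under_16 else "age_check"

def consent_defects(rec: ConsentRecord) -> List[str]:
    """Reasons why this record would not demonstrate valid parental consent; empty means valid."""
    defects = []
    if not rec.purposes or any(p.strip().lower() in ("", "all", "any") for p in rec.purposes):
        defects.append("specific: consent must name the processing purposes")
    if not (rec.child_statement_shown and rec.parent_statement_shown):
        defects.append("informed: child and parent must each be informed before processing")
    if not (rec.box_ticked and rec.statement_text.lower().startswith("i give consent to")):
        defects.append("explicit: health data needs a ticked, direct consent statement")
    if rec.parental_check not in ACCEPTED_PARENTAL_CHECKS:
        defects.append("authority: parental responsibility not verified with a reasonable-effort check")
    if rec.refusal_disadvantages_child:
        defects.append("freely given: refusing consent must not disadvantage the child")
    if rec.recorded_at.tzinfo is None:
        defects.append("demonstrable: record a timezone-aware timestamp of when consent was given")
    return defects

def sample_records() -> Tuple[ConsentRecord, ConsentRecord]:
    """Constructed samples: a record that passes and one that fails six checks."""
    good = ConsentRecord(("symptom diary", "appointment reminders"), True, True,
                         "I give consent to the processing of my child's symptom diary", True,
                         "idin", False, datetime(2019, 9, 4, tzinfo=timezone.utc))
    bad = ConsentRecord(("all",), True, False, "By continuing you agree", False, None, True,
                        datetime(2019, 9, 4))
    return good, bad
```

The defect list is what the controller would have to resolve before processing starts, and the stored record is what it would produce when asked to demonstrate that valid consent was obtained.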

Recommendations

The youngest generation is growing up in a digital environment and is more adept with the internet than with pen and paper. This development should be embraced in healthcare. Technology in pediatric care offers opportunities to introduce this generation to solutions like remote monitoring and video consultations at an early stage. However, processing the health data of this vulnerable group carries a higher risk if it fails to comply with privacy and security laws and regulations.

To ensure that technological solutions, such as health apps, can be safely used by children, choices need to be made in the design of these solutions. In this article, we have outlined the obligations and possibilities regarding obtaining parental consent for the processing of children’s (health) data.

Finding the right and appropriate solution lies in adopting a privacy-by-design approach. By integrating privacy measures from the beginning of application development, privacy-by-design ensures that an app efficiently complies with the applicable laws and regulations when it goes live, without encountering delays later on.

For further insights on the protection of children’s personal data or if you seek expert consultation on practical solutions, we invite you to get in touch. Our team is here to provide comprehensive guidance and address your specific needs. Contact us today to ensure compliance and navigate the complex landscape of children’s health data processing.

Questions? We are happy to discuss your specific case.
