When someone’s personal data is being processed, they mainly have rights with regard to the organisation processing their data. For example, they have the right to be informed of how their personal data is being processed. If an organisation processes the personal data of a child or adolescent, it must take into account that the minor’s custodian may also have the right to exercise the minor’s rights on their behalf. On the other hand, minors also have the right to their own data, and their data should not be disclosed to their custodians in every case.
A child’s fundamental rights and the role of custodians in exercising them are easy to understand when you think about the right to maintenance, for example. Every child has the right to be cared for by their parents. Custodians are responsible for ensuring the adequate maintenance of their child.
A child’s right to maintenance and a child’s right to privacy are both fundamental rights, but different in nature. The fundamental right over personal data cannot be calculated mathematically like a child’s maintenance requirement.
A minor’s right to prohibit the disclosure of their personal data to their custodian
Let us illustrate a situation involving the protection of personal data through an imaginary example related to hobby activities.
Ville is going to his orienteering club’s summer camp, which falls on Ville’s 15th birthday. Ville is currently living with his father. Ville does not want the club to disclose his data and camp participation to his mother. He tells the orienteering club instructor that he has also prohibited the disclosure of his health care information to his mother.
What should the orienteering instructor do, when Ville’s mother contacts the instructor and asks for Ville’s information in her capacity of his other custodian? The club is aware that Ville’s parents have joint custody. As a rule, both parents thus have equal rights to data about Ville. However, several acts provide for a minor’s right to restrict their custodian’s right of access to the minor’s data. A child’s rights to decide on the use of their data also increase as the child grows in age and understanding.
In the case of health data, Ville’s physician would use the Act on the Status and Rights of Patients (section 9, subsection 2) as his starting point. If an underage patient is old and developed enough to decide on their own treatment, they have the right to prohibit the disclosure of information on their health and treatment to their custodian or other legal representative. The government proposal for the Act on the Status and Rights of Patients refers to the age of 12 years.
Therefore, the physician can fairly confidently refuse to disclose Ville’s information to his mother if the physician considers that Ville is capable of making that decision. Finding direct answers from legislation or legislative materials is not as easy for hobby organisers. The situation requires an on-the-spot decision taking into account the individual circumstances of the case.
What does the controller need to take into account if a child wants to prohibit the disclosure of their data to their custodian?
How would I approach the situation, if I were Ville’s orienteering instructor? Even though I am somewhat familiar with the legislation, in this example case, I am on an equal footing with everyone else, because no direct answer can be found in the law. One possibility could be to talk to the minor about their custodian having requested the disclosure of information prohibited by the minor. Care must be taken here, however, to avoid accidentally pressuring the young person into changing their opinion just because it would be more convenient for me.
So I have to try and resolve the situation based on the information available to me.
- I would look for other information on disclosing a minor’s data to their custodians. For example, I know that data from the Kanta health register is not visible to parents after a certain age. Examples of various scenarios are out there, even if you are unfamiliar with the legislation. Could such other scenarios offer guidelines for resolving the matter, even if they cannot provide a direct answer? I nevertheless remind myself to take care not to jump to conclusions because, for example, the disclosure of data from Kanta is governed by special legislation on the disclosure of minors’ personal data. No such special legislation is available for hobby activities.
- I would try to make the family agree on the flow of information between themselves. Custodians have the right to tell the other parent about matters involving their child, even if I came to the conclusion that I was unable to disclose the information to the custodian who requested it. Family relations can sometimes be so strained, however, that encouraging openness would do little good.
- I would weigh the negative consequences of disclosing and refusing to disclose the information. But I must remember to respect the young person’s fundamental right to their own data. If the parent’s only grounds for obtaining the information is curiosity, does the parent’s curiosity override the child’s fundamental right to privacy?
- I would decide whether or not to disclose the information requested and write down the grounds for my decision if necessary. I will need to consider the merits of the case at hand to be able to make a decision. I should weigh the factors in favour of and against disclosing the information, based on the information available to me.
As an orienteering instructor, I would start from the premise that Ville’s mother would be unlikely to suffer concrete harm if she does not get the information she requested. On the contrary, Ville can have a genuine need to keep some information from his mother. I may not have information on such a need, however, and I cannot ask Ville about it either.
Therefore, I would decide that I have to respect the opinion of Ville, who will soon turn 15, especially in view of his age. I could have decided differently if Ville’s mother had a concrete need for the information she requested.
As the person who has to make the decision, I would take into account the circumstances described in the example scenario and base my decision on the information available to me at the time, until possible new regulations, guidelines or legal practice becomes available. Questions involving the exercise of data protection rights must still be resolved and requests answered, whether made by the child themselves or their custodian.
One must be able to justify later why the information was disclosed or refused to disclose.
Every case is unique – remember to use your discretion
Had Ville been aged five or there been other weighty grounds on which the mother, as his custodian, would have needed the information, my decision could have been different. Time will tell whether future legal practice or guidelines issued by the authorities will have a n impact on the imaginary scenario I have described above. Similar situations are sure to come up in hobby activities around Finland.
The GDPR4CHLDRN – ensuring data protection in hobbies project creates practical materials for hobby clubs and associations to help them take the requirements of data protection legislation better into account in their activities.
The aim is that people processing personal data in hobby activities could, like the instructor at Ville’s orienteering club, resolve everyday situations cropping up in their activities independently with the project’s materials.
The GDPR4CHLDRN project provides information about the protection of personal data and data protection rights to children, young people and their parents. Materials targeted at them as well as icons that clarify concepts related to data protection will be developed in the project. In addition, a toolkit to support compliance with data protection legislation and its application will be created for associations and hobby clubs that organise hobby activities for children and young people.
- A two-year project that will end in August 2024.
- The project is funded by the Citizens, Equality, Rights and Values programme of the European Union.
- The project coordinator is the Office of the Data Protection Ombudsman, and its partner in the project is the TIEKE Finnish Information Society Development Centre.