Processing children’s health data in hobby activities

Kuva: Kim Reuben, Unsplash

Processing children’s health data in hobby activities

Based on the initial survey of the GDPR4CHLDRN – ensuring data protection in hobbies project, people have questions about the processing of children's health data, especially data on allergies, in hobby activities. This article is meant to provide some guidelines for the appropriate processing of children's health data in hobby activities.

As a rule, processing children’s health data in hobby activities is permitted, provided that it stays within the limits provided for in data protection legislation.

What is health data?

According to the EU General Data Protection Regulation (GDPR), health data refers to personal data relating to a person’s physical or mental health.

Health data includes

  • information on an individual’s physical conditions, such as allergies and diabetes;
  • personal data relating to mental health;
  • information on a person’s medication; and
  • information on the provision of health services, if it gives information on the individual’s state of health.

When may health data be processed?

According to the GDPR, health data constitutes a special category of personal data, the processing of which requires a basis in the GDPR or other legislation. The GDPR states that the processing of health data may be permitted based on, for example, the data subject’s explicit consent. The “explicit” requirement refers to the manner in which the data subject expresses their consent. For example, explicit consent can be given by signing a written statement, or with an electronic signature or two-factor authentication.

In hobby activities, children’s health data are often obtained from the child’s custodian or other representative, or from the child themselves. Information on a child’s allergies, illnesses or medication is often essential for guaranteeing the child’s health and safety in hobby activities.

If health data is collected based on the consent of the child or their representative, the controller must only request health data necessary for the child’s health and safety. The controller should not collect data just in case or for possible future needs. For example, it is not permitted to collect data on food allergies if there is no appropriate basis for it at the time. The controller must be able to demonstrate that the child or their representative has given their explicit consent for processing the child’s health data.

More information on the requirements for consent is available on the Office of the Data Protection Ombudsman’s website.

Who is permitted to process health data in hobby activities?

The controller must specify who has the right to process the child’s health data. In hobby activities, those responsible for the child usually need access to such data.  For example, it may be essential for the child’s coach at a sports club to be aware of the child’s health information if it can ensure the child’s safety during the activity and let personnel react to possible symptoms of illness. Likewise, information on a child’s allergies can be important at camp or in similar situations where instructors are responsible for providing the child’s meals.

The controller must also specify who should not have a right to access health data. The controller has to ensure that health data is not disclosed to third parties. For example, other children in the same team or their parents do not, as a rule, have legitimate grounds for accessing a child’s health information. The disclosure of data always requires an appropriate legal basis.

How should health data be stored?

Storing personal data also constitutes processing. Factors such as appropriate security, including protection against unauthorised and unlawful processing, must be taken into account when storing personal data.

The security of personal data can be guaranteed by means such as securing the controller’s systems against web attacks or keeping physical devices or documents secure from access by outsiders. The required level of protection depends on the nature and volume of data being processed. For example, health data requires more effective protection as a special category of personal data.

The sensitive nature of the data and potential risks to the child caused by its disclosure must be taken into account, especially when storing the health data of underage children. Health data should be stored so that outsiders cannot gain access to it. The data may only be disclosed to those who need it.

When processing personal data, the controller also must evaluate the duration of its basis for storing the data. The controller must specify a storage period for the data it has collected and ensure that the data is erased when it is no longer necessary for the hobby activity. For example, children quitting the hobby has to be taken into account when defining the storage period. In order to prevent people who are no longer involved in the hobby activity from processing data without an appropriate legal basis, changes in staff must also be taken into consideration in the storage of personal data.

What else does the controller need to consider?

Some aspects that controllers need to consider when processing children’s health data have been highlighted above. In addition to the controller’s own activities, it must ensure that individuals involved in the hobby activity are aware of the requirements of data protection legislation and capable of processing personal data appropriately.

The controller should discuss matters involving the processing of a child’s health data also with the child’s custodian or other representative, so that they too are aware of how the child’s data is being processed. The GDPR gives everyone the right to know which data relating to them a controller is processing and how. Therefore, the children must also be informed of the processing of their personal data in a clear and intelligible manner.

Funded by the European Union. Views and opinions expressed are however those of the author(s) only and do not necessarily reflect those of the European Union or European Commission. Neither the European Union nor the granting authority can be held responsible for them.

Read next