The new DPC website is currently under construction. Our latest guidance in relation to GDPR, which comes into effect on 25th May, 2018, can be found at gdprandyou.ie and via pages on this website starting with "NEW" as per the navigation pane on the left. All other material on this site relates to the previous legislative regime under the Data Protection Acts 1988-2003 ("the Acts"). While the Acts may continue to apply in some circumstances, as of 25th May, 2018 the GDPR is the primary piece of legislation governing data protection.

Data Protection Commission

Age of Consent

The minimum age at which a person can give consent to having their personal data processed is not specified in the Data Protection Acts.

Section 2A(1) of the Acts provides that, where a person, by reason of his or her physical or mental incapacity or age, is or is likely to be unable to appreciate the nature and effect of giving consent, such consent may be given by a parent or guardian or a grandparent, uncle, aunt, brother or sister of the person, provided that the giving of such consent is not prohibited by law.

Where a person is under the age of majority (18), the Acts require the data controller to make a judgement on whether the young person can appreciate the implications of giving consent. 

The consent provisions laid down by law can provide helpful guidance to data controllers. In the medical area, the Non-Fatal Offences Against the Person Act, 1997 (Section 23) provides that a minor who has reached the age of 16 can give consent to medical treatment. It would therefore be reasonable to conclude that a young person of 16 or above could give consent to the processing of their medical data. For a person under that age, Managing and Protecting the Privacy of Personal Health Information in Irish General Practice provides useful guidance. It suggests that, where the individual is under 16, consent may still be given, but that this requires that the medical practitioner involved assess whether the young person has the maturity to understand and make their own decisions about the handling of their personal health information. In relation to the right of access to health data, it recommends that the general practitioner use professional judgement, on a case-by-case basis, on whether the entitlement to access should be exercisable by (i) the individual alone, (ii) a parent or guardian alone, or (iii) both jointly. In making a decision, it suggests that particular regard should be had to the maturity of the young person concerned and his or her best interests. This guidance on the exercise of the right of access could also usefully be applied in other contexts.

Where marketing to young people is involved, including via the Internet, a person under 18 could be expected to understand the implications of giving consent in suitable cases. A company in this area would need to consider if, for example, a 13-14 year old could be expected to understand the implications of giving consent to processing of their personal data in order to avail of a particular product or service. Otherwise, the consent of a parent or guardian should be obtained and suitable authentication measures adopted to make sure that such consent is genuine.

In the education area, the rights of parents are given strong protection in the Constitution and in legislation. It would therefore be prudent for a school to obtain the consent of a student's parents or guardians to the processing of personal data concerning her or him, unless the processing is required by law or is self-evidently necessary (for example, the keeping of attendance and other routine student records).