Age of Consent
The minimum age at which a person can give consent to having their personal data processed is not specified in the Data Protection Acts.
Section 2A(1) of the Acts provides that, where a person by reason of his or her physical or mental incapacity or age, is or is likely to be unable to appreciate the nature and effect of giving consent, such consent may be given by a parent or guardian or a grandparent, uncle, aunt, brother or sister of the person provided that the giving of such consent is not prohibited by law.
Where a person is under the age of majority (18), the Acts require the data controller to make a judgement on whether the young person can appreciate the implications of giving consent.
The consent provisions laid down by law can provide helpful guidance to data controllers. In the medical area, the Non-Fatal Offences Against the Person Act, 1997 (Section 23) provides that a minor who has reached the age of 16 can give consent to medical treatment. It would therefore be reasonable to conclude that a young person of 16 or above could give consent to the processing of their medical data. For a person under that age, Managing and Protecting the Privacy of Personal Health Information in Irish General Practice provides useful guidance. It suggests that, where the individual is under 16, consent may still be given, but that this requires that the medical practitioner involved assess whether the young person has the maturity to understand and make their own decisions about the handling of their personal health information. In relation to the right of access to health data, it recommends that the general practitioner use professional judgement on a case by case basis, on whether the entitlement to access should be exercisable by (i) the individual alone, (ii) a parent or guardian alone, or (iii) both jointly. In making a decision, it suggests that particular regard should be had to the maturity of the young person concerned and his or her best interests. This guidance on the exercise of the right of access could also usefully be applied in other contexts.
Where marketing to young people is involved – including via the Internet - a person under 18 could be expected to understand the implications of giving consent in suitable cases. A company in this area would need to consider if, for example, a 13-14 year old could be expected to understand the implications of giving consent to processing of their personal data in order to avail of a particular product or service. Otherwise, the consent of a parent or guardian should be obtained and suitable authentication measures adopted to make sure that such consent is genuine.
In the education area, the rights of parents are given strong protection in the Constitution and in legislation. It would therefore be prudent for a school to obtain the consent of a student's parents or guardians to the processing of personal data concerning her or him, unless the processing is required by law or is self-evidently necessary (for example, the keeping of attendance and other routine student records).