The General Data Protection Regulation (GDPR) and the Data Protection Act 2018 contain many provisions that relate to processing children’s data, but do they require dentists to treat children’s personal data any differently to personal data belonging to other patients?
According to the GDPR, children are ‘vulnerable individuals’. In Article 8, it tells us how consent should be obtained before children can access information society services. Recital 38 of the GDPR says that the use of child data in marketing, or for profiling purposes, are areas of concern.
Indeed, the Irish Data Protection Act 2018 says it is an offence to process the personal data of a child for the purposes of direct marketing, profiling or micro-targeting. GDPR Article 12.1 instructs that information addressed to a child should be in clear and plain language so the child can understand it.
There is not much in the clauses referenced above that requires dentists to process, store or protect children’s data differently to other patient data.
So, where do we need to treat children’s data with kid gloves?
GDPR grants individuals the right to access personal data that you hold about them. In the case of children, parents or guardians can request this information about their child.
Under current Irish law, following a separation or divorce, both parents remain the child’s legal guardian, even if the child is not living with them and they have not been awarded custody of the child.
A dental practice might become subject of complaints made to the Data Protection Commission if one or other guardian feels the practice either disclosed information to the other without authorisation or withheld access to information that the guardian might feel they had a right to access.
Most dentists will be aware that data privacy legislation requires obtaining explicit consent to use photos or other data that may identify an individual on websites or in the practice. If you have been using photos of child patients with parent’s consent, check if the child has reached the age of digital consent (16).
Consent given by a holder of parental responsibility to process personal data given prior to the age of digital consent will remain a valid ground for processing. On reaching the age of digital consent, the child can withdraw the consent, in line with GDPR Article 7.3. In accordance with the principles of fairness and accountability, you should inform the patient about this right.
Duty of care
I’ve been asked if contacting children, their parents or guardians to recommend fitted mouthguard protection during sporting seasons would be considered to be marketing activity requiring consent.
Providing this information to patients would be considered to be a duty of care to protect the patient and would not require marketing consent, but should be discontinued on request from the child or guardian.
This article was first published in the July 2019 issue of Irish Dentistry. Read more articles like this with a magazine subscription. Click here to subscribe or call 01923 851 777. Get in touch via Twitter @IrishDentistry or Facebook.com/IrishDentistry.