Innogen · Publications · Journal articles
When can the child speak for herself? The limits of parental consent in data protection law
Medical Law Review
Draft regulatory guidance suggests that if the processing of a child’s personal data begins with the consent of a parent, then there is a need to find and defend an enduring consent through the child’s growing capacity and on to their maturity. We consider the implications for health research of the UK Information Commissioner’s Office’s (ICO) suggestion that the relevant test for maturity is the Gillick test, originally developed in the context of medical treatment. Noting the significance of the welfare principle to this test, we examine the implications for the responsibilities of a parent to act as proxy for their child. We argue, contrary to draft ICO guidance, that a data controller might legitimately continue to rely upon parental consent as a legal basis for processing after a child is old enough to provide her own consent. Nevertheless, we conclude that data controllers should develop strategies to seek fresh consent from children as soon as practicable after the data controller has reason to believe they are mature enough to consent independently. Techniques for effective communication, recommended to address challenges associated with Big Data analytics, might have a role here in addressing the dynamic relationship between data subject and processing. Ultimately, we suggest that fair and lawful processing of a child’s data will be dependent upon data controllers taking seriously the truism that consent is ongoing, rather than a one-time event: the core associated responsibility is to continue to communicate with a data subject regarding the processing of personal data.