Access and Privacy Rights of Minors Online
On May 3, 2016, our office posted to our website a blog titled “Who Signs for a Child?” Though the focus of that blog was on who can sign for a child under the age of 18 years, the following advice on mature minors was offered:
FOIP and LA FOIP do not contemplate the child asking for his or her personal information. But when children get to the age of what may be considered a mature minor, heads should use their discretion to provide the personal information if the child “understands the nature of the right or power and the consequences of exercising the right or power.” Heads should also look to their governing legislation to see if the Legislative Assembly has provided direction on the rights of the child.
HIPA does contemplate an individual under 18 years of age exercising a right under the Act such as requesting his or her personal information. When such a request is made, it is up to the trustee to determine whether the individual understands the nature of the right or power and the consequences of exercising the right or power.
What further complicates matters is when services being offered to children and adolescents move to the online world. How are access and privacy rights impacted?
Although there do not appear to be any global rules on children’s consent under the new General Data Protection Regulation (GDPR), Article 8 speaks to children’s consent for ‘information society services’ (services requested and delivered over the internet). It appears that for most services provided to children, parental consent for those under 16 is needed unless otherwise set by Member States. If the service is offered online, age-verification measures and reasonable efforts to verify parental responsibility for those under the relevant age are a must.
In an interesting decision, PIPEDA Report of Finding #2014-011, dealing with an investigation involving a website aimed at children between 6 and 13 years of age, the Privacy Commissioner of Canada’s office commented as follows:
112. The consent provisions of PIPEDA do not expressly speak to age-based consent. Principle 4.3 states that the knowledge and consent of an individual are required for the collection, use and disclosure of personal information. Principle 4.3.2 requires organizations to ensure that individuals are advised of the purposes for which the information will be used and that consent obtained from individuals is meaningful. Meaningful consent means that the individual concerned can reasonably understand how the information will be used or disclosed prior to providing consent.
113. Meaningful consent becomes a more difficult notion where personal information is being sought from children. Can a child reasonably understand what they are being asked to consent to?
114. Principle 4.3.6 of Schedule 1 states that consent can be given by an authorized representative (such as a legal guardian or a person having a power of attorney). However, it does not specify under what circumstances this can or should occur.
115. In PIPEDA Report of Findings #2012-001, we recognized that there was value in users of a Canadian social networking website aimed at teenagers and young adults involving their parents in their online transactions. However, we concluded that PIPEDA did not require parents to provide consent on behalf of their teenager in the context of that website. We concluded in that case that in order to ensure meaningful consent was obtained, the information handling practices of the organization had to be explained in such a way that its teenage users could understand how their personal information would be handled by the website.
116. Ganz’s Website is aimed at children under 13, a younger demographic group than the one at issue in PIPEDA Report of Findings: #2012-001. Children under the age of 13 have arguably a less sophisticated understanding of online marketing and social media interactions.
…
122. We considered it questionable as to whether a child under the age of thirteen opening an account would be able to find this provision in the User Agreement, understand the text, and act accordingly.
Canada Health Infoway has done some work in this area specifically examining adolescent access to PHI in a number of publications including Consumer Health Solutions – Pandora’s Box Adolescent Access to Digital Health Records – Research Summary dated August 2016. In its Executive Summary it states, “Outside of Quebec, statutes do not set an age requirement for a person to access their own PHI, to consent to the collection, use and disclosure of their PHI or to consent to treatment. However, there are other requirements to exercise the rights, such as knowledge, capacity or maturity.” Later it is stated, “the general rule is that a contract cannot be enforced against a minor (although there are exceptions).”
How do you cover your bases? The Privacy Commissioner of Canada offers good advice when dealing with kids online in Collecting from kids? Ten tips for services aimed at children and youth, as follows:
Make clear who is agreeing to terms and conditions. The ubiquitous “I have read and agree to the Terms and Conditions and Privacy Policy” checkbox on registration forms poses an additional difficulty when your users are youth. Is your organization asking the user to agree to these terms, or his or her parent/guardian? Remember, with younger children, the former is not possible given the need for meaningful consent. Moreover, if it is the latter, you must also ask yourself how you are ensuring that the parent/guardian has actually been involved in the process. The answer to these questions needs to be clear to, and consistent between, both you and your users.
Now that we are moving to online access to PHI through patient portals, what, if any, limits should be set as to the age of those who can log in and get direct access to their own PHI? Is accepting any associated terms and conditions akin to entering a contract? Our office has not yet had to offer any formal views on the particular issue. We will have to wait and see.