About us
Learn how GA4GH helps expand responsible genomic data use to benefit human health.
GA4GH Policy Brief: children’s data protection and genomic research (part 1: general considerations)
23 Jan 2025
Part one of this two-part Policy Brief discusses general considerations related to protecting children’s genomic and health data under the General Data Protection Regulation (GDPR). This brief is published as part of the GA4GH Health Data Sharing, Privacy, and Regulatory Forum’s work to explore laws and regulations that have an impact on genomic and related health data sharing.
By Michael J. S. Beauvais
Today’s children have data generated about almost all aspects of their lives. At birth, the medical record includes the results of newborn screening (NBS) programmes that search for asymptomatic children at risk for treatable conditions. In the future, NBS will increasingly be collecting genomic data for those purposes.
These data pose important questions about the child’s privacy and about data governance more broadly. Children have privacy rights in international human rights law under the Convention on the Rights of the Child and the International Covenant on Civil and Political Rights, in regional law under instruments such as the Charter of Fundamental Rights of the European Union, and further specified in national (domestic) data protection laws like the European Union’s General Data Protection Regulation (GDPR), the US’s Health Insurance Portability and Accountability Act (HIPAA), Canada’s federal Personal Information Protection and Electronic Documents Act (PIPEDA), and so on.
Focusing on the GDPR, part one of this brief details certain fundamental aspects of processing children’s personal data for genomic and health-related research purposes. Part two of this brief will discuss issues regarding lawful bases for data processing and children.
Let us first address the question of who is a child according to the GDPR. Under the GDPR, a child is a minor — a person who is younger than the age of majority as specified in national law. Thus even a “competent” or “mature” minor (i.e. a child who demonstrates sufficient rational capacities for a specific decision) remains a child for GDPR purposes. The picture is a bit more complicated as additional rules may apply with different legal bases (see the next brief).
If there is a general rule for children’s data protection, it is that greater safeguards and care are required throughout the data processing lifecycle. The fact that one is processing children’s data implicates various obligations under the GDPR.
Best interests of the child
The best interests of the child is meant to guide decision-making when there are multiple ways to further a child’s rights and when there might be a conflict among the child’s rights (e.g. health versus privacy, health versus “being heard”). As is the case with the ethical design and conduct of research involving children, the best interests of the child should be a primary concern in all decisions in data processing.
A decision must be considered to be in the best interests of the child, which, according to the United Nations (UN) Committee on the Rights of the Child, is “adjusted and defined on an individual basis, according to the specific situation of the child or children concerned, taking into consideration their personal context, situation, and needs.” Building off of authoritative guidance from the UN Committee on the Rights of the Child, defining the way in which a child’s best interests are to be determined is a matter for national (domestic) law. The research team cannot make its own determination according to its own methodologies. While ethics may propose a particular way of understanding a child’s best interests, the starting point is national legislation, regulations, case law (judicial decisions), and other applicable laws that define the best interests. Failing that, looking to the Convention on the Rights of the Child and guidance from the UN Committee on the Rights of the Child are starting points. Depending on how open-ended the definition and likely included factors are, ethical understandings of the best interests may still play a role.
Children as vulnerable data subjects
The preamble to the GDPR indicates that children are vulnerable data subjects and that additional care is needed in processing their data. A number of concerns flow from this. Information given as part of a controller’s transparency obligations should be adapted to the child’s understanding. Likewise, any eventual code of conduct must specify how children’s data are handled and how the child’s legally authorised representatives are involved in consent.
Data protection authorities have demonstrated a willingness to take children’s vulnerability into consideration when interpreting and enforcing data protection law. For example, the Danish data protection supervisory authority has cited children’s vulnerability in its ordering of a municipality to stop using Google services in its primary schools. In a similar vein, the European Data Protection Board advises that Member States consider the child’s vulnerability when imposing restrictions on the right to object. Effectively, the consideration for a child’s vulnerability means that increased procedural, substantive, organisational, and technical safeguards are merited at every stage in the data processing lifecycle.
The GDPR recognises that children’s claims to either have their data rectified or deleted are more robust than those of adult data subjects, and in human genomic research, this is no different. The more robust claim to have data deleted poses questions about data retention. The question of retention can be a difficult one because hypothetically shorter retention may better suit the child’s privacy interests, but those data may be of significant scientific value, representing a unique point in time as the child undergoes many physiological changes. Nevertheless, the scientific or clinical utility of the data does not intrinsically justify retention: the data must be considered in relation to the purposes for which they are processed and the best interests of the child remain a primary consideration. For example, if phenotypic data are unique in time but wholly unrelated to the types of research for which data are processed, there is a lack of legal justification for retaining the data. The approach here works in tandem with the ethical right of a child to an “open future”, which aims to preserve a child’s ability to make meaningful decisions later in life when the child is not yet in a position to do so.
Further reading
Council of Europe -The best interests of the child – A dialogue between theory and practice (2016)
Relevant provisions
Convention on the Rights of the Child — articles 3, 12, 16
Charter of Fundamental Rights of the European Union — articles 7, 8, 24
General Data Protection Regulation — recitals 38, 58, 75; articles 12, 23, 40
Michael J. S. Beauvais is a doctoral candidate at the University of Toronto’s Faculty of Law.
Related Work Streams
