Since the POPIA regulates the processing of the personal information of minors, the following questions will continuously have to be answered when dealing with and processing minors' personal information:
- Am I allowed to collect the minor’s data?
- How do I collect the data of the minor?
- With whom may I share the collected data?
- May I share a minor’s data across borders?
WHO IS WHO?
We must establish and consider what a minor is and what their rights are. The POPIA defines a child as a natural person under the age of 18 years who is not legally competent, without the assistance of a competent person, to take any action or decision in respect of any matter concerning himself or herself. A competent person is defined as any person who is legally competent to consent to any action or decision being taken in respect of any matter concerning a child. It means the person must have parental responsibilities given to them in terms of the Children’s Act, namely a parent or legal guardian. If there is more than one legal guardian, either is entitled to consent to healthcare.
A healthcare practice may process the information of minors for the following reasons:
- A competent person's prior consent was obtained to process the minor’s personal information.
The practice should ensure that consent is provided voluntarily concerning specific care and that the practice can prove that the consent was well-informed. Once the child becomes an adult, consent should be obtained from the adult. However, consent should not be used as a justification for the processing of personal information under normal circumstances since the burden of proof lies with the practice of proving that all the conditions for consent are present. Therefore, the next condition should be used as a ground for the processing. (See the article “The pitfalls of consent” (https://www.goodx.healthcare/news/the-pitfalls-of-consent/).
- Processing the minor’s personal information is necessary for the establishment, exercise or defence of a right or obligation in law.
In terms of Section 28 of the Bill of Rights in our Constitution, it states that “every child has the right to basic nutrition, shelter, healthcare and social services, as well as the right to be protected from maltreatment, neglect, abuse or degradation.”
The following are examples of specific legislation that allows minors to consent to healthcare services without the parent's or legal guardians' consent, thus making them legally competent to consent to their own healthcare:
- Section 129 of the Children’s Act allows a minor child aged 12 may consent to medical treatment.
- Section 5 of the Choice on Termination of Pregnancy Act allows a minor girl of any age to consent to the termination of her pregnancy without the consent of her parents or legal guardians.
- Section 130 of the Children’s Act allows a minor child aged 12 to undergo an HIV test with just the minor’s consent.
- An emancipated minor is a minor under the age of 18 who is free from parental or legal guardian control and who can legally consent or refuse medical care without parental assistance.
It follows that the healthcare practice will have the right to process the minor’s personal information without the consent of a competent person. The practice can collect all necessary information to comply with the ethical rules of the HPCSA and other legislation.
- The personal information of the minor is being used for historical, statistical or research purposes.
It is important to take note of the requirements for this processing:
- The purpose of processing must serve a public interest, and the processing is necessary for the purpose concerned,
so in healthcare, it would be for the public’s health and safety
- It appears to be impossible or would involve a disproportionate effort to ask for consent, in which case the information may be processed
- Proper safeguards have been implemented to ensure the security of the personal information collected.
TRANSBORDER FLOW OF INFORMATION
If a child’s personal information is going to be transferred to a recipient in another country, the level of confidentiality and protection of that information must be adequate.
This means that the legislation in the country or an agreement with the recipient should be such that the security of the data can be maintained. Thus, information may be transferred, but the practice may have to demonstrate adequate safeguards.
As a result of the type of service that healthcare practitioners provide to the public, children’s personal information may be processed without much concern. The practice should document their legal justifications for processing the information and ensure that they keep proper processing records.