Iceland's Data Protection Authority has ruled in a case in which Social Services complained about the sharing of personal information about the complainant and their child with the father of his eldest child. In this case, social services complained that the complainant's eldest child had sent a letter to the father of her and her three other children containing personal information about the complainant, including sensitive personal information (health information) and the full names and identification numbers of her other children.

The Data Protection Authority has concluded that the dissemination of sensitive personal information about the complainant is in accordance with the Law on Data Protection and Processing of Personal Data with regard to the content of the notification and the review of social services. Regarding the transmission of the names and identities of the complainant's other children to the father of the eldest child who does not have custody, the Data Protection Authority has concluded that the processing is not in accordance with the Data Protection and Personal Data Processing Law.

You can find the details of the news here.

Detailed News

The personal data of the mother, who was the person concerned, and her four children, were sent by a Social Services (data controller) of a municipality in Iceland in a letter containing information about the mother's suicide attempt, addiction problem, as well as the full names and social security numbers of all her children. shared with the father of the older child. The person concerned filed an objection, thinking that Social Services was not authorized to share this personal data.

In the response given by Social Services regarding the need to share relevant information under Icelandic Law; Article 21 of Law No. 80/2002 states that when child protection services receive information that a child's physical or mental health or development may be at risk due to the behavior of parents or others, they must investigate the matter and make a decision without delay. It is stated that it obliges the parents to notify the situation, and for these reasons, it is required by law to inform the father about the mother's suicide attempt and drug consumption habits. In addition, Social Services has acknowledged that sharing other children's information is not in compliance with data protection laws. However, it was claimed by the data controller that the father of the eldest child may have obtained this information in other ways, and it was argued that he could ask his child for example or could reach this information through the national registry.

The Icelandic Data Protection Authority states that the processing must comply with Article 9 as well as Article 6 of the GDPR, as the data subject is health data of suicide attempt and addiction problems and GDPR classifies health data as sensitive personal data. Considering its legal obligations under the Law No. /2002, it decided that Social Services was right to share information about the mother with the father. However, Social Services has held that sharing the names and social security numbers of the person's other children with the father of the eldest child, who does not have custody of the other children, violates the GDPR.