When children have something crawling on their heads, many parents probably already suspect the dilemma: lice. This is an issue in kindergartens and schools across Germany, as children infect each other and entire classes or kindergarten groups can be affected. As soon as the treatment is finished, it starts all over again. In order to contain the spread of head lice, affected children are not allowed to enter the premises of the school or daycare center and are not allowed to take part in the facility’s activities in accordance with Section 34 Paragraph 1 Sentence 1 and Sentence 2 of the Infection Protection Act (IfSG).
What head lice have to do with data protection
The Thuringian State Commissioner for Data Protection and Information Security (TLfDI) has stated in his current activity report (6th activity report GDPR, section 2.11, as of June 2024, available). here) is now dealing with the question of whether, from the point of view of infection protection, a general query about a possible lice infestation is permissible under data protection law for those with custody. The background was a request from a primary school to all parents to state in writing in a reply letter whether their child was infested with lice and whether appropriate treatment had been carried out or whether the child was free of parasites or their eggs. The parents’ written answer should then be delivered discreetly to the school. Some parents expressed data protection concerns.
No requirement due to statutory reporting requirements
The TLfDI came to the conclusion that querying the school in the chosen form was inadmissible under data protection law due to the lack of a legal basis. First of all, it should be noted that the head lice infestation represents a health date within the meaning of Article 9 Paragraph 1 GDPR and therefore there must be a legal basis under Article 9 Paragraph 2 GDPR. In this context, the TLfDI recognizes that Article 9 Paragraph 2 Letter g of the GDPR in conjunction with Section 34 Paragraph 1 Sentence 2, Paragraphs 5 and 6 IfSG represents a legal basis for processing the date of “head lice infestation”, since the regulation, in addition to the ban on entry also provides for an obligation to report head lice infestations to the school or daycare center and for these in turn to the responsible health authority. Precisely because there is this legally regulated, proactive, immediate reporting obligation for the affected persons or their guardians, the TLfDI sees no need for the blanket query carried out by the school.
In addition, the TLfDI also criticizes the feasibility and therefore the suitability of the query, since the affected students are not allowed to enter the school and therefore cannot hand in the letter. At most, it would only be possible to submit it via a third person, which in turn would be problematic in terms of confidentiality.
Furthermore, the TLfDI does not consider it permissible to request negative information, meaning that there is no head lice infestation. He justifies this by saying that this information has no added value for the school and contradicts the principle of data economy, since the school is only required to report to the health department if there is a positive case of head runt. At most, the TLfDI considers the negative query to be permissible based on the informed and voluntary consent of the guardians.
In response to the relevant information from the TLfDI, the school in question finally decided to only inform those responsible for head lice in general about head lice infestation and treatment options and to point out the legal obligation to report to the school management.
Conclusion
From our perspective, the interpretation of the TLfDI is comprehensibly justified and takes into account the interests of the children affected without ignoring the infection process. Due to the proactive reporting requirement to the school management and the entry ban, the law already ensures that the lice infestation is contained as far as possible. The fact that this does not have to be recorded in writing in the reply letter reduces the risk of third parties gaining unauthorized knowledge of a child’s lice infestation. It also reduces the bureaucratic effort involved in setting up, as it would have to store the reply letters in a particularly access-protected manner and destroy them in accordance with data protection regulations when they are no longer intended.
