Latest News & Insights

Athentic Consulting’s team of experienced experts brings you the
latest news and insights in law and regulations.

How to Collect Food Allergy Information in compliance with PDPA

Have you ever wondered if food allergy information falls under the category of sensitive personal data? If it does, how should this information be collected according to PDPA? More importantly, do you always need consent before collecting this information?

Since eating is a daily routine, especially in today's world where dining out is often easier than cooking at home, food and beverage business operators who care about customer safety find it difficult to avoid accessing food allergy information. However, if consent must be obtained every time, customers may experience consent fatigue, leading to a poor service experience and eventually to a refusal to give any consent at all. This would ultimately impact the business operations of data controllers.

Food allergies are a mechanism of the human immune system that creates immunoglobulin E (IgE) after allergen-triggering foods are consumed for the first time. When the same food is consumed again, it triggers the IgE to release chemicals that cause allergic reactions. These chemicals can cause physical symptoms, ranging from mild to severe, such as itching in the throat or mouth, a swollen nose, swollen eyelids, or tightness in the chest and difficulty breathing. Food allergies can be diagnosed through various medical methods.

Given the definition and diagnostic methods, food allergy is considered a medical condition and is also a common chronic condition. Statistical studies indicate that in the United States, more than 33 million individuals suffer from food allergies out of a total population of approximately 340 million. This translates to roughly one in every ten people experiencing food allergies. As a result, the volume of food allergy-related data that needs to be collected is substantial. Moreover, since such data is considered sensitive and subject to special legal protections, the requirements for ensuring both privacy and security are significantly heightened.

Is Food Allergy Considered "Sensitive Personal Data"?

Since food allergies are classified as a medical condition, they might be interpreted as "Data Concerning Health," which is a type of sensitive data under Section 26 of Thailand’s Personal Data Protection Act, B.E. 2562 (2019). However, as there are currently no subordinate regulations or official interpretations defining the scope of "health data" under Thai law, reference may be made to foreign legal frameworks. Internationally, health data is often broadly defined to encompass personal data related to an individual’s physical or mental health, as well as healthcare services that reveal the health status of the data subject, whether past, present, or future. Notably, the UK’s Information Commissioner’s Office (ICO) has clarified that health data is not limited to specific details about diseases, medical tests, or treatments. It also includes any information revealing a person’s health condition, such as data on injuries, disabilities, disease risk factors, medical opinions, clinical treatments, health assessments, test results, data from medical devices, health tracking information (e.g., from fitness trackers), and medical appointments.

Therefore, at this time it can be concluded that “Food Allergy” constitutes data concerning health, which is a type of sensitive personal data. Undeniably, because it is sensitive data under Section 26 of the PDPA, data controllers have additional responsibilities before collecting, using, storing, or disclosing such information. The following are the necessary steps to ensure the proper protection of food allergy information in compliance with the PDPA:

1. Prepare a Record of Processing Activities (RoPA) for activities related to "Food Allergy Information" to determine the legal basis and confirm whether consent is required.

Cases where consent is not required: consent may not be required in certain cases where legal exceptions apply. For example, an exception may apply if the processing is necessary to prevent or suppress dangers to the life, body, or health of an individual who is unable to provide consent for any reason, as stated in Section 26(1) of the PDPA.

Additionally, consent may not be required when processing is necessary for compliance with legal obligations to achieve purposes related to medical diagnosis, healthcare services, medical treatment, or health management, as provided under Section 26(5)(a) of the PDPA.

Cases where consent is required: When relying on consent, organizations must prepare a consent form that complies with legal requirements. The form should be clear, easy to understand, and separate from other agreements as required by law. Furthermore, the consent form should be designed in a way that facilitates both the giving of consent and the management of consent records, including the ability to withdraw consent efficiently.

2. Provide a Privacy Notice that clearly outlines the collection, storage, use, and disclosure of food allergy information. The notice should also inform data subjects of their rights and provide contact details of the data controller.

3. If food allergy information is recorded and stored, organizations should implement sufficient data protection measures. This includes restricting access to authorized personnel only and selecting appropriate security tools based on the method of data storage.

4. Consider alternative methods to avoid collecting, storing, or using “Food Allergy Information” and to reduce the need to rely on consent.

4.1 Instead of collecting food allergy data, organizations may clearly disclose the ingredients and potential allergens present in their food offerings. If an individual has a food allergy, they can be advised to consult a doctor and contact the organization in advance before using the service. In some industries, such as airlines, passengers with food allergies may be allowed to bring their own meals or may be required to submit medical documentation for severe allergies as per airport regulations. This approach helps minimize the need for collecting consent and reduces the volume of sensitive personal data that organizations must manage.

4.2 Organizations may provide a diverse selection of food options and ensure that menus clearly indicate allergen-containing ingredients. This is particularly important for common allergens, such as nuts, allowing individuals to make informed choices without having to disclose their food allergy information.

Key Takeaway

If an organization needs to collect, store, use, or share food allergy information, the PDPA does not prohibit such processing. However, organizations must comply with all legal obligations and ensure the security of the collected data.

That said, if an organization can implement alternative methods to reduce the need for processing food allergy information, it can lower the risk of data breaches and regulatory non-compliance.

If you have further questions about collecting food allergy data or handling health information, Athentic Consulting is here to provide expert guidance, helping your organization operate efficiently, legally, and in compliance with the PDPA—enhancing your corporate reputation through a commitment to customer privacy.


Punsuree Kanjanapong
Lead - Legal Technology Counselor
Pilanchalee Sae-Fung
Legal Technology Counselor
Araya Hengma
Legal Intern