What should our general approach to processing children’s personal data be?

In detail

• Why do children merit specific protection?
• What do we need to do about data protection by design and default?
• How important are fairness and the data protection principles?
• What about the best interests of the child?
• What if we’re not sure whether our data subjects are children or not?
• Should we consult with children?

Why do children merit specific protection?

Recital 38 of the UK GDPR states that:

“Children require specific protection with regard to their personal data as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data. Such specific protection should, in particular apply to the use of personal data of children for the purposes of marketing or creating personality or user profiles and the collection of personal data with regard to children when using services offered directly to a child. The consent of the holder of parental responsibility should not be necessary in the context of preventive or counselling services offered directly to a child.”

What do we need to do about data protection by design and default?

The UK GDPR requires you to put in place appropriate technical and organisational measures to implement the data protection principles and safeguard individual rights. This is ‘data protection by design and by default’. This means you have to integrate data protection into your processing activities and business practices, from the design stage right through the lifecycle.

If you process children’s personal data then you should think about the need to provide the specific protection required by Recital 38 from the outset and design your processing, products and systems with this mind. This is vital if you regularly or systematically process children’s personal data. It is usually easier to incorporate child friendly design into a system or product as part of your initial design brief than to try and add it in later. We recommend that you use a Data Protection Impact Assessment (DPIA) to help you with this, and to assess and mitigate data protection risks to the child. You should also take into account the rights and freedoms of the child so that their freedom to learn, develop and explore (particularly in an online context) is only restricted when this is proportionate.

If your processing is likely to result in a high risk to the rights and freedoms of children then you must do a DPIA. The ICO has produced guidance on processing that it considers to be likely to result in a high risk to data subjects and therefore requires a DPIA. The list includes the use of children’s personal data for marketing purposes, profiling or other automated decision-making, or if you intend to offer online services directly to children. This does not mean that this type of processing will always result in a high risk to children’s rights and freedom, you may not know that until after you have completed your DPIA. Rather it is the type of processing where we think there is a likelihood that the processing will be high risk. For further information about DPIAs please see our Guide to the UK GDPR and our detailed guidance on Data Protection Impact Assessments

Transparency is also key. You can raise children’s (and their parents’) awareness of data protection risks, consequences, safeguards and rights by:

• telling them what you are doing with their personal data;
• being open about the risks and safeguards involved; and
• letting them know what to do if they are unhappy.

This will also help them make informed decisions about what personal data they wish to share.

Your approach should be privacy by design and by default, taking into account the age of the children as far as you can, and the personal data you will be processing. For example, to protect children from sharing data inappropriately you could set privacy settings on Apps to ‘not to share’ by default, and when activating ‘sharing mode’ include a clear, child friendly explanation of the increased functionality and its risks.

In the context of online processing, Section 123 of the Data Protection Act 2018 requires the Commissioner to produce a Code of Practice on age appropriate design for ISS that process personal data and are likely to be accessed by children. Once published this Code will provide further guidance about the standards and practice the Commissioner will expect in this area.

How important are fairness and the data protection principles?

As with any other processing, fairness and compliance with the data protection principles should lie at the heart of all your processing of children’s personal data. The purpose of these principles is to protect the interests of the individuals and this is particularly important where children are concerned. They apply to everything you do with personal data (except where you are entitled to rely upon an exemption) and are key to complying with the UK GDPR.  The data protection principles are set out at Article 5 of the UK GDPR and explained further in the Guide to the UK GDPR. For further information about exemptions please see the section of this guidance on How do the exemptions apply to children’s personal data?

What about the best interests of the child?

The concept of the best interests of the child comes from Article 3 of the United Nations Convention on the Rights of the Child. Although it is not specifically referenced in the UK GDPR it is something that the Commissioner will take into account when considering compliance, and that you should consider when making decisions about the processing of children’s personal data. It states that:

‘In all actions concerning children, whether undertaken by public or private social welfare institutions, courts of law, administrative authorities or legislative bodies, the best interests of the child shall be a primary consideration.’

What if we’re not sure whether our data subjects are children or not?

This can be an issue, particularly with online or other remote processing. If you aren’t sure whether your data subjects are children, or what age range they fall into, then you usually need to adopt a cautious and risk based approach. This may mean:

• designing your processing so that it provides sufficient protection for children;
• putting in place proportionate measures to prevent or deter children from providing their personal data;
• taking appropriate actions to enforce any age restrictions you have set; or
• implementing up-front age verification systems.

The choice of solutions may vary depending upon the risks inherent in the processing, the rights and freedoms of the child, and the particular provisions of the UK GDPR that apply to your processing. You should always think about both the target age range for your processing and the potential for children outside this age range providing their personal data.

Should we consult with children?

It is good practice to invite the views of children themselves when you are designing your processing, including diverse groups who can provide a range of feedback. This can help you to identify risks, design safeguards and assess understanding, as well as giving you an opportunity to test your system or product on the end user.

It is also consistent with the UN Convention on the rights of the child which provides at Article 12 that every child has the right to express their views, feelings and wishes in all matters affecting them, and to have their views considered and taken seriously.

UNICEF (The United Nations Children’s Fund) recommends that companies seek to take account of the views of children by consulting experts and child’s rights advocates and employing expert third-party facilitators with skills in engaging children according to their evolving capacities. Employing an expert facilitator can help to ensure children’s safety throughout a consultation and accurately capture children’s views and experiences.

Children in Scotland have produced some guidelines to assist organisations wishing to engage with children.