How do the lawful bases apply to children’s personal information?

Which lawful bases can we rely on to handle children’s personal information?

Before you start using people’s personal information, you must choose your basis for processing to help ensure it is lawful. Article 6 of the UK GDPR outlines the possible lawful bases for processing.

Any of the lawful bases might apply to your use of children’s personal information, but some will be more appropriate in certain contexts. Therefore, you should consider several important factors before deciding which basis to rely on. We discuss these in further detail below.

Where applicable, also see our guidance on the lawful bases for processing within the children’s code.

Can we rely on 'consent'?

General requirements

Under article 6(1)(a), this basis applies where:

“the data subject has given consent to the processing of his or her personal data for one or more specific purposes”

Article 4(11) defines consent as:

“any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”

There may be times when you want to rely on consent to handle children’s personal information. This is possible, and it may be appropriate, but only where you can truly give children (or their parents) informed choice and control over how you use their personal information.

With the exception of organisations that offer ISS directly to children, the UK GDPR does not set a general minimum age at which a child can give their own consent. Instead, you must assess whether the child has the capacity to understand what they’re agreeing to.

This capacity is assessed differently across the UK:

  • In England, Northern Ireland and Wales, the capacity of a child or young person – often referred to as ‘Gillick competence’ – is assessed depending on their level of understanding. 
  • In Scotland, children are presumed to have capacity from the age of 12. 

In many cases, it’s reasonable to follow the Scottish approach. For more information, see the NSPCC’s guidance on Gillick competence and Fraser guidelines.

The UK GDPR only sets a specific age threshold for consent where an organisation offers an ISS directly to a child. (We discuss this in more detail under the section Additional consent requirements for ISS providers.)

When you ask a child for consent, you must ensure that your request is clear, easy to understand and appropriate for the age of the child.

You must also consider whether the child can understand the implications of your use of their personal information. If they can, they are generally considered to have the capacity to give their own consent, unless this is clearly against their best interests.

If the child doesn’t have sufficient capacity, their consent is not informed. This means it’s invalid under the UK GDPR. If you still want to rely on consent in this situation, you must have consent from someone with parental responsibility for the child, unless this is clearly against the child’s best interests (eg in safeguarding or child protection contexts).

If you can’t assess a child’s individual capacity, you should at least consider their age and the complexity of what you’re expecting them to understand.

To ensure consent is freely given, you must also consider any imbalance of power between you and the child.

Example

A school wants its students to use an educational app for certain classroom activities and remote homework tasks. Alongside basic identity and parental information, the app allows the school to collect information about students’ educational performance and digital activity. It does this to ensure the app is meeting their educational needs.

The school considers relying on consent as its lawful basis. However, the students (and their parents) may feel that they have no real choice but to agree to the use of their information for these purposes, particularly if the school does not offer suitable alternatives. This is because the school’s authority and the children’s dependence on education create a clear power imbalance. The differing ages and developmental stages of students also mean that certain children may not have sufficient capacity to understand the implications of this use of their personal information.

For these reasons, the school decides that consent is not an appropriate lawful basis to rely on for these purposes. Instead, it considers whether another lawful basis would be more appropriate (eg public task).

You must include details of the right to withdraw consent in your privacy information and in any consent requests directed at the child. You should also explain how the child can withdraw their consent. You could reinforce this as part of any regular reminders about privacy settings.

You must make it as easy for a child (or someone acting on their behalf) to withdraw their consent as it was for them to give it in the first place.

(For more information on the right to withdraw consent, see the section What data protection rights do children have?.)

(For more details on providing privacy information to children, see How does the right to be informed apply to children?.)

The UK GDPR sets out specific requirements for valid consent. You must meet all of these if you want to rely on this lawful basis.

It’s also important to remember that:

  • relying on consent doesn’t guarantee that your use of personal information is fair; 
  • you’re still responsible for assessing the associated risks; and
  • consent isn’t always the most appropriate lawful basis.

Additional consent requirements for ISS providers

You must follow additional rules if you offer an ISS directly to children and want to rely on the consent lawful basis. Article 8 of the UK GDPR states that in this context:

  • only children aged 13 and over can lawfully give their own consent to the use of their personal information;
  • where a child is under 13, your use of their personal information is only lawful if a person with parental responsibility for the child gives or authorises their consent; and
  • in cases requiring parental consent, you must make reasonable efforts to verify that parental consent.

The only exception to these rules is if you provide preventive or counselling services. In these cases, it may be in the child’s best interests for you to accept their consent.

Alternatively, you may decide that relying on a different lawful basis (eg public task or legitimate interests) is more appropriate.

We consider that you are offering an ISS directly to a child if your service:

  • explicitly states it’s for children;
  • targets children of any age;
  • is available to all users without any age restrictions; or
  • allows users under the age of 18.

We wouldn’t usually consider you to be offering an ISS directly to a child if your service:

  • only allows users aged 18 and over; or
  • is only available through an intermediary (eg in some school settings).

However, whether this is the case in practice will depend on the specific circumstances, including your role in determining how and why children’s personal information is used.

(See our guidance on The children’s code and education technologies (edtech) for more details on ISS provided through an intermediary.)

You must meet the article 8 age limit for consent if you:

  • have an office, base or other establishment in the UK; or 
  • monitor the behaviour of or offer services directly to UK users.

If your service has an age limit, we may review how you apply this in practice (eg if we receive a complaint and article 8 is relevant). We may consider evidence such as:

  • site content;
  • marketing plans;
  • access control systems or processes; and
  • the information you provide to users.

Therefore, you should clearly define your target audience and specify the age group you plan to allow access to your service.

If you choose not to offer your service to children, you must implement appropriate measures to mitigate the risk of them gaining access. You must use measures proportionate to the risks associated with your use of their personal information.

If you do offer an ISS directly to children and want to rely on consent as your lawful basis, you must take reasonable steps to confirm that users are at least 13 years old. If you don’t do this, you risk handling a child’s personal information without valid consent under the UK GDPR. If you use age assurance measures, you must ensure they comply with the data protection principles. You should ensure they provide a level of accuracy proportionate to the risks to the child’s rights and freedoms.

The UK GDPR says you must make ‘reasonable efforts’ to verify that anyone giving consent on a child’s behalf does in fact hold parental responsibility. When considering what’s ‘reasonable’ for these purposes, you must take into account available technology. You should also consider your available resources and any risks associated with your use of the child’s personal information that you’ve identified in your DPIA.

However you choose to verify parental consent, you must be able to justify your approach.

If you plan to collect personal information to meet article 8 requirements, you must do this in a privacy-friendly way by:

  • limiting collection to what is necessary to verify age of consent or parental responsibility;
  • only keeping the information for as long as necessary for verification purposes; and 
  • securing the information appropriately.

If you plan to use children’s personal information to offer them an ISS, you must complete a DPIA. This is because we believe that using children’s personal information in this context is likely to result in a high risk to their rights and freedoms. A DPIA can also help you:

  • decide what steps to take to verify age and parental responsibility; and 
  • show that these steps are reasonable if we receive a related complaint.

Can we rely on ‘performance of a contract’?

Under article 6(1)(b), this basis applies where:

“the processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering a contract” 

If you want to enter into a contract with a child, you must consider their capacity to agree to the contract and understand the implications of your use of their personal information. 

You must consider an alternative lawful basis (eg legitimate interests) if you have doubts about a child’s capacity or your use of their information isn’t necessary for the contract.

In Scotland, the legal age of capacity to enter into a contract is 16 (with some exceptions which allow contracts with younger children). In the rest of the UK, people aged 18 and over are generally considered to have the legal capacity to enter into a contract. However, children under the age of 18 can enter into valid and enforceable contracts for the purposes of:

  • obtaining necessities such as food, clothing or shelter (if they are reasonably necessary for their lifestyle); or
  • receiving beneficial services such as employment or education (although these can be refused or rejected at the point of adulthood).

If a child enters into a contract outside these categories, this contract is generally considered to be ‘voidable’. This means the child isn’t legally bound by the contract and can effectively cancel their contract with you at any time. If the contract you have with a child is voided, you can no longer rely on this lawful basis to handle their personal information.

Example

A child places an order for an item of clothing using a popular online retailer. The retailer relies on the contract lawful basis to handle the child’s personal information in order to: 

  • fulfil the child’s order; 
  • arrange for its delivery; and 
  • handle any related returns or complaints.

This is a complex area of law, so if you’re considering entering into a contract with a child, we strongly recommend getting your own legal advice about the validity of the contract. This will help you: 

  • ensure that your underlying business model complies with the law; and 
  • establish whether you have a lawful basis for using the child’s personal information. 

If you’re thinking about allowing a parent to agree to a contract with you on a child’s behalf, we also strongly recommend that you take legal advice.

Can we rely on ‘legal obligation’?

Under article 6(1)(c), this basis applies where:

“processing is necessary for compliance with a legal obligation to which the controller is subject” 

The requirements of the legal obligation lawful basis are the same whether you want to use children’s or adults’ personal information. 

You must directly link your use of personal information to a legal obligation placed on you. Your use of the information doesn’t need to be essential for you to comply with your obligation. However, you must ensure it is a reasonable and proportionate way of achieving compliance. 

What may be different when you’re handling children’s personal information is your underlying legal obligation. This is because some laws: 

  • are specifically about children or aim to protect children; or 
  • apply different standards or requirements where children are concerned.

Example

A local authority receives an order from the Family Court to disclose records relating to a child’s welfare. To comply with the court’s order, the local authority relies on legal obligation as its lawful basis for handling the child’s personal information.

Example

An online gaming platform uses human moderators to: 

  • review user-generated content; and 
  • remove anything that breaches its content policies. 

This system involves the use of personal information, including that of children.

The platform introduced its content moderation system in accordance with the measure recommended in Ofcom’s illegal content codes of practice for user-to-user services. 

The platform relies on legal obligation as its lawful basis for handling users’ personal information in this way. This is because carrying out this code measure helps it comply with its legal obligations under the OSA.

However, the platform doesn’t rely on legal obligation as its lawful basis for processing activities that go beyond what is necessary to meet its OSA duties.

What counts as a proportionate and necessary use of personal information to achieve compliance can also differ between adults and children. Therefore, you should make this judgement based on the specific situation while keeping the best interests of the child in mind.

Can we rely on ‘vital interests’?

Under article 6(1)(d), this basis applies where:

“processing is necessary in order to protect the vital interests of the data subject or of another natural person”

You should use the same basic approach whether you want to handle adults’ or children’s personal information. For this lawful basis to apply, you must be using the information in a way that is necessary to protect someone’s life. 

There may be a difference between what is necessary to protect the vital interests of a child and of an adult. This is because children have different needs at different stages of their development. Therefore, you should judge this based on your circumstances, keeping the best interests of the child in mind.

Example

A child suffers a severe and life-threatening allergic reaction while at nursery and becomes unconscious. The on-duty daycare employee calls for an ambulance and provides details of the child’s health information to the ambulance crew on arrival. 

Sharing this information is necessary to protect the child’s vital interests.

Can we rely on ‘public task’?

Under article 6(1)(e) of the UK GDPR, this basis applies where:

“processing is necessary for the performance of a task of the controller carried out in the public interest or a task carried out in the exercise of official authority vested in the controller”

You don’t need to rely on an explicit statutory provision or specific legal authority to handle personal information. However, your underlying task, function or power must have a clear basis in law. 

This basis usually applies to the functions or tasks of public authorities (eg those of Children’s Services or the Family Courts). However, it can sometimes be used by private organisations that exercise official authority or carry out tasks in the public interest. Examples include: 

  • independent schools and academies with statutory education or safeguarding duties; and 
  • private clinics delivering services under statutory National Health Service duties.

You should apply the same basic approach to this lawful basis, whether you want to handle children’s or adults’ personal information. You must:

  • identify your task, function or power; and 
  • ensure that your use of personal information is necessary for this purpose. 

What counts as a proportionate and necessary use of personal information can also differ between adults and children. You should make this judgement based on your circumstances, keeping the best interests of the child in mind.

Example

A local authority and schools within its jurisdiction have a legal duty to monitor pupil attendance to identify and support children who regularly miss school.

This task is necessary, and it’s carried out in the public interest to: 

  • safeguard pupils’ welfare; and 
  • uphold their right to a suitable full-time education.

Therefore, the local authority and schools rely on the public task lawful basis to handle children’s personal information for attendance monitoring.

The public task lawful basis only applies to your own tasks. If you’re using personal information to support another organisation in carrying out its tasks, you should rely on a separate lawful basis to do this. 

Can we rely on ‘legitimate interests’?

Under article 6(1)(f), this basis applies where:

“the processing is necessary for the purposes of the legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child”

There are three key elements to the legitimate interests lawful basis. We refer to these as a ‘three-part test’. To rely on this basis, you must:

  • identify your legitimate interest (purposes test);
  • show that your use of personal information is necessary to achieve it (necessity test); and 
  • balance this against the interests, rights and freedoms of the person whose information you’re using (balancing test).

The legitimate interests can be your own interests or the interests of third parties. They can include commercial interests, specific people’s interests or broader societal benefits.

It is possible for you to rely on the legitimate interests basis to handle children’s personal information. However, you must take extra care to protect their interests. This reflects the broader safeguards for children built into the UK GDPR, which recognise that children merit specific protection in relation to their personal information. This is because they may be less aware than adults of the risks, consequences and safeguards involved, as well as their rights.

If you plan to use legitimate interests as your lawful basis for handling children’s personal information, you must protect them from risks and consequences that they may not fully understand or expect in the context of your relationship with them. It is up to you, not the child, to adequately protect their interests and identify appropriate safeguards.

Example

A local community group hosts a family fun day and uses a simple sign‑in process at the entrance. The group collects only the following information it needs to run the event safely: 

  • the child’s first name;
  • their age group; and 
  • the accompanying adult’s name and mobile number in case of an emergency.

In this case, the community group relies on the legitimate interests lawful basis.

Purpose test: The group has a legitimate interest in:

  • managing numbers at the venue; and 
  • making sure it can contact an adult quickly if something goes wrong.

Necessity test: The group only collects the minimum information needed to achieve these aims. The sign‑in process is a practical and proportionate way of doing this.

Balancing test: Families attending a child‑focused event would reasonably expect to provide this limited information. The impact on children’s privacy is low.

The group also puts appropriate safeguards in place. These include:

  • only using the information for managing attendance and safety;
  • keeping the information only for the short period needed to run the fun day and destroying it once the event has finished;
  • storing the information securely during the event so that only authorised organisers can see it; and
  • explaining to families in clear and simple terms why it’s collecting the information.

You should be able to demonstrate that you are sufficiently protecting the child’s fundamental rights and freedoms and prioritising their interests over your own where appropriate.

Taking a data protection by design approach will help you do this. (For more information, see How do we build in data protection from the start when using children’s information?.)

If there’s a serious mismatch between your interests and the interests, rights and freedoms of the child, you should assume the child’s are stronger and put them first.

The legitimate interests basis doesn’t apply if you want to use children’s personal information to perform your tasks as a public authority. (For more information, see Can we rely on ‘public task’?.)

Can we rely on ‘recognised legitimate interest’?

Under article 6(1)(ea), this basis applies where:

“processing is necessary for the purposes of a recognised legitimate interest”

Article 6(5) adds that:

“For the purposes of paragraph 1(ea), processing is necessary for the purposes of a recognised legitimate interest only if it meets a condition in Annex 1.”

A ‘recognised legitimate interest’ is a specified purpose for handling personal information that’s in the public interest. Annex 1 of the UK GDPR lists five recognised legitimate interest conditions:

  • Sharing information with organisations that have public tasks or official functions in UK law.
  • Safeguarding national security, protecting public security or for defence purposes.
  • Responding to emergencies covered by the Civil Contingencies Act 2004.
  • Detecting, investigating or preventing crime (including capturing or prosecuting offenders).
  • Safeguarding a “vulnerable individual”.

You don’t need to balance people’s rights and freedoms against the relevant interests you’ve identified. This is because the law has already done so and determined that any potential impact on people is justified. However, this doesn’t mean you can handle personal information without any restrictions. You must:

  • ensure that your use of the information is necessary for the recognised legitimate interest condition; and 
  • comply with all other legal requirements.

Depending on the circumstances, any of the recognised legitimate interest conditions may be suitable when you’re handling children’s information. However, if you’re planning to use personal information to safeguard someone under 18, the safeguarding condition is likely to apply. This is because it includes a provision that specifically applies to children.

Example

A youth club volunteer notices signs of emotional distress in one of the children who attends regularly. The volunteer has growing concerns about the child’s well-being. Therefore, they decide it’s necessary to share relevant personal information about the child with the club’s safeguarding lead and the local authority. 

They rely on the recognised legitimate interest basis and safeguarding condition to lawfully share this information.

If you’re a public authority, you can’t rely on recognised legitimate interest to use children’s or adults’ personal information when performing your tasks or functions. (For more information, see the section Can we rely on ‘public task’?.)

You also can’t rely on recognised legitimate interest to make significant decisions about adults or children based solely on automated decision-making. (For more information on automated decision-making and children, see the section What if we want to profile children or make automated decisions about them?.)

What if we want to handle special category data?

Under article 9(1), special category data includes:

“personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership…genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation”

If you want to handle special category data, you must have:

  • a lawful basis for processing under article 6; and
  • a separate condition for processing under article 9 of the UK GDPR.

This is because the UK GDPR prohibits you from using special category data unless you meet specific conditions. 

(For more information on special category data and the 10 conditions for processing, see our separate guidance What is special category data? and What are the conditions for processing?.)

This type of information merits specific protection because handling it is more likely to interfere with people’s fundamental rights and freedoms. If you can’t meet a condition for processing special category data, it isn’t lawful for you to use this personal information. This applies even if your purpose satisfies a lawful basis for processing under article 6.

The Data Protection Act 2018 (DPA) supplements and tailors the UK GDPR conditions for processing special category data. It’s important that you read the article 9 conditions alongside sections 10 and 11 and schedule 1 of the DPA.

Schedule 1 covers the very specific circumstances in which certain article 9 conditions apply. Many of these include a necessity test. Protecting children’s personal information may be a particular consideration when you apply this test. For example, if you’re handling children’s information in a child protection context, the schedule 1 condition for safeguarding children and individuals at risk is likely to be relevant. If you suspect a criminal offence, the schedule 1 condition for preventing or detecting unlawful acts is also likely to be relevant.

Example

A local youth homelessness charity works with 16 and 17-year-olds at risk of rough sleeping. 

A young person tells one of the charity’s support workers that they’ve been forced to leave home after a serious family conflict. The charity needs to collect special category data to:

  • assess the risks to the young person; and 
  • coordinate appropriate support. 

This includes relevant information about their health and family circumstances.

In this situation, the charity relies on the recognised legitimate interest lawful basis (safeguarding) to handle the young person’s personal information.

Because the young person is in crisis and cannot meaningfully give consent to the use of their special category data for safeguarding purposes, the charity can’t rely on consent as its article 9 condition. Instead, it relies on the:

  • substantial public interest article 9 condition; and 
  • safeguarding children and individuals at risk condition under schedule 1 of the DPA. 

This safeguarding condition only applies where: 

  • a person cannot give consent; 
  • a person cannot reasonably be asked to give consent; or 
  • seeking consent may put the person at further risk.

The charity’s use of the young person’s information in this case is necessary to coordinate referrals and develop a tailored support plan. It is also proportionate to the risks to the young person’s welfare.

If you want to handle children’s special category data, you could use sector-specific expertise to help you decide what is proportionate and in the best interests of the child.
