Data Protection Toolkit - Protecting children's data
There is some understandable confusion around the implications of GDPR for the protection of children's personal data.
If your charity or community group offers a service directly to children, or collects information about children in a household receiving a service, you should carefully consider what data you collect and how it is used.
Even if your service is not aimed specifically at children, if their personal data is likely to be processed as part of it, the data protection considerations are important.
There are few explicit requirements concerned with the use of children's data set out in the GDPR.
However, there are some definite issues that you should consider, and you might decide to treat the use of a child's data differently from that of an adult as a result.
Recital 38 sets out the principles behind the protection of children's data:
Children merit specific protection with regard to their personal data, as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data.
It goes on:
Such specific protection should, in particular, apply to the use of personal data of children for the purposes of marketing or creating personality or user profiles and the collection of personal data with regard to children when using services offered directly to a child.
The consent of the holder of parental responsibility should not be necessary in the context of preventive or counselling services offered directly to a child.
Recital 38 GDPR
Broadly speaking, this is saying that there are differences between processing a child's and an adult's personal data, and this is down to the gap in the level of understanding between the two data subjects. You need to be especially mindful of this difference in cases where you are collecting data from children with no interaction with parents.
There are some questions that will come up when thinking about this:
- What lawful basis do you use for processing children's data?
- How do you make sure that your processing is fair and transparent?
- What can be done to reduce any risk to the child's rights and freedoms?
- Can children's data be shared with third parties?
It is your responsibility as the data controller to ensure that these issues are addressed and that adequate protection is given.
Another part of the GDPR (Article 8) sets the conditions for a "child's consent to use information society services". This is dealt with in more detail below, but it will only apply to you if you are providing online services to children.
There are mentions of children regarding transparency of information (in Recital 58) and the risks resulting from the processing of data concerning vulnerable persons (in Recital 75). We take these into consideration in the advice given below.
There is also a brief of children mention in Article 40, which concerns the implementation of codes of conduct under the GDPR. This doesn't have any practical implications as no codes of conduct have yet been officially approved by the ICO. It is worth noting, however, that there may be best practices developed for your sector concerning the use of children's data, and it would be worthwhile considering any guidance that may have a bearing on your activities.
In Northern Ireland there is no legally-defined age at which someone is considered a child (at least in terms of data protection). Children are therefore able to give consent themselves and you are not required to seek parental consent for processing personal data about a child—unless the fact that the data subject is a child would cause difficulties with the GDPR's requirements for valid consent.
Before considering who can give consent, you should consider if consent is—in fact—the most appropriate basis to rely on for the processing.
If you need to collect information solely to satisfy a legal obligation to which you are subject (such as safeguarding or health and safety laws), then you should not be asking for consent to hold this data.
Where there are other purposes not connected to a legal requirement, you might also consider whether you can apply your legitimate interests to the processing.
In many cases an organisation, such as a school or club, will choose 16 (or even 18) as the "default" age below which a parent's consent must be gathered. Considering than in Scotland (where there is a clear definition) this legal limit is set at 12 years, then 16 may be too high a limit to require a parent to consent for a child—but this will depend on the circumstances.
Any consent that you obtain for data processing must meet be "freely given, specific, informed and unambiguous". Where children are concerned, allowing for an informed and freely given choice are the most significant questions for whether you should get consent from a person with parental responsibility instead.
It might be very clear that children below a certain age are too young to make an "informed" choice. For less obvious cases, you might be able to assess each child on whether they can give consent for themselves. You also need to keep in mind that "freely given" consent will depend on how much they might feel compelled to agree with an adult in a position of power.
A parent therefore can give consent on behalf of the child where you have come to the conclusion that the child would not be able to give consent for theirself. Keep in mind that the child will have the right to withdraw this consent once they reach the point at which they do have a suitable understanding.
If the service that you offer directly to children is an online service (in law, an "information society service"), then you do need the consent of the parent if the child is under the age of 13 and in the UK (i.e. those aged 13 and older can lawfully provide consent for themselves).
Other countries in the EU may have decided on different age levels for this purpose, which can be between 13 and 16, so take care if offering online services to children outside of the UK. In Ireland the age is 16.
Please see more about this in the ICO's guidance for more about what you need to know about offering online services to children. You should also carry out a Data Protection Impact Assessment if this is something that you are doing.
Preventative and counselling services
Preventative and counselling services are mentioned in Recital 38. If you offer these types of services to a child, then you should not require the parent's consent for any of the data processing as a condition to allow a child to access the service.
If your preventative or counselling service is offered online as with the above, then you should not require parental consent even if the child is under 13. In such cases, either the consent of the child (if appropriate) or another lawful basis, such as legitimate interests, should be applied.
In the GDPR, "legitimate interests" can provide a lawful basis for your processing of personal data (as would consent). It allows you to process someone's data where you have identified an interest in doing so, it is necessary to achieve that interest, and it is on balance with the data subject's rights and freedoms.
Particular emphasis must be put on balancing the rights and freedoms of the data subject where they are a child.
Whenever you are considering legitimate interests you should carry out a Legitimate Interests Assessment. If children are the data subjects, then you should reflect this as part of that assessment, including the impact on their rights and freedoms as children and their more limited understanding of the risks and consequences of data processing.
Under the GDPR, individuals have certain rights over their own data, such as the right of access to their own information. Data protection rights belong to the data subject, and children have the same rights as adults. Where the data concerns a child, the rights belong to that child.
You must allow them to exercise those rights without requiring permission from or having to communicate through a parent, if they have the ability and level of understanding to do so. This applies even if there was a case of consent for the processing originally granted by the parent.
A parent (or adult with parental responsibility) may approach you wishing to exercise these rights on behalf of a child. You will have to make a decision on whether this is something that you can respond to.
However, in some cases, you may allow the person with parental responsibility to exercise those rights where:
- they have been authorised to act on the child's behalf — as with any request made via a third party (read more), or
- the child in question does not have an understanding of their rights, or is not competent in exercising them
Assessing the level of competence will depend on the child's age and development, the nature and complexity of the personal data, and the potential consequences of them exercising these rights.
In such cases you should be satisfied that the person has parental responsibility or legal authorisation required. If the adult has made the request, you can still respond directly to the child unless it would not be appropriate to do so (for example, revealing some information that may cause them harm or distress).
There may be particular situations where you would not allow a parent to exercise a child's data protection rights, even if the child were not able to themselves. There may be a potential conflict or danger in allowing an adult to know about or control information relating to a child. For instance, if a child is receiving counselling or a confidential advice or advocacy service from you, you wouldn't let another person (a parent or otherwise) have access to the personal data generated through the course of that service. This is especially important where there are duties of confidentiality, abuse or safeguarding matters.
Whether you can take photographs or videos of children will depend on the purpose that you are taking them for. If a child can be identified from a photograph and it is not solely for domestic purposes, then you need to consider the data protection implications.
The ICO has issued guidance on taking photos in schools. Generally speaking, photos taken by parents of events (such as school plays) would not be covered by data protection as they are for personal use. Schools and other settings may, of course, impose their own policies and rules on the taking of photographs, which will restrict or prohibit anyone in taking photos.
In circumstances where the photograph would not be publicly available, legitimate interests may be an option to use as a lawful basis. You should consider what the interest is in having the photograph, that it will be of some benefit, that the photograph is a necessary part of achieving that interest, and that parents would reasonably expect that you would do this. For example, if you were using a photo to form part of a child's record of learning, to share with parents. You may even need to take photos as part of doing your job and to demonstrate that you meeting educational standards. In such cases, you can carry out a Legitimate Interests Assessment to help you make this judgement.
If a photo of a child will appear in public, such as in an advertising brochure, on a website or social media, it would usually be necessary to have consent first. This may be from the parent or from the child (depending on their age and level of understanding as outlined above). Permission forms for taking photographs are a common way of doing this. They should include what the photographs are being used for and how they will be used.
Keep in mind that there might be security and confidentiality issues if staff members' personal mobile phones are used to take photographs. It might be more suitable to get a camera for this purpose.
Notwithstanding any of this, you should consider any safeguarding issues and circumstances where it isn't appropriate to take photographs of children. If a parent withdraws their consent, or objects where you are using a legitimate interest, you will have to remove and delete any copy of a photograph with that child.
You should also be mindful of how long photographs are retained for, in either digital or printed form (including where they are stored in the camera). Your privacy notice and retention policy should cover the use of photographs.
Transparency of information
Recital 58 requires particular regard to the transparency of information about the processing of personal data when the data subject is a child.
Any privacy information that is addressed to a child should be delivered in a way that they can be expected to understand. That means thinking about reading and comprehension levels, and using clear and plain language.
A Data Protection Impact Assessment (DPIA) is a tool to help you identify and minimise data protection risks of a particular processing activity. While there is no automatic requirement to carry out a DPIA solely to process children's data, the likelihood that you will need to carry one out will increase if you do.
If any type of processing is likely to result in "a high risk to the rights and freedoms of individuals", then a DPIA is required. It stands to reason that there is some level of risk involved where a data subject is a child, because they are vulnerable individuals (due to their lack of awareness and understanding of data protection risks). Depending on what you're doing, the purpose of your processing may also present risks to the child—especially where you using evaluation or scoring methods. Whether this is a "high risk" is a decision that you will have to make.
The ICO has a specific requirement that a DPIA be carried out for processing that involves any targeting of children (or other vulnerable individuals) for marketing purposes, profiling or automated decision-making, or if offering online services directly to children.
Another way that you can ensure good practice in collecting and using children's data is by applying child-friendly design. While you can make your privacy information child-friendly, you can also develop ways to incorporate child friendly design into systems and interfaces, and communicate with children in a way that gives them control (where appropriate) rather than feel disempowered. Read more about data protection by design and by default.
Sharing children's data
There may be cases where you want or need to share children's data with a third party, such as another organisation that is going to help provide services to a family you have been working with. This could be the systematic sharing of data or something that is done on a one-off basis.
The ICO's Data Sharing Code of Practice covers what decisions need to made, how people should be informed about sharing, data security issues, putting agreements in place, and the things you mustn't do when sharing data.
The fact that you are sharing data should add to your consideration of whether a Data Protection Impact Assessment is needed.
European Commission, Can personal data about children be collected?