Organisations must pay particular attention when it comes to the collection and processing of children’s personal data. Children possess the same rights to their personal data as adults (including right of access, rectification, erasure, to be informed and to object), yet they are likely to be less conscious of the risks and consequences involved when their personal data is processed.
Recently there have been a number of data breaches in the UK concerning children’s personal data. On one occasion, various documents that included children’s names, addresses and dates of birth were incorrectly posted online. In another incident, the special needs and disabilities of children who had not yet found a place in a school were disclosed in response to a Freedom of Information request. Each incident is likely to result in a high risk of harm to the data subjects and to cause significant reputational damage to the organisation. Both cases have now been referred to the Information Commissioner’s Office for further investigation.
In order to reduce the likelihood of a breach occurring, it is important to ensure that your organisation has taken the appropriate steps to protect children’s personal data in the first instance. The ICO expects children to be given more protection because of their vulnerability, and as such it is generally recommended that the processing of children’s data is treated as high risk. There are a number of actions your organisation can take to ensure it is fulfilling its obligations under the UK GDPR when it comes to the collection and processing of children’s data. These include the following:
- Ensure from the beginning that all systems and processes are built in a way to protect children from harm. A key action in this regard is ensuring a Data Protection Impact Assessment (DPIA) is carried out when processing children’s data. A DPIA will assist in identifying risk factors and provide a platform to discuss, agree and implement how these risks can be mitigated. This will also involve taking into consideration wider requirements including the ICO’s Children’s Code (where applicable).
- Have reliable security measures in place and make sure these are maintained. Cyberattacks are inevitable in today’s technological world. Therefore, your organisation has a responsibility to make sure that all information is held as securely as possible.
- Ensure you have a valid lawful basis for processing children’s personal data and that this is recorded in your internal Record of Processing Activities (if you have one), as well as in any public-facing privacy notices. There are various options available when choosing a lawful basis, as set out in Art 6 and Art 9 of the UK GDPR, and the correct one will depend on your processing activity.
However, be aware that if your organisation is relying on processing for the performance of a contract, this could be problematic depending on the age of the child and their ability to legally enter into a contract.
Likewise, consent, while it may seem the obvious choice, also has its issues. In England the age at which a child can give consent for data protection purposes is 13, and in Scotland it is 12. For a child below the age of consent in the respective country, parental consent would be needed. However, in practice, organisations often seek parental consent even if the child is above the age of UK GDPR consent (as applicable in each country), up to the age of 16, to avoid any potential dispute regarding capacity or fairness, and some thought should be given to what works practically for your organisation.
Another option may be legitimate interests; where you choose to rely on legitimate interests as your lawful basis, you must carry out a Legitimate Interests Assessment. The onus is on you, rather than on the child or their responsible adult, to make sure that the child’s rights are adequately protected. It is important to consider what the child may reasonably expect you will do with their personal data, and an important aspect of this is taking into account the relationship you have with them.
- Create and maintain a set of relevant internal policies to ensure everyone in the organisation understands their obligations under data protection law and will follow the appropriate processes.
- Regularly train all individuals in the organisation in respect of their obligations under the UK GDPR for processing children’s data. Interactive training sessions are particularly beneficial for allowing individuals to communicate with each other and clarify any areas of uncertainty.
- Put in place appropriate Data Sharing Agreements and Data Processing Agreements prior to sharing any personal data with third parties. As children’s data is particularly high risk this is a very important measure.
- Publish clear and easily understood Privacy Notices using plain, age-appropriate language. Children must understand what will happen to their personal data and what their rights are.
- Foster a blame-free environment when breaches occur. It is important that everyone in the organisation comes forward as quickly as possible so that a breach can be dealt with efficiently and within the applicable 72-hour timescale. Individuals are less likely to do this where they are worried about the negative repercussions of making a mistake.
Our team is always available to offer support and guidance. Should you require any assistance please do not hesitate to get in touch.