What are the lawful bases for processing?
Before you start processing the personal data of any individual, you need to consider your basis for processing to help ensure it is lawful. The possible lawful bases for processing are outlined in Article 6 of the GDPR.
For the full list and further explanation on choosing a basis for processing, please see our Guide to the GDPR and our Lawful basis interactive guidance tool.
You may rely on any of the bases given in Article 6 as your lawful basis for processing a child’s personal data. However, for some of the bases there are some important additional considerations that you need to take into account when your data subject is a child.
What if we’re relying on consent?
The GDPR allows you to process personal data on the basis of consent. For further information on this basis for processing please see our Guide to GDPR and our detailed GDPR consent guidance.
“the data subject has given consent to the processing of his or her personal data for one or more specific purposes”
- Article 6(1)(a)
There may be circumstances in which you wish to process a child’s personal data using consent as your lawful basis for processing. This may be appropriate if you are truly able to give children (or their parents) informed choice and control over how you use their personal data. However, consent shouldn’t be used as a way of avoiding your own responsibility for assessing the risks inherent in the processing. Although consent is a lawful basis for processing children’s personal data, using it does not necessarily guarantee that the processing is fair, and it isn’t always the most appropriate basis.
Our GDPR consent guidance provides details about the various requirements for valid consent, and you need to meet all of these. In addition, you need to consider the competence of the child (whether they have the capacity to understand the implications of the collection and processing of their personal data). If they do have this capacity then they are considered competent to give their own consent to the processing, unless it is evident that they are acting against their own best interests.
You should also take into account any imbalance of power in your relationship with the child, to ensure that if you accept their consent it is freely given.
Where the child is not competent then, in data protection terms, their consent is not ‘informed’ and it therefore isn’t valid. If you wish to rely upon consent in this situation, you need the consent of a person with parental authority over that child, unless it is evident that it would be against the best interests of the child to seek such parental consent.
In England, Wales and Northern Ireland there is no set age at which a child is generally considered to be competent to provide their own consent to processing. In Scotland children aged 12 or over are presumed to be of sufficient age and maturity to provide their own consent for data protection purposes, unless the contrary is shown.
In some contexts you may be able to make an individual assessment of the competence of a child. However, if you aren’t in a position to make this kind of assessment then you should at least take into account the age of the child and the complexity of what you are expecting them to understand.
If you accept consent from a holder of parental responsibility over a child then you also need to think about how you let the child know that he or she has a right to withdraw that consent once they are competent to make such a decision. You should provide this information in any case as part of any privacy information directed at the child. We would also recommend that you include it as part of any regular reminders you send to data subjects about their privacy settings and how to update them. For further information on privacy information please see the section on How does the right to be informed apply to children? For further information on the right to withdraw consent please see the section on What rights do children have?
The GDPR also has some specific provisions about children’s consent in an online context. It seeks to recognise the difficulties of assessing competence remotely by allowing Member States to set an age at which children can give their own consent to the processing of their personal data when an ISS is offered directly to children. The issues surrounding online consent and children are discussed in the next section: ‘What are the rules about an ISS and consent?’
What if we’re relying on ‘performance of a contract’?
The GDPR gives you a lawful basis to process personal data when this is necessary to fulfil a contract you have with the data subject. For further information on this basis for processing please see our Guide to the GDPR.
“the processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering a contract”
- Article 6(1)(b)
When you wish to enter into a contract with a child you must consider their competence to agree to the contract and understand the implications of the associated processing of their personal data.
The legal age of capacity to enter into contracts is 16 in Scotland (with some exceptions which allow contracts with children younger than this). In the rest of the UK there is no definite age at which a child is considered to have the legal capacity to enter into a contract. The basic rule is that children over the age of 7 are generally able to enter into contracts, but (with some exceptions) the contracts they make may be ‘voidable’. This means that you can’t hold the child to what they have agreed to, or enforce the terms of the contract against them – they can effectively cancel the contract at any time. If the contract is voided then you do not have a lawful basis for processing their personal data.
This applies in all circumstances, including where you are offering an ISS.
This is a complex area of law so if you are considering entering into a contract with a child, we would strongly recommend that you seek your own legal advice about the validity of the contract. This is important both so that you can ensure that your underlying business model is legally sound and because it may affect whether or not you have a lawful basis for processing their personal data. Similarly if you are thinking about allowing a parent to agree to a contract with you on behalf of a child you should again take legal advice. You should not rely upon this summary as a full explanation of the law.
What if we’re relying on ‘legal obligation’?
“processing is necessary for compliance with a legal obligation to which the controller is subject.”
- Article 6(1)(c)
If you are relying upon legal obligation as your basis for processing a child’s personal data then your basic approach should be the same as when you process an adult’s personal data under this lawful basis. You need to identify the legal obligation that underpins the processing (this could be an explicit statutory obligation or a clear common law obligation) and then establish that the processing is ‘necessary’ to comply with that obligation. For further detail on how to apply this test please see our Guide to the GDPR.
What may be different when processing children’s personal data is the underlying legal obligation. This is because there are some laws which specifically concern or seek to protect children, or which apply different standards or requirements where children are concerned.
Also, when considering whether the processing is a proportionate way of achieving compliance (and therefore whether it is ‘necessary’) what is proportionate in relation to adults and children could differ. You need to judge this in the circumstances of your processing, taking into account the best interests of the child.
What if we’re relying on ‘vital interests’?
“processing is necessary in order to protect the vital interests of the data subject or of another natural person”.
- Article 6(1)(d)
Again your basic approach should be the same whether your data subject is an adult or a child. In order for this lawful basis to apply the processing must be necessary to protect someone’s life. Because children are more vulnerable than adults there may be a difference in what is necessary to protect the vital interests of a child and what is necessary to protect the vital interests of an adult. You need to judge this taking into account the context of your processing. For further detail about the basic test to apply please see our Guide to the GDPR.
What if we're relying on 'public task'?
“processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller”
- Article 6(1)(e)
You can rely on this lawful basis if your processing is necessary for your performance of a task carried out in the public interest, or in the exercise of an official authority that has been vested in you. It usually applies to the functions of public authorities, although it can sometimes be used by private organisations that exercise official authority or carry out tasks in the public interest.
Some public authority tasks are likely to involve processing children’s personal data, for example those undertaken by Children’s Services or the Family Courts. The basic test for this lawful basis is the same whether your data subjects are children or adults; you need to identify what your function or power is and make sure that the processing is necessary for this task. What is proportionate (and therefore necessary) in relation to the processing of children’s personal data may however be different to what is proportionate in relation to the processing of adults’ personal data, and the best interests of the child should prevail. We expect controllers relying on this basis to apply their expertise and knowledge about their functions to the child-specific context. For further details of how this lawful basis applies please see our Guide to the GDPR.
What if we're relying on 'legitimate interests'?
The GDPR allows controllers (apart from public authorities acting in the performance of their tasks as a public authority) to process personal data under the lawful basis of legitimate interests. For further information on this basis for processing please see our Guide to the GDPR.
“the processing is necessary for the purposes of the legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child”.
- Article 6(1)(f)
Under this basis for processing you need to:
- identify the legitimate interest;
- show that the processing is necessary to achieve it; and
- balance this against the child’s interests, rights and freedoms.
This is sometimes referred to as doing a Legitimate Interests Assessment and the steps you need to go through are considered in more detail in the Guide to the GDPR. You need to make some judgements about the nature of the processing and the potential risks it poses and take appropriate measures to safeguard against those risks.
Article 6(1)(f) places particular emphasis on the need to protect the interests and fundamental freedoms of data subjects when they are children. This recognises Recital 38 which says that children require specific protection with regard to their personal data because they may be less aware of the risks and consequences of the processing, the safeguards that could be put in place to guard against these, and the rights they have.
When using ‘legitimate interests’ as a lawful basis for processing children’s personal data, you therefore have a responsibility to protect them from risks that they may not fully appreciate and from consequences that they may not envisage. It is up to you, not the child, to think about these issues and to identify appropriate safeguards. You should be able to demonstrate that you have sufficiently protected the rights and fundamental freedoms of the child and that you have prioritised their interests over your own when this is needed.
Using legitimate interests as your lawful basis for processing a child’s personal data puts the onus on you, rather than the child (or adult acting on their behalf), to make sure that their data protection interests are adequately protected. You need to consider what the child might reasonably expect you to do with their personal data, in the context of your relationship with them.
In practice this means that if you intend to process children’s personal data you need to design your processing from the outset with the child, and their increased need for protection, in mind. You should take into account the age range of the children that you are designing your processing for when doing this, as this may affect their level of understanding and the amount of protection that they need. Although there are no defined rules on this, younger children generally need more protection and have less autonomy than older children. The freedom of children to learn, develop and explore should only be restricted if this is a proportionate response to the identified risks. We recommend that you use a data protection impact assessment to help you to decide this, and if the processing is likely to be high risk then you must do a DPIA. It is also good practice to consult with children as part of your design process as this may be your best method of assessing need and understanding.
Even if you aren’t actively seeking to process children’s personal data (for example if you are designing a product or service that is aimed at adults not children) you need to think about whether children are able or likely to access the product or service, as if they are you may end up processing children’s personal data anyway. In this circumstance you need to consider the data protection risks and either put in place appropriate safeguards to protect against them or take measures appropriate to the risks involved to deter children from providing their personal data.
Similar considerations apply if you design a product for older children, but think that younger children are likely to use it.
What if we’re processing special categories of personal data?
If you are processing ‘special categories’ of personal data, such as health data, then as well as needing a lawful basis for processing under Article 6 you also need to identify a condition for processing under Article 9 of the GDPR. This is because Article 9 prohibits the processing of this kind of personal data unless specific conditions are met.
You need to read the conditions in Article 9 in conjunction with Sections 10 and 11 and Schedule 1 of the Data Protection Act 2018. This Schedule provides the detailed circumstances in which the UK has proposed that certain Article 9 conditions will apply. They tend to apply in very specific circumstances and many of them include a necessity test. If a necessity test applies, then the protection of children’s personal data may be a particular consideration when applying this test. You need to use your sector-specific expertise to decide what is proportionate and in the best interests of the child. The condition for the safeguarding of children and individuals at risk has obvious relevance when processing children’s personal data in a child protection context, but other conditions may equally apply when processing children’s personal data.
For further detail on the conditions for processing special categories of personal data, please see our Guide to the GDPR. Further guidance on the detailed provisions of Schedule 1 will be provided in due course.