The GDPR does not represent a fundamental change to many of the rights that children have over their personal data. The Data Protection Act 1998 (The 1998 Act) does not specifically mention children however its provisions apply to them as individuals in their own right. For example, children have the right to request a copy of their personal data under both pieces of legislation and have the right to request that you stop processing their data. Unlike the GDPR, the 1998 Act does not explicitly require that children’s data is protected and does not require that privacy notices must be clear and accessible to a child or tailored specifically for them. However, you may well have already adopted procedures that comply with these requirements as a matter of good practice.
Fairness and compliance with data protection principles remain key concepts under the GDPR and should still be central to all your processing.
The concept of competence (the child’s capacity to understand the implications of their decisions) remains as valid under the GDPR as under the 1998 Act. If a child is not competent to exercise their own data protection rights or consent to processing themselves then it will usually be in their best interests to allow an individual with parental responsibility to act on their behalf. If a child is competent then your overriding consideration should still be what is in their best interests however, in most cases it should be appropriate to let the child act for themselves.
You may have processed a child’s personal data applying the ‘legitimate interests’ condition for processing under the 1998 Act and, unless you are a public authority, this is an equally valid basis for processing under the GDPR. Public authorities now need to consider whether the processing is necessary in the performance of a task carried out for their functions or if one of the other Article 6 bases for processing applies.
We already advise data controllers to adopt a privacy by design approach, and to take into consideration the rights and freedoms of the particular data subjects whose personal data they are processing when designing new systems and processes. Data controllers who have adopted this approach for children should find they have already implemented many of the specific requirements of the GDPR.
However, it is recommended that you review any processing you undertake to ensure that it is compliant with the new GDPR requirements set out in this guidance and the Guide to GDPR, as there are some new requirements particularly about online processing.
The GDPR explicitly states that children’s personal data merits specific protection.
It also introduces new requirements for the online processing of a child’s personal data.
In circumstances where an ISS is offered directly to a child, and you rely on consent as your basis for processing, in the UK only children aged 13 or over are able to give their own consent. For children under this age, unless the ISS is an online preventive or counselling service, consent needs to be provided by the holder of parental responsibility over the child.
This means that if you make your ISS available to children, and you wish to rely on consent to legitimise your processing, you need to verify that anyone providing their own consent is old enough to do so.
You are also required to make reasonable efforts (using available technology) in these circumstances to verify that consent provided on behalf of a child under the age of 13 has, in fact, been provided by the holder of parental responsibility for that child.
The GDPR also states explicitly that specific protection is required where children’s personal data is used for marketing purposes or creating personality or user profiles. So you need to take particular care in these circumstances.
The GDPR says that you should not subject children to decisions based solely on automated processing (including profiling) if these have a legal or similarly significant effect on them. Although there are exceptions to this prohibition they only apply if suitable measures are in place to protect the rights, freedoms and legitimate interests of the child, and Recital 71 to the GDPR gives a clear indication that they should not be the norm. So if you currently make these types of decisions about children you need to carefully review this processing.
Finally, the GDPR requires the provision of age-appropriate privacy notices for children, and says that the right to have personal data erased is particularly relevant when processing is based upon the consent of a child.
These issues are discussed further within this guidance:
- What should our general approach to processing children’s personal data be?
- What do we need to think about when choosing a basis for processing children’s personal data?
- What are the rules about ISS and consent?
- What if we want to target marketing at children?
- What if we want to profile children or make automated decisions about them?
- How does the right to be informed apply to children?
- What rights do children have?
- How does the right to erasure apply to children?