Dealing with Children's Data

According to the GDPR, children merit specific protection with regard to their personal data, as they may be less aware of the risks, consequences and safeguards concerns and their rights in relation to the processing of personal data.

Definition under the DPA

In Scotland, children aged 12 years and over will be presumed to have the ability to give their own consent (with parental consent required for younger children).

Whilst that rule doesn’t apply in the rest of the UK, it does offer a good starting point for determining whether a child is capable of understanding their rights under the DPA.

Otherwise, the DPA is relatively silent on the issue of children’s data.

What does the DPA definition really mean?

The position is clear in Scotland - where you collect or process any data relating to a child aged 11 years or younger, then you must obtain parental consent.

There is no similar rule for the rest of the UK, so the position isn’t as clear cut. However, the Scottish rule does offer a good starting point, and we’d suggest that where you collect or process any data relating to a child aged 11 years or younger, or even an older child where you have reason to believe they don’t understand what it means to give consent, then you should obtain parental consent.

Definition under the GDPR

Any information given to, or communication with, a child must be in “such a clear and plain language that the child can easily understand”.

Where a child asks a business to provide a service for which payment is normally made, parental consent will be required unless the child is aged 16 years or over.

What does the GDPR definition really mean?

The age at which a child can give their own consent is raised to 16 years across the UK. However, the UK is allowed to pass its own national law lowering that age limit to 13 years, but no lower.

In addition, the data controller is under an additional duty to make reasonable efforts to verify that, where consent is given by a parent or guardian, that that person does actually have parental responsibility for the child.

What are the significant differences between the DPA and the GDPR?

Apart from the increase in the age where a child can give their own consent, the GDPR has inserted a requirement for all communications to be in plain and simple English.

What effect will this have on UK businesses?

The “clear and plain language” requirement will affect any business that offers services for children, eg. mobile phone apps, or social media services for children. The terms and conditions for such apps/services will need to be written differently to those targeted at adults.

It will also change the position on children aged 12 to 15, who will no longer be able to give their own consent when downloading apps, etc. In those cases, parental consent will be required, and the business will have to bear the burden of checking that whoever gave consent did have parental responsibility.

Even businesses who don’t provide online services to children, but simply hold data relating to children, it is important to note those children have just the same rights under the GDPR as adults, except that when a child exercises those rights, any response must be written in a way that the child will understand. And that is a very difficult skill.

But note that even young children own their own personal data, and hence are entitled to exercise rights under the DPA. For example, a parent does not have the legal right to make a subject access request in relation to their child’s data. A child’s personal data is not owned by the parent.

What will my business need to do?

First, consider whether any of your services are targeted at children, or used by children. If so, it will be important to ensure that your terms and conditions are updated in order to satisfy the “clear and plain language” requirement.

Secondly, if your business does process any personal data relating to children, review how you obtain consent at the point of collecting that data. Do you take steps to verify the child’s age? Are those steps reasonable? And if the child is under 16 years, how will you ensure that you obtain the consent of someone with parental responsibility for that child?

And then take steps to ensure that, such a data subject ever look to exercise its rights under the GDPR, you verify the age of the data subject before responding …and if the data subject is a child, ensure you respond in suitable language. Or potentially, if the child is particularly young, consider responding instead to somebody with parental responsibility for the child.

 

Q&As

My business is designing and selling mobile phone apps, and I’m pretty sure children are downloading them. So what do I need to do?

Assuming that, as part of the download process or the app itself, you obtain any personal data from the user, then we suggest you employ a three-step process. First, ensure your business’s terms and conditions are written clearly and plainly in a way that a child would understand them. We appreciate that this is easier said than done. Secondly, ensure you verify the age of any person that downloads the app so that, when you come to obtain their consent to you processing their personal data, you know whether they are capable of giving consent (or whether you need to obtain parental consent). And finally, ensure that your app contains some process by which it asks for parental consent if the user is aged 15 years or under, and also contains some attempt at ensuring whoever ticks the box does actually have parental consent (and it is isn’t simply the child ticking the box).
Of course, if you do not collect or process any personal data on behalf of the user, then you don’t need to worry at all.

My 13-year-old daughter wants to find out what information social services are holding about her. Can I make a request on her behalf?

No, the request must come from your daughter because the request relates to her personal data. However, with your daughter’s consent, you can ask social services to respond directly to you. But social services would have to satisfy themselves that you had authority to act on your daughter’s behalf.

So, if I receive a subject access request that appears to be from a five-year-old boy, I have to treat it seriously?

Yes. But you may wish to take steps to identify a person with parental responsibility for the boy, and determine whether your response should be to that person rather than the boy.

I’m an accountant, and I keep details of my clients’ children to assist with claims for child tax credit and other benefits. Do I need to do anything?

You would treat that information in the same way as you’d treat any other personal data, but those children would also have the same rights under the GDPR as any adult.

 

Glossary

  • Data controller means the person/business who determines the purposes for which personal data will be processed, and the manner in which it will be processed.
  • Data subject means the living individual that is identified, or can be identified, from the personal data.
  • DPA means the Data Protection Act 1998, the statute that previously governed the processing of personal data in the UK.
  • GDPR means the General Data Protection Regulation, the EU law that is now in place of the Data Protection Act 1998.
  • Personal data means any data from which a living person can be identified.
  • Process means to do just about anything with personal data, e.g. collecting, recording, organising, structuring, storing, adapting, altering, retrieving, consulting, using, disclosing, transmitting, erasing, destroying or otherwise making the data available to somebody else.

 

Notes
This briefing is based on the law as it stands in July 2017. It is possible (and, indeed, likely) that, before the GDPR comes into force in May 2018, the Information Commissioner’s Office will release a number of guidance notes that will help to interpret the GDPR. These guidance notes may offer additional advice for UK businesses, and may even cause some of the information in this briefing to become incorrect. As a result, this briefing does not amount to legal advice and is provided for information purposes only. It should not be regarded as a substitute for taking up-to-date legal advice.