The Information Commissioners Office (ICO) has published draft guidance on GDPR and children and is seeking comments on the proposed guidance. The consultation is currently open, and will close on 28 February 2018.
General Data Protection Regulation (GDPR) comes into effect on 25 May 2018, and the regulations will introduce new, specific legal responsibilities for all organisations that process children’s data. This will include schools, charities, community groups, councils and any organisation that stores or processes personal data of children.
Elizabeth Denham, Information Commissioner, said, “I am pleased that the special case of children’s privacy rights is part of the wider conversation about the UK’s digital future. Protecting children online is the shared responsibility of lawmakers, companies, platforms, parents and regulators and we need to get this right.”
GDPR identifies children as “vulnerable individuals” who need “special protection” and therefore you should consider how the child-specific rules will affect your organisation, and start preparing for the new regulations now. Final guidance will be published after the consultation period ends, but the ICO stresses that the principles “are likely to remain largely unchanged.”
GDPR principles regarding children and data protection include:
- Children must be given particular protection when their personal data is collected and processed, as they may be less aware of the potential risks.
- If an organisation process children’s data, or thinks that they might at some point in the future, then they must consider the need to protect children from the outset, and design their methods and processes with this in mind.
- Compliance with data protection principles should be at the heart of all processing of children’s data.
- There must be a lawful basis for processing a child’s personal data. Consent is one possible lawful basis, but it is not the only option and an alternative basis may be more appropriate and provide better protection for the child.
- If you rely on consent as the lawful basis for processing personal data, only children aged 13 or over are able to provide their own consent in relation to an online service. With regards to children aged under 13, consent must be obtained from whoever holds parental responsibility – unless it is a counselling or preventative service.
- Data Protection Impact Assessments (DPIAs) should be used to assess and mitigate the risks to children.
- Transparency – organisations should make it clear to children how they will be using their personal data. They should ensure they are open about the risks involved and the safeguards in place. Organisations should make it easy for children to understand what to do if they are unhappy about how their data is used.
- Organisations should use clear and easy to understand language in relation to children and when offering online services to children.
- The individual’s ‘right to erasure’ is particularly relevant if consent to data processing was originally given as a child.
- It is good practice to consult with children when designing processing models, and organisations are encouraged to test their processes and seek feedback from children.
Recital 38 of GDPR states, “Children require specific protection with regard to their personal data as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data.
Such specific protection should, in particular apply to the use of personal data of children for the purposes of marketing or creating personality or user profiles and the collection of personal data with regard to children when using services offered directly to a child. The consent of the holder of parental responsibility should not be necessary in the context of preventive or counselling services offered directly to a child.”
The full consultation regarding GDPR and children can be downloaded from the ICO website, and documents to respond to the consultation are also available.
Talk To Us
Stackhouse Poland as a leading provider to the education, communities and charity sectors. If you would like to learn more about the GDPR, ways in which your organisations can prepare for it and how insurances can transfer risks and complement your business processes and readiness, please feel free to contact a member of your Stackhouse Poland team.