
ICO publishes draft guidance on children and the GDPR

Published on 11 April 2018

What extra requirements must be met when processing the personal data of a child under the GDPR?

The background

Upon coming into force on 25 May 2018, the GDPR will introduce new, specific legal responsibilities for organisations that are processing children's data.  On 21 December 2017, the ICO published draft guidance on children and the GDPR, intended to provide more detailed, practical guidance for UK organisations that are processing children's personal data under the GDPR.

The development

The GDPR contains provisions intended to enhance the protection of children's personal data.  The draft guidance focusses on the additional, child specific considerations necessitated by those provisions.  From a policy perspective, child specific provisions are provided by the GDPR on the basis that children require more particular protection regarding collection and processing of their personal data, as they are likely less aware of the risks involved than an adult.  The guidance broadly splits the relevant requirements of the GDPR into five categories:

  1. Bases for processing a child's personal data

    Organisations need a lawful basis for processing a child's personal data.  Broadly, there are three bases upon which an organisation can rely:

  • Consent – when relying on this basis, an organisation should ensure a child understands what they are consenting to, and there is no exploitation of any imbalance in power which may exist between the child and the organisation.
  • "Necessary for the performance of the contract" – when relying on this basis, it is important that the organisation consider the child's competence, or otherwise, to understand what they are agreeing to, and their competence to enter into a contract.
  • "Legitimate interests" – when relying on this basis, the organisation should ensure it takes responsibility for identifying the risks and consequences of the data processing, and ensure age appropriate safeguards are in place to protect the child.

  2. Offering an Information Society Service (ISS) directly to a child, on the basis of consent

  • When offering an ISS (online service) to a child, located in the UK and on the basis of consent, an organisation must make reasonable efforts to ensure that anyone providing their own consent is 13+ years old (noting that the UK has adopted 13 as the age of consent).
  • Where a child is under the age of 13, an organisation must obtain the consent of the person with parental responsibility over that child when offering the ISS, and make reasonable efforts to verify that the relevant person does indeed hold parental consent over that child.  Note that age verification or parental consent is not required when the ISS (online service) offers online preventative or counselling services to the child.

  3. Marketing

  • If an organisation is marketing to children, it should take into account a child's reduced ability to recognize and critically assess the purpose behind any processing, and consider any potential consequences of children providing their personal data as part of that marketing.
  • An organisation should also take into account sector specific guidance on marketing, for example that issued by the ASA, in order to make sure children's personal data is not used in a way which could lead to their exploitation.
  • Where a child asks that an organisation stop processing their personal data for the purposes of direct marketing, it should do so.
  • An organisation should comply with the direct marketing requirements of the Privacy and Electronic Communications Regulations (PECR).

  4. Solely automated decision making

  • Children have a right not to be subject to decisions based solely on automated processing if these have a legal or similarly significant effect on them.

  5. Privacy notices

  • Privacy notices should be clear, and written in plain, age-appropriate language.
  • To assist with this, child friendly ways of presenting privacy information should be implemented.  Examples could include: diagrams, cartoons, graphics or videos.
  • If an organisation requires children's personal data, it should explain why it is required, and what it will be used for, in an age appropriate manner.
  • Where relying upon parental consent to process a child's personal data, offer two different versions of privacy notices: one aimed at those holding parental responsibility, and one aimed at children.

More generally, children have the same rights as adults over their personal data.  These rights include the right of access to personal data, the right to request rectification, the right to object to processing and the right to erasure of personal data.

If the original processing was based on consent provided when the individual was a child, an individual's right to erasure is particularly important and should be complied with.

Why is this important?

The GDPR does not represent a fundamental change to many of the rights held by children over their personal data; children already enjoy rights under the Data Protection Act (1998) (the DPA), which applies to children as individuals in their own right.  However, the DPA does not provide explicitly for the protection of children's data in the detailed and specific manner which the GDPR does; the GDPR can be said to be more detailed, tailored and widely encompassing in the protection it provides to children, as compared to the DPA.  It also provides more clarity and certainty for organisations.  By reference to the GDPR, organisations can now be more certain that they are doing enough to protect children's data. 

Any practical tips?

The fact that the DPA already provides some protection to children, albeit as individuals in their own right, means that an organisation may well have already adopted procedures that comply with the more detailed requirements of the GDPR.  Nevertheless, it is critical that data processing procedures are reviewed in light of the detail provided, to be sure of GDPR-level compliance.  Perhaps of all areas, children's data collection is one where a 'privacy by design' approach should be adopted when designing and updating systems, and consideration given to the need for Data Protection Impact Assessments.  Given the clear prescriptive guidance now issued by the ICO, it is hard to see the Information Commissioner giving much leeway to any businesses that ignore or side-step it.

Finally, don't forget to read the guidance in line with other guidance which overlaps.  For example, the Article 29 Working Party has recently released guidance on consent under the GDPR, and that includes interesting commentary on children and consent – for example, where parental guidance has been obtained, the need for fresh consent to be sent to children when they reach the age of consent.