As many more children start to use social media platforms, the ICO continues to remind organisations on the importance of adopting specific protection of children’s personal data. Collection of children’s data remains an area of concern for the ICO and the DPA provides that in the UK a child must be at least 13 years old in order to consent to the processing of their personal data. Children will be less aware about why an organisation may hold their personal data and the associated risks and consequences. In particular, the ICO has made clear that if the processing of a child’s personal data is likely to result in a high risk to the rights and freedoms of the child, the controller must complete a Data Protection Impact Assessment (‘DPIA’).
Transparency is likely to play a key part in raising a child’s awareness regarding their own personal data. The ICO therefore recommends that organisations acts as follows:
- tell children what you, are doing with their personal data
- be open about the risks and safeguards that have been put in place to protect their personal data; and
- let children know what to do in situations where they are not happy with what is being done with their personal data.
It is important to remember that children have the same rights as adults under the GDPR and they may exercise their own rights under the GDPR as long as they are competent to do so. By adhering to the above organisations will ensure and help demonstrate compliance. In addition, if you are offering an information society service (‘ISS’) directly to a child, it is important to verify that children providing their own consent are old enough to do so. Organisations should ensure that their privacy information notices are clearly written to allow children to understand what happens to their personal data and what rights they have under the new law. This is likely to mean that a separate privacy information notice is needed to help children understand what their data is being used for and how the organisation processes it.
In December 2018, a former head teacher was prosecuted by the ICO for illegally obtaining personal data relating to school children from two primary schools where he had previously worked. The information included names, pupil attainment and performance management data for staff. He was fined over £1,000 for breaching section 55 of the Data Protection Act 1998, which prohibited the unlawful obtaining of personal data. The ICO’s Criminal Investigation Group Manager has said that the ICO will “continue to take action against those who we find have abused their position of trust.”