ICO seeks comment on draft Children and GDPR guidance

By Elizabeth Denham, Information Commissioner.

GDPR-children-blog-rbgChildren today are truly digital natives. With that in mind, we need to ensure that they have the tools to be contributing digital citizens. This means that the protection of children’s personal data is fundamentally important.

That is why the General Data Protection Regulation (GDPR) will introduce new, specific legal responsibilities for organisations processing children’s data from 25 May 2018.

I am pleased that the special case of children’s privacy rights is part of the wider conversation about the UK’s digital future. Protecting children online is the shared responsibility of lawmakers, companies, platforms, parents and regulators and we need to get this right.

Encouraging children to interact with creative and educational opportunities online is an increasingly important part of growing up. We have to allow kids to develop agency while ensuring their fundamental interests and rights are protected. This is an area of focus for the ICO.

We have sought expert opinion from a variety of sources, including academics, child advocacy services, NGOs and industry about how to do this. We have now published draft guidance on children and the GDPR and seek your comments.

Once we have considered the responses, we will produce final guidance. In the meantime, this draft is aimed at providing some clarity and certainty for organisations. Even if some details are yet to be confirmed, the principles are likely to remain largely unchanged.

And while we want as many people and organisations as possible to respond to our consultation, we also want stress that organisations need to be working towards compliance now.

Data controllers that follow the advice in this guidance and can show that they have given proper consideration to children’s privacy should be well placed to demonstrate their compliance with the GDPR. Data Protection Impact Assessments (DPIAs) and audit trails of decision making will help in this respect.

There will, however, be no excuses for those that don’t, and which consequently place children at risk through systemic problems in processing their personal data.

Fairness, transparency and accountability are essential for all data processing, but this is especially relevant when children are accessing online services. Anyone offering online services to children will have to ensure that they are addressed in plain, clear language that they can understand.

There are new rules concerning areas such as automated decision-making, the right to erasure and also around consent. Between now and May, organisations offering online services to children will need to review their existing processing, clarify under what lawful bases they will process data in the future and make sure they meet the relevant requirements. If they are providing online services to children and are relying on the basis of consent, they will need to take action now to get valid consent in place before May.

This doesn’t mean consent will always be required, though – organisations may be relying on a different basis for processing (such as legitimate interests) and it may be that a different basis is better for both the data controller and the child.

Children’s information rights are also likely to be given added protection in the Government’s Data Protection Bill, currently proceeding through Parliament and which will complement the GDPR.

A new amendment will commit my office to produce a code of practice for data controllers on age-appropriate website design. While there are still some issues of detail to work out, it is a measure I support whole-heartedly, particularly as it furthers the concept of data protection by design, which is a key feature of GDPR.

Children’s privacy rights are extremely important. That’s why, as well as producing this draft guidance, the ICO has also funded independent research into this key area through our Grants Programme.

More GDPR guidance will be coming in the New Year and the resources on the ICO website will be the first place to look for the latest news and advice.

elizabeth-denham-blogElizabeth Denham was appointed Information Commissioner in July 2016. Her key goal is to increase the UK public’s trust and confidence in what happens to their personal data.


This entry was posted in Elizabeth Denham and tagged , , . Bookmark the permalink.

10 Responses to ICO seeks comment on draft Children and GDPR guidance

  1. Anonymous says:

    Excellent steps.

  2. Pingback: UK's DPA seeks comment on draft Children and GDPR guidance « Data Protection News

  3. Halai says:

    The ICO needs to make it clear that the consent for capturing children data is not just for online services but where children data is captured. Also, when it comes to submitting a SAR, the organisation responding to the SAR should make sure that the parent is made aware of the SAR and any response is sent to the parent well.

    • Martin says:

      It is a shame the ICO is not responding to these comments, as I can not agree 100% with Halai’s post, in particular around responding to SARs.
      SARs are information about the individual, some of which could be sensitive or special category information. Therefore my organisation, which deals directly with ‘children’ and their information, will NOT be accepting a SAR from anyone other than the data subject. That means NOT responding if a parent makes a SAR about their child (unless consent from the child is obtained to do so) or, as Halai suggests, send them a copy of the response when the data subject/child makes a SAR.
      If further guidance is forthcoming from the ICO around this, or case law against another organisation holding the same view point states this is an erroneous processing judgement, then we will review this position.

  4. Pingback: ICO seeks comment on draft Children and GDPR guidance « Data Protection News

  5. Andy says:

    I’m interested to know about the age of consent for non online services. e.g. does 16 (13 according to Data Protection Bill) apply to other consent, like using a photo?

  6. DEL says:

    Andy, check out page 11 of the guidance that covers competence.

    Note that s.191 of the Bill gives specific guidance with respect to children in Scotland.

  7. Anonymous says:

    The ‘Lawfulness of Processing’ section of the GDPR text specifically calls out the need to protect the interests, freedoms & rights of children (article 6, section 1(f)) when deciding the legal basis for processing:

    “processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”

    However, the guidance “in particular where the data subject is a child.” appears to be missing from the ICO version of the original text.

  8. Caroline says:

    I don’t think it is clear enough at what age a child can exercise their rights. It is clear about on line services and a child under 13 years needing PR consent but it isn’t clear whether the age of 13 and above can consent to processing or the exercise of rights. A child around 12 with the ability to understand the process needs to consent if a parent makes a sar on their behalf-and could exercise their own rights-Schools currently seek parental consent where the student is under 16. For school photographs outside usual activity in schools can a child over 13 consent to the processing ? We need clarity on the questions: at what age can a child consent to processing and at what age can a child exercise DPA rights: sar/erasure/stop processing.

  9. Paul says:

    Personally I think the age limit for children’s consent is wrong. It should be at least 16 for non parental consent, and preferably 18 in my opinion. Children may be “Digital Natives” but their real world experience is that of years younger than it used to be. More thought, and discussion is required.

Leave a Reply