The processing of personal data in England and Wales is governed by the General Data Protection Regulation and the Data Protection Act 2018 (Data Protection Legislation). Under Data Protection Legislation, children merit specific protection with regard to their personal data, as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of their personal data.
Children’s personal data is not automatically classified as “special category data” (this used to be referred to as sensitive personal data). However, the type of data collected may render the data “special category data” if it reveals certain characteristics of the child.
This needs to be taken into consideration when building an app or platform for children to use and/or formulating a business which involves the collection of or processing of children’s personal data.
In order to process personal data, you must establish a lawful basis for doing so. The possible grounds for processing personal data under Data Protection Legislation are:
- Fulfilment of a contract;
- Legal obligation;
- Vital interests;
- Public interests; and
- Legitimate interests.
In theory, all of the bases listed above can be relied on to process a child’s personal data. However, for some of the bases, there are important additional considerations and some may not actually be applicable in most circumstances. This article focuses on consent as the lawful basis for processing children’s personal data. Note that none of the above bases alone are sufficient for the processing of special category data.
The difficulty with consent
In England and Wales, there is no set age at which a child is generally considered to be competent to provide their own consent to the processing of their personal data, save for when an online service is offered directly to children (see below). The competence of children is assessed depending upon the level of understanding of the child and, of course, this varies.
In order to rely on consent as the valid lawful basis for processing children’s personal data, you must give children (or their parents/guardians where appropriate) an informed choice and control over how you use their personal data. Such consent needs to be easy to give and withdraw and the consent must be voluntarily given by the data subject; data subjects should not feel pressured to provide consent. By way of example, consent may be obtained by including a tick-box consent mechanism or by return email – either way, it must be explicit consent.
Consent does not mean that you are exempted from assessing the risks inherent in the processing of children’s personal data and using consent as a lawful basis does not necessarily guarantee that your processing of such personal data is fair.
Most online services like websites, apps and search engines (to name a few) are classed as an ‘information society service’ (ISS). If an ISS is offered directly to a child and consent is the lawful basis on which the online service provider is relying to process the children’s personal data, then at law, a child aged 13 or over can give their own consent. However, if a child is under the age of 13, then their parent or guardian with parental responsibility must provide consent.
If an online service is offered to a child through an intermediary like a school, then this age requirement does not apply and the standard is that there is no set age by which a child can give consent.
It is important to take specialist legal advice in relation to the collection of all types of personally identifiable information; especially if it is in relation to a child because all personal data relating to children requires specific protection. At Stephens Scown, we have expert data protection advisors who can assist with your legal compliance in relation to data protection and the control and processing of personal data.