Draft Guide on Children’s Personal Data and the GDPR

UK Information Commissioner Elizabeth Denham has launched a consultation on proposed guidance when processing children's personal data under the GDPR (General Data Protection Regulation). The consultation runs until 28th February 2018

Children today are truly digital natives. With that in mind, we all need to ensure that they have the tools to be contributing digital citizens. Encouraging children to interact with creative and educational opportunities online is an increasingly important part of growing up. We have to allow kids to develop agency while ensuring their fundamental interests and rights are protected.

This means that the protection of children’s personal data is fundamentally important to everyone concerned. From the children and their parents through organisations processing their personal information to regulators.

With only four months to go before the GDPR comes into force, the proposals aim to help organisations comply with the new law. Plus, it gives help and advice to parents on what to expect from those organisations that process their children's data.

Processing Children's Personal Data

  • Children need particular protection when you are collecting and processing their personal data because they may be less aware of the risks involved.
  • If you process children’s personal data then you should think about the need to protect them from the outset, and design your systems and processes with this in mind.
  • Compliance with the data protection principles and in particular fairness should be central to all your processing of children’s personal data.
  • You need to have a lawful basis for processing a child’s personal data. Consent is one possible lawful basis for processing, but it is not the only option. Sometimes using an alternative basis is more appropriate and provides better protection for the child.
  • If you are relying on consent as your lawful basis for processing personal data, when offering an online service directly to a child, only children aged 13 or over are able provide their own consent.
  • For children under this age you need to get consent from whoever holds parental responsibility for the child - unless the online service you offer is a preventive or counselling service.
  • Children merit specific protection when you use their personal data for marketing purposes or creating personality or user profiles.
  • You should not usually make decisions based solely on automated processing about children if this will have a legal or similarly significant effect on them.
  • You should write clear privacy notices for children so that they are able to understand what will happen to their personal data, and what rights they have.
  • Children have the same rights as adults over their personal data. These include the rights to access their personal data; request rectification; object to processing and have their personal data erased.
  • An individual’s right to erasure is particularly relevant if they gave their consent to processing when they were a child.

Further information

Please visit https://ico.org.uk/about-the-ico/consultations/children-and-the-gdpr-guidance to view the consultation documents.