The Information Commissioner’s Office has opened up for consultation the GDPR section on children and the protection of their personal data.
The tech generation
Children these days take to technology, software and the internet like a duck to water. But this frequent use of social media and other apps could put their personal data at risk. This is why careful consideration needs to be given to the legal responsibilities in the General Data Protection Regulation when it comes to the processing of their data.
ICO’s open consultation on Children and the GDPR
Back in December, the ICO published draft guidance on processing the personal data of children and the GDPR. Drawing on the expertise of a number of sources including non-government organisations, academics and child advocacy services, the draft, which is up for public consultation until 28th February, covers areas like marketing and automated decision making. So what recommendations have the ICO drafted up?
A child’s consent to online services
When we talk about online services, or information society services (ISS), we are referring to things like communication networks, online shops and streaming services.
Now, if these services are directly offered or marketed to children, legal consent needs to be obtained. Under the GDPR, any organisation offering these services should take reasonable steps to ensure that the child is at least 13 years of age before they can give such consent.
For anyone under that age, the organisation should obtain consent from a parent or guardian. There is an exception where the services are, for example, for preventing harm or for counselling; in those cases no parental consent should be sought by the provider.
Using a child’s personal data for marketing purposes
The ICO says that if you consider marketing to children, you must “take into account their reduced ability to recognise and critically assess the purposes behind the processing and the potential consequences of providing their personal data”.
This also comes under the age appropriateness of websites and wording of privacy notices.
“A new amendment will commit my office to produce a code of practice for data controllers on age-appropriate website design. While there are still some issues of detail to work out, it is a measure I support whole-heartedly, particularly as it furthers the concept of data protection by design, which is a key feature of GDPR.”
Elizabeth Denham, Information Commissioner
Automated decision-making processes and children’s data
The GDPR places additional restrictions on making automated decisions about a child using their personal data, without human intervention, particularly if this could have legal implications (or similar). This includes profiling.
A data subject must be able to express their point of view and “obtain an explanation of the decision and challenge it”. This is obviously more challenging for a child, which is why these restrictions have been brought into place.
Children have the same rights as adults under the GDPR
When it comes to their data, children are protected even more than adults under the new data protection laws. This includes rectification requests, processing objections and the right to erasure.
The right to erasure, or right to be forgotten, is particularly important if consent was given when they were a child. The organisation in question would need to demonstrate that lawful consent was given.
This is obviously a huge subject and an important area for the GDPR to get right. As we said earlier, you still have time to submit your feedback on the draft, as long as you do it by 28th February 2018.
The information in this blog is for general guidance and does not constitute legal advice.