When the GDPR came into force it introduced specific controls relating to children:
- If you rely on consent as the lawful basis for processing personal data when offering an online service aimed at children, then you also need parental consent for any child 12 or under (and that means you’ll need a mechanism for identifying the age of the child and that the person giving consent for under 13s do in fact have parental responsibility)
- When processing their data for marketing purposes
- You shouldn’t usually use automated decision making processes relating to children if this will have legal or similar affect on them
- Privacy notices need to be written, when addressing children, in a way a child would understand
And of course a child has the same rights as an adult when it comes to data protection compliance in general.
As well as enforcing the GDPR and its application to children, the ICO are obliged to (via the Data Protection Act 2018) produce a code of practice on age appropriate design. The Code will set out the expected responsibility for those building online services likely to be accessed by children. At the time of writing this post, the consultation has closed and we’re awaiting the output, i.e. the Code.
The ICO also funded, via its grant scheme a research project by the London School of Economics (LSE): “Children’s data and privacy online: Growing up in a digital age“. This makes for an interesting read, mainly providing insight into what children think about data privacy. The highlights (although the report covers much more than these):
- Children are often early adopters when it comes to new technologies, processing activities, etc. and often ahead of adults
- Children care about their privacy and “engage in a wide range of strategies to keep their devices, online profiles and personal information safe from unwanted interference“
- For children, there can be a confusion between privacy in the context of e-safety and that with regards to data protection
- Children focus on the data they know they give but don’t focus on how other data may be collected about them so they won’t necessarily understand that an organisation may process the data they provide in other ways, or collect other data about them (e.g. for profiling)
- Children don’t always understand the data privacy terminology they’re confronted with when data is being asked for
The report also takes a look at some teacher perspectives. Whilst teachers tend to be like other adults in terms of not keeping up with what children are doing with technology there is certainty that schools are “GDPR compliant” although perhaps not so in terms of some of the systems they are using.
That last point is an interesting one. Teachers often use third-party systems to process pupil data for their day to day processes (e.g. SIMs, Arbor, iSAMS information management systems), but they’re also using other third-party systems that they perhaps don’t have a better understanding of how the systems are processing the pupil (and teacher) data. Of course most schools are mandated to have a DPO so they should be taking responsibility for how personal data is being processed by these third-party data processors.
We offer DPO and data compliance services to schools, multi-academy trusts, etc. and we think this report has very important messages for DPOs across the education sector:
- Don’t underestimate just how data privacy savvy children are – they probably have a better understanding than a lot of the adults around them
- Be prepared for more and more children to challenge how their data is being used – the report highlights that children “expect the internet to be mostly fair, and they expect parents, educators, regulators and companies to act responsibly and in children’s interests” and they want to make their own “decisions about their online participation and in protecting their privacy, but also see this as a shared responsibility of all the stakeholders involved“
- Children want things explained in a way they’d understand, they want child friendly terms and conditions and want to understand more about how their data is being processed, having it explained in a way they’ll understand fully.
- Children expect the adults around them (i.e. teachers within school) to help them understand if they need help – the trouble is, those adults may not understand it themselves
For the DPO in the school, academy, trust, etc. this brings into question whether their role as DPO is much wider than worrying about internal compliance but also how they can help pupils understand how their data is used in the school and be prepared to explain this to teachers. So maybe there’s a role for the DPO to help teachers deal more with their pupil’s data expectations, to educate more and support more than dealing with daily data compliance tasks.
If you’re a DPO in a school, Academy or trust we’d be interested in hearing your thoughts on the report – it’s worth a read if even to give a perspective around how children perceive data privacy. And of course, if you’re looking for support for your establishment, get in touch to see how we can help you.