22 12 2017 Insights Childcare

Draft guidance on children and the GDPR

1513935313404 Childholdinghand

By Clare Daly
22 December 2017

Children are provided a specific protection under the GDPR. Recital 38 of the GDPR states that:

“Children require specific protection with regard to their personal data as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data.
Such specific protection should, in particular apply to the use of personal data of children for the purposes of marketing or creating personality or user profiles and the collection of personal data with regard to children when using services offered directly to a child.
The consent of the holder of parental responsibility should not be necessary in the context of preventive or counselling services offered directly to a child.”

Helpfully, the UK Information Commissioner’s Office has now published a draft guidance on children and the GDPR, and the draft guidance is freely available online here https://ico.org.uk/media/about-the-ico/consultations/2172913/children-and-the-gdpr-consultation-guidance-20171221.pdf

The Information Commissioner is seeking comments on foot of the draft and, in the meantime, the draft working document itself is being published to provide some clarity and certainty for organisations.

In the introduction to the draft guidance, a helpful summary under the title “What’s New?” is set out as regards the incoming GDPR and the changes that will result, and it provides that:

  • “If you rely on consent as your lawful basis for processing personal data when offering an ISS (online service) directly to children, only children aged 13 or over are able provide their own consent. You may therefore need to verify that anyone giving their own consent in these circumstances is old enough to do so.
  • For children under this age you need to get consent from whoever holds parental responsibility for them - unless the ISS (online service) you offer is an online preventive or counselling service.
  • You must make reasonable efforts (using available technology) to verify that the person giving consent does, in fact, hold parental responsibility for the child.
  • Children merit specific protection when you are collecting their personal data and using it for marketing purposes or creating personality or user profiles.
  • You should not usually make decisions about children based solely on automated processing if this will have a legal or similarly significant effect on them. The circumstances in which the GDPR allows you to make such decisions are limited and only apply if you have suitable measures to protect the interests of the child in place.
  • You must write clear and age-appropriate privacy notices for children.
  • The right to have personal data erased is particularly relevant when the individual gave their consent to processing when they were a child.”

Fairness, transparency and accountability are essential for all data processing, but this is especially relevant when children are accessing online services. The Information Commissioner states that anyone offering online services to children will have to ensure that they are addressed in plain, clear language that they can understand.

There are new rules concerning areas such as automated decision-making, the right to erasure and also around consent. The Information Commissioners office also stressed that where an organisation is providing online services to children and they are relying on the basis of consent, they will need to take action now to get valid consent in place before May.

The guidance is helpful and informative from the Irish perspective. As we await the provisions of the Data Protection Act 2018 it remains to be seen exactly what provisions will be brought into force, particularly as regards the special protections that must be put in place as regard a child’s personal data.

For more information on the content of this Insight contact:
Clare Daly, Solicitor, clare.daly@rdj.ie, +353 21 2332864

SHARE
Stay loop bg
Sign up

Stay in the loop

Sign up to our newsletter

Related Insights

Mobilephone teenager
Cyber and Data Protection 17 05 2018

The “Digital Age of Consent” in Ireland will be 16

It has been recommended that the digital age of consent to be set at 13.

Read more About This The “Digital Age of Consent” in Ireland will be 16
Courthouse Columnsand Clouds
Childcare 28 03 2018

High Court determines that a child protection referral is protected by qualified privilege

Child protection referral made to Tulsa can be protected by qualified privilege

Read more About This High Court determines that a child protection referral is protected by qualified privilege
Childplayingleaves
Childcare 15 12 2017

New Child Protection Procedures in Schools have immediate effect

The Department of Education have released updated Child Protection Procedures.

Read more About This New Child Protection Procedures in Schools have immediate effect
Childholdinghand
Childcare 03 10 2017

Mandatory Reporting- Childrens First Act 2015

By Clare Daly 3 October 2017 Mandatory Reporting and Child Safeguarding Statements will become law in just over 2 months. The remaining provisions of the Children First Act 2015 will come into effect on the 11th of December next. 10 KEY POINTS TO…

Read more About This Mandatory Reporting- Childrens First Act 2015