Draft ICO guidance clarifying the approach to the processing of children's personal data under the General Data Protection Regulation (GDPR) has been published for consultation.
The draft guidance focusses on a number of key considerations and aims to explain the specific legal responsibilities for organisations processing children's personal data under the new regime from 25 May 2018.
General approach to processing children's personal data
Organisations should afford specific protection to children from the outset when designing systems and processes (and should consider consulting children). The ICO recommends the use of a Data Protection Impact Assessment so that organisations can identify and mitigate data protection risks to children.
Where there is uncertainty as to whether a data subject is a child, the draft guidance proposes the use of a "cautious approach" by taking into account the target age range as well as the potential that children outside this age range may also provide their personal data.
Choosing a basis for processing children's personal data
Any of the lawful bases included in Article 6 of the GDPR can be relied on for the purposes of processing children's personal data (with the exception of the legitimate interests basis on which public authorities acting in the performance of their public tasks cannot rely).
Where organisations use consent as a lawful basis for processing, they must make sure that the child understands what they are consenting to in order to ensure that the consent is "informed" and valid. The ICO's draft guidance should be taken into account when consent is being used as a basis for processing.
If organisations rely on "performance of contract", they must consider children's competence to enter into the contract and to understand the implications of the processing. The draft guidance recommends obtaining legal advice to ensure the validity of the contract in question.
Should organisations rely on the legitimate interests basis, they must consider the nature and purpose of the processing as well as the potential risks it entails, in order to ensure that appropriate measures are taken to safeguard children against those risks.
Rules about an information society service and consent
Where organisations direct an information society service (online service) at a child below the age of 13 (the UK age limit adopted in the Data Protection Bill, subject to the passage of the Bill), consent will be required from the holder of parental responsibility in order for the processing to be lawful. In this context, organisations must make reasonable efforts (using available technology) to verify that anyone giving consent is old enough to do so and holds parental responsibility.
Marketing directed at children
When considering marketing directed at children, organisations should take into account their lack of understanding or their vulnerability and consider ways to mitigate risks. Organisations will need to comply with the Privacy and Electronic Communications Regulations 2003 if they wish to send electronic messages to children and must cease processing data for direct marketing if the child asks them to do so.
Decisions about children based on automated processing
The ICO states that, generally, an organisation should not make decisions about children that are based solely on automated processing (including profiling) if these have a legal (or similarly significant) effect on the child. Where such processing does occur (because an organisation relies on one of the exceptions in Article 22 of the GDPR), the organisation must ensure that suitable measures are in place to protect children's rights.
Privacy notices and children's rights
Children have the right to be informed about who the processor is and how their personal data will be used in a clear, transparent and accessible manner (for example by using diagrams or videos). The ICO recommends providing additional information concerning the risks associated with processing as a matter of best practice. Other rights children have include the right to be given a copy of their personal data and to have their personal data erased, which should be made easy for children to exercise.
The draft guidance states that once the ICO has considered the responses to its consultation (which closes on 28 February 2018), it will produce the final version of the guidance. While some details in the guidance are yet to be confirmed, the principles are likely to remain largely unchanged. Organisations should therefore refer to the draft guidance to ensure that they comply with the GDPR when dealing with children's data.