• 2 min read

Are there any additional considerations if my organisation is processing personal data about children? 

Virtual creative lock illustration with microcircuit on blurry contemporary office building background, cyber security concept. Multiexposure

We have discussed previously that personal data relating to children is considered to require greater protection, but actually there is very little specific mention of children in UK data protection law. As previously noted, special category personal data is given additional protection in law (as is criminal conviction data) but special category data does not include within its scope children’s personal data. 

However, there are some additional considerations when processing children’s personal data. These include: 

1. Consent

If an organisation is offering online services directly to a child then in the UK children under the age of 13 cannot provide their own consent for the processing of their personal data. Instead, an adult who has parental responsibility for the child must provide consent for processing. This means that organisations need a way of ascertaining if they are dealing with a child and, if so, their age. This is why social media platforms like TikTok are only intended for use by children aged 13 and over and why they have built in age checks. 

2. Privacy notice

When an organisation is collecting personal data it must provide to relevant individuals information about, amongst other things, the data being collected and how it will be used. This information is set out in a document typically known as a privacy notice. If personal data is being collected from children, the organisation’s privacy notice needs to be written and presented in a way that children can understand, perhaps using pictures, diagrams and videos to help explain what is happening. 

3. Data Protection Impact Assessment (DPIA)

If an organisation intends to use a child’s personal data to offer an online service to them then a DPIA must be carried out, before such use commences, to establish whether the processing will result in a high risk to the rights and freedoms of those children. This is because offering online services to children is one of the circumstances that the Information Commissioner’s Office (ICO) considers is likely to result in such a risk. 

4. The Children’s Code

An organisation offering online services (for example apps, social media platforms and games) to children (or which is offering online services likely to be accessed by children, even if not targeted at them specifically) needs to be aware of, and comply with the requirements of, the ICO’s Children’s Code (also known as the Age Appropriate Design Code). The code contains 15 standards that online services need to follow in order to protect children online, you can read it here.

For more information, and details of other requirements which may apply to your organisation if it is processing children’s personal data, we suggest you carefully review the ICO’s guidance which you can access here.

Our data protection team has many years of experience in advising organisations on their compliance with UK data protection law. To speak to one of the team you can get in touch here or call us on 0800 2800 421

If you have not received this article directly, but would like to receive articles and data protection news alerts from Trethowans, please email [email protected].

Answers are just a click away