Children need particular protection when you are collecting and processing their personal data because they may be less aware of the risks involved. The updated Data Protection Act 2018 (DPA 2018) [1] and the UK General Data Protection Regulation (UK GDPR) [2] introduce special protection for children’s personal data, which is mostly relevant to services such as social networking. However, if you process children’s personal data, you should design your systems and processes to ensure that their individual rights are protected in the same way that an adult’s rights are protected.
The (UK) Information Commissioner’s Office (ICO) has provided specific guidance on how the UK GDPR relates to children:
To comply with the DPA 2018 [1] and the UK GDPR [2], you are required to provide detailed information to the people whose data you hold in the form of a privacy notice (see Privacy Notice). Your privacy notice should be written in a way that children will understand or, alternatively, you should provide a separate age-appropriate privacy notice for children which provides the same information about what you do with their personal data as you provide to adults (see Privacy Notice for Children template). This should be written in language that children will understand and you may wish to consider using child-friendly ways of presenting privacy information, such as diagrams and cartoons.
Children have the same rights as adults over their personal data and competent children should be allowed to exercise their own data protection rights (see Individual Rights). These include the rights to access their personal data, request rectification, object to processing and have their personal data erased.
The right of subject access (see Subject Access Requests) is as relevant to children as it is to adults. The right of access always belongs to the child, although in the case of young children these rights are likely to be exercised by those with parental responsibility for them. In Scotland, a person aged 12 years or over is presumed to be of sufficient age and maturity to be able to exercise their right of access, unless the contrary is shown.
As with adults, you need to have a lawful basis for processing a child’s personal data and you need to decide what that basis is before you start processing (see Lawful Basis). You can use any of the lawful bases for processing set out in the UK GDPR [2] when processing children’s personal data but there are some specific points to consider when your data subject is a child.
- If you wish to rely upon consent as your lawful basis for processing, you need to ensure that the child can understand what they are consenting to, otherwise the consent is not ‘informed’ and therefore is invalid.
- If you wish to rely upon ‘contract’ as your lawful basis for processing, you must consider the child’s competence to agree to the contract and to understand the implications of the processing.
- If you wish to rely upon legitimate interests as your lawful basis for processing, you must balance your own legitimate interests in processing the personal data against the interests and fundamental rights and freedoms of the child.
If you are relying on ‘consent’ as your lawful basis for processing (see Consent), only children aged 13 or over can provide their own UK GDPR consent. For children less than 13 years old, you must get consent from whoever holds parental responsibility for the child. Where UK GDPR consent has been given by a parent or carer, the child has a right to withdraw that consent once they are competent to make such a decision.
Additionally, the right to have personal data erased is particularly relevant when the individual gave their consent to processing when they were a child.
Ensure that your systems allow you to check the ages of your child patients.
Ensure that your practice’s Privacy Notice is suitable for your child patients or put in place a separate age-appropriate Privacy Notice for children (see Privacy Notice for Children template).
- Your Privacy Notice should explain what rights children have over their personal data, why the personal data is required and what will be done with it, in age-appropriate language they can understand.
Where a Subject Access Request is submitted by a child, ensure that the child is old enough to exercise their right of access (aged 12 years or older).
- You can allow a parent or carer to exercise the right of access on the child’s behalf if the child authorises this, or if it is evident that this is in the best interests of the child.
- Any information provided to a child as a result of a subject access request should be in an accessible form, using clear and plain language where possible. This may not be possible where the information provided is dental records, so you should be prepared to explain what is in the record to make it understandable to the child.
Ensure that the lawful basis for processing a child’s personal data is clearly stated in your privacy notice and that you have considered the particular issues related to dealing with children’s personal data.
Put in place procedures to obtain DPA 2018 and UK GDPR-compliant ‘consent’ if you process personal information about your child patients under this lawful basis.
- Ensure that any child providing UK GDPR consent is 13 years or older and is competent to give their consent.
- For children less than 13 years old, seek UK GDPR consent from whoever holds parental responsibility for the child.
- Where UK GDPR consent has been given by a parent or carer, the child has a right to withdraw that consent once they are competent to make such a decision and you should state this in your privacy notice.
Put in place a straightforward data erasure procedure to ensure that if someone gave consent to process personal data when they were a child, it is as easy for them to get their personal data erased as it was for them to provide it in the first place.