By Elizabeth Denham, Information Commissioner.
Children today are truly digital natives. With that in mind, we need to ensure that they have the tools to be contributing digital citizens. This means that the protection of children’s personal data is fundamentally important.
That is why the General Data Protection Regulation (GDPR) will introduce new, specific legal responsibilities for organisations processing children’s data from 25 May 2018.
I am pleased that the special case of children’s privacy rights is part of the wider conversation about the UK’s digital future. Protecting children online is the shared responsibility of lawmakers, companies, platforms, parents and regulators and we need to get this right.
Encouraging children to interact with creative and educational opportunities online is an increasingly important part of growing up. We have to allow kids to develop agency while ensuring their fundamental interests and rights are protected. This is an area of focus for the ICO.
We have sought expert opinion from a variety of sources, including academics, child advocacy services, NGOs and industry about how to do this. We have now published draft guidance on children and the GDPR and seek your comments.
Once we have considered the responses, we will produce final guidance. In the meantime, this draft is aimed at providing some clarity and certainty for organisations. Even if some details are yet to be confirmed, the principles are likely to remain largely unchanged.
And while we want as many people and organisations as possible to respond to our consultation, we also want stress that organisations need to be working towards compliance now.
Data controllers that follow the advice in this guidance and can show that they have given proper consideration to children’s privacy should be well placed to demonstrate their compliance with the GDPR. Data Protection Impact Assessments (DPIAs) and audit trails of decision making will help in this respect.
There will, however, be no excuses for those that don’t, and which consequently place children at risk through systemic problems in processing their personal data.
Fairness, transparency and accountability are essential for all data processing, but this is especially relevant when children are accessing online services. Anyone offering online services to children will have to ensure that they are addressed in plain, clear language that they can understand.
There are new rules concerning areas such as automated decision-making, the right to erasure and also around consent. Between now and May, organisations offering online services to children will need to review their existing processing, clarify under what legal bases they will process data in the future and make sure they meet the relevant requirements. If they are providing online services to children and are relying on the basis of consent, they will need to take action now to get valid consent in place before May.
This doesn’t mean consent will always be required, though – organisations may be relying on a different basis for processing (such as legitimate interests) and it may be that a different basis is better for both the data controller and the child.
Children’s information rights are also likely to be given added protection in the Government’s Data Protection Bill, currently proceeding through Parliament and which will complement the GDPR.
A new amendment will commit my office to produce a code of practice for data controllers on age-appropriate website design. While there are still some issues of detail to work out, it is a measure I support whole-heartedly, particularly as it furthers the concept of data protection by design, which is a key feature of GDPR.
Children’s privacy rights are extremely important. That’s why, as well as producing this draft guidance, the ICO has also funded independent research into this key area through our Grants Programme.
More GDPR guidance will be coming in the New Year and the resources on the ICO website will be the first place to look for the latest news and advice.
|Elizabeth Denham was appointed Information Commissioner in July 2016. Her key goal is to increase the UK public’s trust and confidence in what happens to their personal data.