The GDPR principles include a requirement on Data Controllers to be ‘transparent’ about the Personal data processing that we do, and for this to include specific and explicit explanations about the purposes of this processing.
The law says that the act of informing a Data Subject requires the following information to be made available:
The required information should be made available to the Data Subject:
In advance of or at the time they share their data with us, or
When it has been shared with us by another organisation:
Where we obtain data directly from the Data Subject this is usually done by asking them to fill in a form (manually or on a website), obtained verbally (we write or make audio/ video recordings of information given) or we take photographs. In advance of or at the time that these events are occurring, we need to make available the information that allows a Data Subject to make a decision about whether they are comfortable with how we intend to process their data.
The Information Compliance Team must approve any Privacy Notice that is developed so that we can ensure it meets the legal standard and so we have evidence of our privacy activities. If an ARU activity is proposing to obtain personal data and the activity is new, we will need to consider the best way of providing Data Subjects with statutory information. Please contact us at email@example.com for advice.
In summary, Privacy Notices covering activity where we intend to obtain personal data from a child should:
The law tells us that we must provide children with the same information about what we do with their personal data as we would give to adults. As one of the reasons why children require specific protection is that they may be less aware of the risks involved in processing their data, it is good practice to explain these risks and any safeguards we have put in place. This will help children (and their parents) understand the implications of sharing their data with us (and potentially others), so they can take informed and appropriate decisions. We should make privacy notices for children clear and accessible and aim to educate the child about the need to protect their personal data.
We should write in a concise, clear and plain style for any information we are directing to children. It should be child-appropriate and, as far as possible addressed directly to the relevant age group. If the target audience covers a wide age range then we could consider providing different versions of a notice for different ages. If we choose to only have one version then we need to make sure it is accessible to all and can be understood by the youngest age range.
We should present the privacy notice in a way that is appealing to a young audience. We should consider using diagrams, cartoons, graphics and videos that will attract and interest them. In an online context, we should consider the use of dashboards, layers, just-in-time notices, icons and symbols.
If you are relying upon parental consent then, in terms of ensuring that the consent is informed, it is the holder of parental responsibility rather than the child who needs to understand what they are consenting to. Providing them with clear privacy information should meet this requirement. However, children do not lose their rights to transparency as data subjects just because consent has been given by a holder of parental responsibility.
In practice this means that we need to give both the holder of parental responsibility and the child clear and accessible privacy information. Again we could achieve this by developing different versions for these different audiences, or by providing a child-friendly version that can also be understood by parents.
This will give the consenting parent the information they need, and also help to inform and educate young children for the future and enable them to exercise their rights on their own behalf in line with their evolving capacity to do so. We could also produce something designed to be used by children and parents together to provide parents with a tool to help with the digital education of the child.
The law recognises that very young or pre-literate children are, in most cases, unlikely to understand even the most basic written or non-written messages concerning transparency. In this circumstance it is obviously appropriate to provide privacy information that can be understood by the parent. However, this does not mean that the requirement to provide child friendly privacy information does not apply. The Commissioner expects controllers whose services are used by very young children to develop privacy information that can be accessed by children as and when they develop the necessary level of understanding, or in conjunction with their parents. You should ensure that this is periodically brought to the child’s attention throughout your ongoing processing relationship with them (for example when providing regular reminders about privacy settings)
Typically the circumstances where we would be obtaining data from children fall into 2 categories: Research projects and promoting the University to prospective students.
Obtaining data from children for Research purposes is likely to cover a broad range of ages up to 18 and data ranging from basic to special category. In most circumstances access to children who will be providing the data for research will be granted by the school or organisation who has responsibility of care for them, and through these contact and approval from parents/ guardians.
The younger the child the more likely it is that the Notice will need to be supported by face-to-face discussion and explanation. Equally, the more simplistic and basic the Notice, the more likely it is that a separate parent/ guardian version will need to be produced in order to discuss some more complicated concepts more thoroughly.
It is difficult to provide template Notices covering all levels of capacity for understanding Data Protection concepts across all the age ranges up to 18, however please see the following document for a template and example notice aimed at Key Stage 1 (5-7 year olds).
The majority of outreach activity to school-age children would focus on the 16-18 age range and therefore we reasonably assume greater maturity and capacity for understanding some data protection concepts that would be inappropriate to try to present in detail to younger children.
However a balance must still be struck between presenting this age group with wording designed for an adult, the need for simplifying the messages and the potential for children to become disengaged if presented with information in a format tailored to a more juvenile age group than theirs.