In today’s digitally-connected world, children are growing up surrounded by technology. From the moment they start school, tablets, smartphones, and computers become integral tools for learning, shaping how they engage with their education.
However, educational purposes aren’t the sole reason children may be accessing the internet. Many children quickly venture beyond the classroom, creating online gaming profiles on platforms like Xbox Live or PlayStation Plus, setting up social media accounts to stay connected with friends, or signing up for entertainment services like Spotify. With an increasing range of apps on the market designed for children, whether for educational purposes or designed to support children with additional needs, the younger generation are spending more time online than ever before.
While the internet offers a world of opportunities for young people, it also raises concerns about the protection of children’s personal data. That’s why it is so important for parents, educators, institutions and other companies that store children’s data to understand children’s data privacy rights.
Why is Data Privacy for Children Crucial?
Children are particularly vulnerable online due to their lack of awareness about the implications of sharing personal data. Whether they’re signing up for an educational platform or using a social media app, their personal information can be collected, shared, and even sold without them fully understanding the risks. This is why data protection laws are more stringent when it comes to minors.
Key Laws and Regulations That Protect Children’s Data
In the UK, children’s data protection is governed by the following key regulations:
1. General Data Protection Regulation (GDPR) – Although GPDR is an EU regulation, it has been adopted into UK law post-Brexit and sets the benchmark for data privacy standards. It provides specific protections for children, recognising they are less aware of the risks involved with sharing personal data.
Under GDPR, schools, websites and apps targeting children must ensure transparency about what data is being collected, how it’s used and for how long it will be stored. Parental consent is required for processing the personal data of children under 13.
2. Data Protection Act (DPA) 2018 – This UK-specific legislation works alongside GDPR and includes enhanced provisions to protect children’s data. It establishes guidelines around the fair processing of processing personal data, ensuring that organisations handle children’s data responsibly and in accordance with the law.
3. Information Commissioner’s Office (ICO) Children’s Code – The Children’s Code, also known as the Age Appropriate Design Code, is a British internet safety and privacy code of practice created by the ICO. It is written to be consistent with GDPR and DPA, meaning that compliance with the Code is enforceable.
It applies to any internet-connected product or service that is likely to be accessed by a person under the age of 18. It requires services to be designed in the “best interests” of children and their health, safety and privacy. This might involve the restriction or removal of certain features for children, such as having privacy settings at the highest level by default, non-essential location tracking turned off, and an end to ‘nudges’ encouraging children to lower their privacy settings, and children and their legal guardians being given more control of privacy settings.
Children’s Data Privacy Rights
Children, like adults, have specific data privacy rights under GDPR and the Data Protection Act 2018. These include:
1. Right to be Informed – Children (and their parents or legal guardians) have the right to know how their data is being used. This means that educational platforms, social media apps, and other organisations must clearly outline what data they collect, for what purpose and where it may be shared.
2. Right to Access – Children and their parents can request access to the personal data held by schools, websites, or any other institution. This is particularly important in education, where data such as academic performance, behavioural reports and health records are collected and stored.
3. Right to be Forgotten – Under certain circumstances, children (or their legal guardians) have the right to request that their data is deleted. This could be relevant if a child has shared personal information online that they later regret or if a school no longer needs certain data.
4. Right to Object and Restrict Processing – If a child or legal guardian feels that their data is being misused or processed unlawfully, they have the right to object or request restrictions on how that data is used.
5. Age of Consent – In the UK, the age of consent for data processing is 13. This means that, for most online services and apps, children under 13 require consent from a legal guardian before their personal data can be collected or processed. For older children, they may be able to give their consent but should still be fully informed about how their data is handled.
Children’s Data and Cyber Security in Education
Given the amount of personal information collected in educational environments, schools, colleges and universities are subject to stringent data protection obligations.
For children under 13, schools must obtain explicit consent before collecting any personal data. They must only collect information such as contact details, health records and learning assessments. They are required to only collect the data necessary for a particular purpose. For instance, if a school is using an online learning platform, it should only collect the minimum amount of information needed for educational purposes.
Just like any other organisation, educational institutes must ensure that personal data is stored securely. Often encryption is used to prevent unauthorised access, which is crucial given the sensitive nature of children’s data which can contain anything from medical conditions to legal guardian information.
Many implement firewalls, filters, and monitoring software to protect children from online dangers such as inappropriate content and cyberbullying, but they also help prevent unauthorised access to personal information.
If there is a data breach that affects a child’s personal information, the educational institute must notify the relevant authorities within 72 hours. Parents or guardians must also be informed if their child’s data has been compromised.
Protecting Children’s Privacy Online: A Shared Responsibility
While schools and institutions play a pivotal role in protecting children’s data, parents or guardians must also share responsibility, particularly when the internet is used in a non-educational manner.
Here are some things you can do to ensure your child’s privacy is protected:
1. Review privacy policies – Before allowing a child to use a new app or platform, review its privacy policy to understand how the child’s data will be used.
2. Teach online safety – Educating children about the importance of not sharing personal information, such as their name, address, or school online is key. Not only does this maintain their digital privacy, but it will also help to safeguard them from any other dangers that pose a threat to children.
3. Parental controls – Ensure parental controls that are offered by web browsers, internet service providers and devices are switched on. For example, most search engines offer the ‘safe search’ filter which will prevent your child from seeing and accessing explicit material.
4. Know who your child is speaking to online – As adults, we know that some people online aren’t who they say they are, but younger people can be naive. Whether your child is gaming online or using a social media app, make sure you’re in the know. Your child may push back on having you ‘sticking your nose in’ but speak to them openly and honestly about the dangers of speaking to people they have met online.
In February 2024, OFCOM (Office of Communications), reported that 99% of children spend time online. Despite most social media platforms having a minimum age input of 13, six in 10 children aged eight to 12 are signed up with their own profile, meaning they’ve already processed their personal information onto a platform that will collect and store their data, keeping in mind that the age of consent for processing data is 13.
This is one of the many examples as to why protecting children’s personal data must be a top priority. While UK laws, including GDPR and the DPA 2018, provide a robust framework to safeguard children and their rights online, it is crucial that parents and institutions remain vigilant in ensuring children’s data is handled responsibly and securely.
By understanding and monitoring children’s ever-increasing online activity, a safer online environment can be created for our younger generation, and we can ensure their privacy is kept as secure as possible.
Barings does not currently take on data breach compensation claims where children have been affected, however we do look at claims for adults who have been affected.
We are currently taking on multiple data breach claims against organisations that have failed to safeguard its stored data. If you believe that you have been a victim of a data breach, we will act on your behalf on a no-win no-fee basis.
All you need to do is click the below button and fill in a quick-and-easy form to get the ball rolling. From there our legal experts will assess your case to see if you have a valid claim and will contact you to talk you through the process.
At Barings Law, your legal concerns are our top priority. Whether you need guidance on a complex legal matter or have questions about our services, our team is ready to assist you.
Copyright © 2024 Barings Law.
All rights reserved.