Faegre Drinker Biddle & Reath LLP, a Delaware limited liability partnership | This website contains attorney advertising.
October 02, 2008

Protecting Children's Personal Data: A Response to the Article 29 Data Protection Working Party's Working Document

Most would agree that information relating to children is by its very nature sensitive, but what are the specific rules governing the protection of children's data and how does this affect your business?

The Article 29 Data Protection Working Party ("the Working Party") adopted its Working Document 1/2008 on 18 February 2008. It aims to give general advice on the processing of children's data with specific reference to school data. This article serves as a summary of the key points data controllers need to consider when dealing with this type of data.

What Constitutes a Child?

The Working Party deems a child to be "someone under the age of 18, unless he or she has acquired legal adulthood before that age" who "has not yet achieved physical and psychological maturity" but is "in the process of developing physically and mentally to become an adult." These factors should be taken into consideration in the protection of children's data.

What Are the Fundamental Principles To Be Protected?

The core principle is that of the best interests of the child, but the Working Party also outlines the following key drivers in protecting children's data:

  • the protection and care necessary for the well-being of children;
  • the right to privacy;
  • the implications of the requirement for legal representation;
  • the importance of adapting to the degree of maturity of the child; and
  • the child's right to be consulted, as he or she gradually becomes more able to make autonomous decisions.

The Working Party acknowledges that the best interests of the child can often conflict with the right of privacy and sometimes with the requirement for the consent of representatives. Examples given are medical and social care situations; here, the best interests of the child must prevail.

How Does Current Data Protection Law Apply?

The Data Protection Directives 95/46/EC and 2002/58/EC are applicable, although they do not specifically refer to the treatment of minors and the Working Party believes this leaves questions as to the specifics of protecting children's data. It is therefore of the opinion that the interpretation of the legislation should bear in mind "varying levels of maturity which determine when a child can start dealing with their own data" and "the extent to which representatives have the right to represent minors in cases where the disclosure of personal data would prejudice the best interest of the child."

The Working Party gives the following further guidance in respect of the principles of data quality, legitimacy, data security and the rights of data subjects:

Data Quality (Directive 95/46/EC). The principle of fairness under Article 6a must be "interpreted strictly when it concerns a child" and data controllers must be careful to observe their duty to keep data up-to-date in light of children's constant development. This links in with data retention in that a controller must be careful not to retain any data about a child once it is outdated, which is a greater onus than in respect of other data.

Legitimacy (Directive 95/46/EC Articles 7 and 8). The Directive requires data processing to be legitimate, which means with the person's "unambiguous consent." This would usually come from a representative in the context of children's data.

The Working Party acknowledges an anomaly where personal representatives of children are required to consent to the processing of their data despite the fact that the child may be legally entitled to enter into a contract which involves data processing without any such consent (examples given are employment and marriage). This arguably negates legitimacy and the Working Party is of the opinion that in such instances, the "children's level of physical and psychological maturity must be taken into account" and their best interests used as a guide.

Whilst this is no concrete guide for data controllers, it is understandable why the Working Party has adopted this approach as the circumstances can clearly vary to unidentifiable extents. It is clear, though, that data controllers must be careful not to take a representative's consent as the sole authority for processing children's data when the best interests of the child are likely to be prejudiced by such processing from an objective point of view.

Data Security (Directive 95/46/EC Article 17). The Working Party emphasises that children's data "require a high level of protection" in order to comply with Article 17.

Rights of Data Subjects. The Working Party expands on the right to be informed, the right of access and the right to object in the context of children's data.

It states that when providing information to children, notices should be layered and based on "the use of simple, concise and educational language that can be easily understood." It suggests using a shorter notice when collecting the data which refers to a more detailed notice and warns data controllers to make sure the notices are shown "directly on the screen, prior to collecting the information."

In terms of accessing the information, this will normally be the right of the child's representative, but the Working Party notes that in some circumstances the child's right to privacy may prevail over the representative's right of access. Once again it advises data controllers to look to the best interests of the child, taking into account national practices (for example, in the United Kingdom, teenagers above the age of 12 are entitled to exercise their right of access alone), the age of the child and whether the data was provided in the first instance by the child or the representative.

Protecting Children's Data at School

The Working Party highlighted its concern that data is protected in a school context as well as a family context and looked particularly at student files and school life.

Student Files. The usual principles of data protection apply in respect of student files. The data subject should therefore be informed, the data collection should be proportionate and the data should be used on a non-discriminatory basis. The Working Party is particularly concerned that the principles of best interest are applied to cultural or economic information and that "clear and unambiguous consent" is obtained for the processing of data that "can cause discrimination."

There is an increased obligation of confidence in a school context regarding "data of a special nature" which includes data involving disciplinary proceedings, recording of violent cases, medical treatment in school and special education of disabled people. The Working Party specifies that such data should only be accessed by the child's representative (or the child where appropriate), school authorities, school inspectors, health personnel and law enforcement bodies.

In respect of the publishing of school results, the Working Party accepts the tradition and its purpose of allowing "comparison of results (to) facilitate possible complaints or recourse." It does stress, however, that any publishing must be only where necessary and after informing the data subjects/representatives of the purpose and their right to object. If results are to be published online, secure Web sites or password protected entry is recommended.

School Life. The Working Party comments on a number of different aspects of school life where data may be collected, the most notable being closed-circuit television (CCTV). It emphasises "the capacity of CCTV to affect personal freedoms" and thus the special attention required of data controllers in schools when installing it. CCTV must be justified and only introduced after "a thorough discussion between teachers, parents and pupils' representatives." It notes that it would be easier to justify the introduction of CCTV at areas such as entrances and exits, which people other than the school population may be able to access, than in other places such as classrooms where there is the potential of interference with "students' freedom of learning and of speech … (and) … also with the freedom of teaching."

Schools are also advised to ensure their processing policies in respect of biometric data used as a means of authorising access to various parts of the school, health conditions, school websites, children's photos, pupils' cards and the use of school videophones are consistent with the proper protection of data and privacy.

Conclusion

It would seem that the Working Party is keen to emphasise the exceptionality of children's data in terms of the legislation. Schools and other bodies dealing with information taken from children must be careful to consider these comments in order to avoid falling afoul of data protection legislation in the context of data with greater sensitivity. Perhaps the most difficult task ahead for controllers of children's data is to implement the proposed balancing act between the best interests of the child and the authority of their representatives regarding the most sensitive types of information. There does, however, appear to be some element of flexibility for data processors so long as they fulfil their duties to inform and to be legitimate and proportionate, with the overarching core principle of the best interests of the child at the forefront.
