Personal Information about Children
in the Information Society
In a seashell
If you as an organisation use children’s personal information about an individual under the age of 14 in provision of a service delivered by means of digital or electronic communications (“information society service”),
you should think about the need to provide the specific protection required by section 16 from the outset and design your processing, products, and systems with this in mind.
This is vital if you regularly or systematically process children's personal information.
It is usually easier to incorporate child friendly design into a system or product as part of your initial design brief than to try and add it in later. We recommend that you use a Privacy Impact Assessment (PIA) to help you with this, and to assess and mitigate privacy and data protection risks to the child. You should also take into account the risk of harm for the child so that their freedom to learn, develop, and explore (particularly in an online context) is only restricted when this is proportionate.
Section 16, Personal information about children in the information society, states that:
(1) Where an organisation uses personal information about a child in the provision of an information society service and—
(a) the service is targeted at children; or
(b) the organisation has actual knowledge that it is using personal information about
children, and consent is relied upon, subject to subsection (2) the organisation must obtain consent from a parent or guardian before the personal information is collected or otherwise used.
(2) An organisation—
(a) shall be reasonably satisfied that consent obtained under subsection (1) is verifiable so that it can be obtained only from the child’s parent or guardian; and
(b) shall establish procedures to verify whether the individual is a child when it is reasonably likely that the organisation will use personal information about a child.
(3) When providing an information society service to a child, an organisation shall not seek to obtain personal information from the child about other individuals, including in particular, personal information relating to the professional activity of parents or guardians, financial information or sociological information except that personal information about the identity and address of the child’s parent or guardian may be used for the sole purpose of obtaining the consent under subsection (1).
(4) When complying with its obligations under section 9, an organisation delivering an information society service to a child shall provide a privacy notice that is easily understandable and appropriate to the age of the child.
(5) In legal proceedings brought against an organisation for failure to comply with a requirement of this section, it is a defence for the organisation to prove that it had taken such care as in all circumstances was reasonably necessary to comply with such requirement.
How important are fairness and compliance with the data protection principles?
As with any other instance of using personal information, the principles of fairness, responsibility, and compliance should lie at the heart of all your use of children’s personal information. The purpose of these principles is to protect the interests of the individuals, and this is particularly important where children, who are often considered vulnerable, are concerned.
These principles apply to everything you do with personal information and are key to complying with PIPA.
What about the best interests of the child?
The principle of fairness requires organisations to consider the best interest of individuals. The notion of the best interests of the child comes from Article 3 of the United Nations (UN) Convention on the Rights of the Child (UNCRC). Although it is not referenced in PIPA, it is something that the Commissioner will take into account when considering compliance, and that you should consider when making decisions about the processing of children’s personal information. Article 3 of the UNCRC states that:
"In all actions concerning children, whether undertaken by public or private social welfare institutions, courts of law, administrative authorities or legislative bodies, the best interests of the child shall be a primary consideration."
What if we’re not sure whether the individuals are children or not?
This can be an issue, particularly with online or other remote use of personal information. If you aren’t sure whether the individuals who personal information you use are children, or what age range they fall into, then you usually need to adopt a cautious and risk-based approach. This may mean:
designing your processing so that it provides sufficient protection for children;
putting in place proportionate measures to prevent or deter children from providing their personal information;
taking appropriate actions to enforce any age restrictions you have set; or
implementing up-front age verification systems.
The choice of solutions may vary depending upon the risks inherent in the processing, the rights, and freedoms of the child, and the particular provisions of PIPA that apply to your use of personal information. You should always think about both the target age range for your use of personal information and the potential for children outside the age range providing their personal information.