GDPR makes several references to processing children’s data, including a reference in article 8 to a child being under the age of 13. Schools should not be confused by this article. A child under GDPR remains anyone under the age of 18. Article 8 is focused purely on “information society services,” or ISS. As a school, you do not provide ISS, so article 8 is aimed at Google, Facebook, Snapchat etc.
As a school most of your pupils will be under 18 and be treated as children under the GDPR. The ICO recommends that:
Children need protection when you are collecting and processing their personal data because they may be less aware of the risks involved.
If you process children’s personal data then you should think about the need to protect them from the outset, and design your systems and processes with this in mind.
Compliance with the data protection principles and fairness should be central to all your processing of children’s personal data.
You need to have a lawful basis for processing a child’s personal data. Consent is one possible lawful basis for processing, but it is not the only option. Sometimes using an alternative basis is more appropriate and provides better protection for the child.
Children merit specific protection when you use their personal data for marketing purposes or creating personality or user profiles.
You should not usually make decisions based solely on automated processing about children if this will have a legal or similarly significant effect on them.
You should write clear privacy notices for children so that they are able to understand what will happen to their personal data, and what rights they have.
Children have the same rights as adults over their personal data. These include the rights to access their personal data; request rectification; object to processing and have their personal data erased.
To achieve all the above, the ICO recommends that you consult with children as appropriate when designing processes.
The ICO guidance states that you should not seek parental consent where you are providing online preventative or counselling services to a child. This is an exception to the requirement to gain parental consent for information society services. Although schools are unlikely to provide online preventative or counselling services, where the child is being counselled in person the logic of not asking for parental permission holds true.
For a school, writing clear privacy notices is critical. The ICO recommends that:
Privacy notices are clear, and written in plain, age-appropriate language.
Use child-friendly ways of presenting privacy information, such as: diagrams, cartoons, graphics and videos, dashboards, layered and just-in-time notices, icons and symbols.
Explain to children why we require the personal data we have asked for, and what we will do with it, in a way which they can understand.
As a matter of good practice, we explain the risks inherent in the processing, and how we intend to safeguard against them, in a child friendly way, so that children (and their parents) understand the implications of sharing their personal data.
We tell children what rights they have over their personal data in language they can understand.
As a matter of good practice, if we are relying upon parental consent then we offer two different versions of our privacy notices; one aimed at the holder of parental responsibility and one aimed at the child.
Our Schools GDPR template pack includes separate privacy notices for children and for adults.