Data protection law plays a crucial role, supporting organisations to share information when required for the protection of children. Withholding necessary information can be more harmful than sharing it. In many instances, reviews of cases involving harm to children have highlighted the importance of information gaps as contributing factors to safeguarding failures.
In a collaborative effort to strengthen child protection measures, the Information Commissioner’s Office (ICO) has joined forces with key stakeholders in education, law enforcement, and social services. Together, they aim to dispel myths surrounding data protection laws and promote responsible data sharing as a powerful tool in safeguarding children.
Best Interests
The United Nations Convention on the Rights of the Child (UNCRC) places the best interests of the child as a primary consideration in all actions concerning them. When sharing children’s personal data, a compelling reason, such as safeguarding, is necessary. However, commercial re-use of children’s data is unlikely to be deemed a compelling reason. Organisations must conduct a Data Protection Impact Assessment (DPIA), considering the vulnerability of children before sharing information.
Sharing child data can help make relevant authorities aware of neglect, mistreatment or any risks to a child’s well-being and mental or physical harm. This enables appropriate decisions to be made about how a child can be protected and the level of risk associated.
Balancing Interests
The best interests of the child must be balanced against the rights of others. Commercial interests, for instance, should not outweigh a child’s right to privacy. This consideration becomes integral to complying with the requirements of lawfulness, fairness, and transparency in data-sharing arrangements.
Assessing Risks
Children’s vulnerability underscores the need for thorough risk assessments and appropriate privacy measures in data sharing. Organisations should factor in the higher risks associated with sharing children’s data compared to adults. Privacy information must be clear, presented in plain, age-appropriate language, and due diligence checks on recipient organisations are essential.
For online services used by children, adherence to the Age Appropriate Design Code is mandatory. Consent is not the sole lawful basis for data sharing, other bases may be more appropriate. When relying on consent, assessing the child’s competence and ensuring it is freely given is crucial. Additionally, considering the child’s competence is vital when justifying data sharing as necessary for the performance of a contract.
