The Article 29 Working Party, a committee of European countries'
data protection officials, has said that when a child becomes
mature enough to make their own decisions anyone processing their
sensitive data must ensure they have the child's permission and not
just that of the child's representative. 'Sensitive personal data'
is defined in data protection legislation and includes information
about someone's ethnic origin, religious beliefs, health and
more.
The Working Party has outlined the requirement in its guide to
children's data protection. It said that data protection policies
for children must be sensitive to the point at which a child is
mature enough to make his or her own decisions, and must respect
those.
"If the processing of a child's data began with the consent of
their representative, the child concerned may, on attaining
majority, revoke the consent," said the guidance. "But if he wishes
the processing to continue, it seems that the data subject need
give explicit consent wherever this is required."
"For example, if a representative has given explicit consent to
the inclusion of his child in a clinical trial, then upon attaining
majority, the controller must make sure he still has a valid basis
to process the personal data of the data subject. He must in
particular consider obtaining the explicit consent of the data
subject himself in order for the trial to continue, because
sensitive data are involved," said the Working Party.
The Working Party also warned of the dangers posed to children's
privacy by new digital recording technologies such as the video
recording features on many models of mobile phones. It said that
schools must take responsibility for making children aware of one
another's rights to privacy.
"Schools should warn their students that unrestrained
circulation of video recordings, audio recordings and digital
pictures can result in serious infringements of the data subjects’
right to privacy and personal data protection," it said.
The guidance also said that any organisation that holds data on
a child must be more than usually vigilant about deleting that data
because it will lose its relevance more quickly than data about an
adult.
"Because children are developing, the data relating to them
change, and can quickly become outdated and irrelevant to the
original purpose of collection. Data should not be kept after this
happens," said the guidance.
The Working Party also advised that schools be particularly
careful about collecting data on children, and said that children
should be able to opt out of biometric access systems which are
increasingly used in schools to control access to the school. It
should be simple for children or their representatives to object
and be issued with an access card instead, it said.
The guidance also warned schools about their use of websites. It
said that private information posted online should be protected,
and that schools should exercise caution when using photographs of
pupils, obtaining their permission first.
