Any organisation wanting to process a child’s personal data will need to ensure that the data will be processed correctly.
Remember that “consent” as a lawful basis is only valid where given by the child if they are 13 years old or over. This means that you cannot assume that they are old enough without some way of verifying that this is actually so (see “What constitutes appropriate age-verification?” paragraph below).
Where the child is under the age of 13, you must get consent from whoever has parental responsibility for that child.
Note: There are let-outs for this where you offer preventative or counselling services.
You will need to make reasonable verification effort to ensure that the person consenting is an appropriate person (ie the one with parental responsibility for the child). This is not as clear as it needs to be in the guidance.
What constitutes appropriate age-verification?
Unfortunately, this is an unclear area of the legislation and guidance. The ICO website shows a discussion document – see paragraph 26 on page 5, which states “…this will present a significant challenge and place a substantial burden on” (obligated parties). “The Code should be much clearer about what the ICO’s expectations are for age verification…”
As usual when new legislation is introduced, there are gaps and this is one of them. For Children over 18, they are likely to have driving licences, credit cards and the like. Below the age of 18, this is likely to rely on passports – which are clumsy to use for verification purposes and potentially a liability to do so. The jury is out on how this “has” to be done.
Consequently, our advice is to review what will be realistic and ensure it is clear that these steps are being applied. While at one level this could mean just a series of questions, at another level it might involve supporting documentation or persons of responsibility in the community. However, most of the time this will be unworkable.
Remember that if there is an alternate lawful basis for going forwards, then it is likely this will be easier to follow up.
This is an area where case law, further ICO pronouncements and even amendments to future legislation will have to take place for legal clarity – although we all hope for some clearer guidance from ICO going forwards.