Privacy and Children’s data

Privacy and Children’s data

Privacy and Children’s data

Part I – Personal data processing in schools


Daily processing

Think of the number of times you see a child walking home from school staring at their mobile device, or when Bob comes home with a picture of himself taking part in some play activity from nursery, or when you receive a school’s newsletters via email containing pictures and names of kids grinning proudly. Parents/ guardians may receive an email from the school asking for their child’s lunch account to be electronically topped up or a school may send you a text message to remind you of some pending activity that you have entirely forgotten about.

These are but a handful of examples of personal data processing that take place at schools on a daily basis. The significant amount of personal data including sensitive personal data (special categories of personal data) processed by the child's educational sector becomes evident. It’s not just the child’s personal data you need to think about, but also yours when you share your personal details as the parent/ guardian or emergency contact.

Privacy laws

The question: With ever limited budgets, how are schools (particularly those funded by local government) ensuring that processing children's personal data (and adults) is compliant with both the General Data Protection Regulation (GDPR) and the Data Protection Act 2018?

Public sectors as well as private sectors fall squarely within the grasp of the GDPR and there are simple steps for schools or educational sectors to be mindful of. 

Practical Tips


1. Control who has access to children’s data and why

Know which teams/ departments have access to personal data and implement access controls to make sure that not everyone at school can access every child’s data. If children’s personal data is captured in the classroom, have a process for storing that data in accordance with your internal information security and privacy policies. If you don’t have one, write one up and implement it properly.


2. Storing personal data in a secure way 

Remember the basic rules on using strong passwords and encryption where possible and how you share data. Don't email the masses if you are sharing personal data and don’t share Bob’s picture with all parents without Bob’s parental/ guardian consent. Obviously if Bob is of the age of being able to give consent then it is Bob’s consent that is needed.


3. Limit the sharing of personal data

Know who you share personal data with and ensure that there are limitations on how personal data is subsequently shared and processed. If you use third party providers (e.g. cloud service providers, website hosting providers, third party educational websites/ apps etc.) be sure to understand what you are buying, how personal data is processed, who it is shared with and what security there is to protect the information you store with them. Don't assume third parties are already compliant. Have security questionnaires ready to help you ask the right questions.


4. Data Subject Rights and Consent

Remember that data subjects have certain rights under the GDPR which they can exercise at will. Put in place a process for data subjects to exercise their rights. Your privacy statement (public facing) should display how data subjects can exercise their privacy rights. Create a privacy mailbox so you have a consolidated point of access. Data subject rights include a person’s right to access the data you hold on them, the right to erasure, right to rectification, right to restriction of processing and the right to object to automated decision making.


5. And when they leave school….?

Have in place a process that allows you to deal with data retention effectively. Don’t hold onto children’s personal data indefinitely. Implement a process that allows you to validate the data you hold and delete data in accordance with your data retention policy. 


Part II – Children’s use of social media and online gaming

Unintended consequences


Media attention has focussed on investigations by data protection regulators against social media giants like Meta (Facebook, Instagram), X (previously Twitter) and Snapchat. We have also seen the hype behind online games like Fortnite (by Epic Games) which has consistently grown in popularity since its release in 2017, especially with younger children. 


The use of social media and online gaming continues to surge, creating unintended consequences that are displayed through children’s behaviour, attitude and wellbeing. Increasing fallouts among children of school ages appear to relate to exchanges on social media platforms, as well as competing in online games that collect player data.

These fallouts between children have a natural consequence on educational sectors   that are left to address impacts on children’s behaviour, attitude and wellbeing.  It is unlikely that schools or educational facilities will consistently be equipped to deal with the impact of social media and online gaming on children unless they develop a better understanding themselves and incorporate aspects of data privacy and data protection into their curriculum.


Picking up the pieces


Attention has been focused on companies’ data privacy compliance regime and ethical responsibility but where does parental/ guardian responsibility fit in all this? Where children sign up to the use of social media and online gaming platforms with the full knowledge and agreement of parents/ guardians it follows that the latter should better equip themselves with knowledge of privacy and security (at a minimum) and develop their own understanding of how personal data is shared, the type of interaction that occurs or that can occur and potential impacts and pitfalls associated therewith.


If parents/ guardians are not aware of what children do online, should that responsibility be transferred to companies that develop the games and apps.


To avoid muddying the waters, there is a distinction between game playing age rating (PEGI rating) and age of consent for uses of social media and other online apps under the GDPR (information societal services). In the U.K. the age at which a child is able to, or required to give consent to the processing of their personal data online is 13. 

Where children are over the age of consent for purposes of playing online games and agree to the use of their personal data by accepting privacy/ consent notices that show up on screen (even if not read), they are deemed to have the necessary capacity to understand and therefore agree to the data sharing that may take place on these platforms. However, it is not unreasonable to recognise that each child’s social development and maturity level differs thereby impacting the way in which interactions (online or offline) are understood. This suggests a disconnect between developmental aptitude of children and the broader privacy concern that legislation aims to address.

Regulators are trying to keep up with the increased pace of technology growth. There is no simple answer as yet, but here are a few tips for those concerned about children’s data whilst online.


Practical Tips


1.  It’s my mobile device, not yours

Check the privacy settings on the device or phone as well as your router settings. These can allow you to apply some filtering on the type of content available online.

2. How many “friends” do you have again?

Parents/ guardians will be familiar with the growing number of “friends” accumulated on social media platforms. Those 500+ friends are not really your child’s friends. Talk to your child about online friends and the potential risks associated with them.

3. Why do you need all those apps?

Educate children on apps and personal data collection e.g., location data and IP address tracking, browser viewing habits, targeted/ non-targeted ads displayed and the broader data sharing that goes on behind the scenes. Majority of social media apps and gaming apps are not designed for children so exercise caution in use.

4. Try it yourself

Access the platforms yourselves and if necessary, sign up to the social media sites or play those online games to understand the in-app occurrences and interaction that goes on to ensure you are comfortable with these.

5. Find out more about protecting your personal data

Enhance your understanding of how personal data is processed in social media and online gaming.

Further information


There are many a number of websites that provide useful information on children’s internet safety and privacy/ personal data processing. 


If you would like further information on the above or wish to discuss other data privacy matters, you can contact us at inform@taceo.co.uk

Part I – Personal data processing in schools


Daily processing

Think of the number of times you see a child walking home from school staring at their mobile device, or when Bob comes home with a picture of himself taking part in some play activity from nursery, or when you receive a school’s newsletters via email containing pictures and names of kids grinning proudly. Parents/ guardians may receive an email from the school asking for their child’s lunch account to be electronically topped up or a school may send you a text message to remind you of some pending activity that you have entirely forgotten about.

These are but a handful of examples of personal data processing that take place at schools on a daily basis. The significant amount of personal data including sensitive personal data (special categories of personal data) processed by the child's educational sector becomes evident. It’s not just the child’s personal data you need to think about, but also yours when you share your personal details as the parent/ guardian or emergency contact.

Privacy laws

The question: With ever limited budgets, how are schools (particularly those funded by local government) ensuring that processing children's personal data (and adults) is compliant with both the General Data Protection Regulation (GDPR) and the Data Protection Act 2018?

Public sectors as well as private sectors fall squarely within the grasp of the GDPR and there are simple steps for schools or educational sectors to be mindful of. 

Practical Tips


1. Control who has access to children’s data and why

Know which teams/ departments have access to personal data and implement access controls to make sure that not everyone at school can access every child’s data. If children’s personal data is captured in the classroom, have a process for storing that data in accordance with your internal information security and privacy policies. If you don’t have one, write one up and implement it properly.


2. Storing personal data in a secure way 

Remember the basic rules on using strong passwords and encryption where possible and how you share data. Don't email the masses if you are sharing personal data and don’t share Bob’s picture with all parents without Bob’s parental/ guardian consent. Obviously if Bob is of the age of being able to give consent then it is Bob’s consent that is needed.


3. Limit the sharing of personal data

Know who you share personal data with and ensure that there are limitations on how personal data is subsequently shared and processed. If you use third party providers (e.g. cloud service providers, website hosting providers, third party educational websites/ apps etc.) be sure to understand what you are buying, how personal data is processed, who it is shared with and what security there is to protect the information you store with them. Don't assume third parties are already compliant. Have security questionnaires ready to help you ask the right questions.


4. Data Subject Rights and Consent

Remember that data subjects have certain rights under the GDPR which they can exercise at will. Put in place a process for data subjects to exercise their rights. Your privacy statement (public facing) should display how data subjects can exercise their privacy rights. Create a privacy mailbox so you have a consolidated point of access. Data subject rights include a person’s right to access the data you hold on them, the right to erasure, right to rectification, right to restriction of processing and the right to object to automated decision making.


5. And when they leave school….?

Have in place a process that allows you to deal with data retention effectively. Don’t hold onto children’s personal data indefinitely. Implement a process that allows you to validate the data you hold and delete data in accordance with your data retention policy. 


Part II – Children’s use of social media and online gaming

Unintended consequences


Media attention has focussed on investigations by data protection regulators against social media giants like Meta (Facebook, Instagram), X (previously Twitter) and Snapchat. We have also seen the hype behind online games like Fortnite (by Epic Games) which has consistently grown in popularity since its release in 2017, especially with younger children. 


The use of social media and online gaming continues to surge, creating unintended consequences that are displayed through children’s behaviour, attitude and wellbeing. Increasing fallouts among children of school ages appear to relate to exchanges on social media platforms, as well as competing in online games that collect player data.

These fallouts between children have a natural consequence on educational sectors   that are left to address impacts on children’s behaviour, attitude and wellbeing.  It is unlikely that schools or educational facilities will consistently be equipped to deal with the impact of social media and online gaming on children unless they develop a better understanding themselves and incorporate aspects of data privacy and data protection into their curriculum.


Picking up the pieces


Attention has been focused on companies’ data privacy compliance regime and ethical responsibility but where does parental/ guardian responsibility fit in all this? Where children sign up to the use of social media and online gaming platforms with the full knowledge and agreement of parents/ guardians it follows that the latter should better equip themselves with knowledge of privacy and security (at a minimum) and develop their own understanding of how personal data is shared, the type of interaction that occurs or that can occur and potential impacts and pitfalls associated therewith.


If parents/ guardians are not aware of what children do online, should that responsibility be transferred to companies that develop the games and apps.


To avoid muddying the waters, there is a distinction between game playing age rating (PEGI rating) and age of consent for uses of social media and other online apps under the GDPR (information societal services). In the U.K. the age at which a child is able to, or required to give consent to the processing of their personal data online is 13. 

Where children are over the age of consent for purposes of playing online games and agree to the use of their personal data by accepting privacy/ consent notices that show up on screen (even if not read), they are deemed to have the necessary capacity to understand and therefore agree to the data sharing that may take place on these platforms. However, it is not unreasonable to recognise that each child’s social development and maturity level differs thereby impacting the way in which interactions (online or offline) are understood. This suggests a disconnect between developmental aptitude of children and the broader privacy concern that legislation aims to address.

Regulators are trying to keep up with the increased pace of technology growth. There is no simple answer as yet, but here are a few tips for those concerned about children’s data whilst online.


Practical Tips


1.  It’s my mobile device, not yours

Check the privacy settings on the device or phone as well as your router settings. These can allow you to apply some filtering on the type of content available online.

2. How many “friends” do you have again?

Parents/ guardians will be familiar with the growing number of “friends” accumulated on social media platforms. Those 500+ friends are not really your child’s friends. Talk to your child about online friends and the potential risks associated with them.

3. Why do you need all those apps?

Educate children on apps and personal data collection e.g., location data and IP address tracking, browser viewing habits, targeted/ non-targeted ads displayed and the broader data sharing that goes on behind the scenes. Majority of social media apps and gaming apps are not designed for children so exercise caution in use.

4. Try it yourself

Access the platforms yourselves and if necessary, sign up to the social media sites or play those online games to understand the in-app occurrences and interaction that goes on to ensure you are comfortable with these.

5. Find out more about protecting your personal data

Enhance your understanding of how personal data is processed in social media and online gaming.

Further information


There are many a number of websites that provide useful information on children’s internet safety and privacy/ personal data processing. 


If you would like further information on the above or wish to discuss other data privacy matters, you can contact us at inform@taceo.co.uk

Part I – Personal data processing in schools


Daily processing

Think of the number of times you see a child walking home from school staring at their mobile device, or when Bob comes home with a picture of himself taking part in some play activity from nursery, or when you receive a school’s newsletters via email containing pictures and names of kids grinning proudly. Parents/ guardians may receive an email from the school asking for their child’s lunch account to be electronically topped up or a school may send you a text message to remind you of some pending activity that you have entirely forgotten about.

These are but a handful of examples of personal data processing that take place at schools on a daily basis. The significant amount of personal data including sensitive personal data (special categories of personal data) processed by the child's educational sector becomes evident. It’s not just the child’s personal data you need to think about, but also yours when you share your personal details as the parent/ guardian or emergency contact.

Privacy laws

The question: With ever limited budgets, how are schools (particularly those funded by local government) ensuring that processing children's personal data (and adults) is compliant with both the General Data Protection Regulation (GDPR) and the Data Protection Act 2018?

Public sectors as well as private sectors fall squarely within the grasp of the GDPR and there are simple steps for schools or educational sectors to be mindful of. 

Practical Tips


1. Control who has access to children’s data and why

Know which teams/ departments have access to personal data and implement access controls to make sure that not everyone at school can access every child’s data. If children’s personal data is captured in the classroom, have a process for storing that data in accordance with your internal information security and privacy policies. If you don’t have one, write one up and implement it properly.


2. Storing personal data in a secure way 

Remember the basic rules on using strong passwords and encryption where possible and how you share data. Don't email the masses if you are sharing personal data and don’t share Bob’s picture with all parents without Bob’s parental/ guardian consent. Obviously if Bob is of the age of being able to give consent then it is Bob’s consent that is needed.


3. Limit the sharing of personal data

Know who you share personal data with and ensure that there are limitations on how personal data is subsequently shared and processed. If you use third party providers (e.g. cloud service providers, website hosting providers, third party educational websites/ apps etc.) be sure to understand what you are buying, how personal data is processed, who it is shared with and what security there is to protect the information you store with them. Don't assume third parties are already compliant. Have security questionnaires ready to help you ask the right questions.


4. Data Subject Rights and Consent

Remember that data subjects have certain rights under the GDPR which they can exercise at will. Put in place a process for data subjects to exercise their rights. Your privacy statement (public facing) should display how data subjects can exercise their privacy rights. Create a privacy mailbox so you have a consolidated point of access. Data subject rights include a person’s right to access the data you hold on them, the right to erasure, right to rectification, right to restriction of processing and the right to object to automated decision making.


5. And when they leave school….?

Have in place a process that allows you to deal with data retention effectively. Don’t hold onto children’s personal data indefinitely. Implement a process that allows you to validate the data you hold and delete data in accordance with your data retention policy. 


Part II – Children’s use of social media and online gaming

Unintended consequences


Media attention has focussed on investigations by data protection regulators against social media giants like Meta (Facebook, Instagram), X (previously Twitter) and Snapchat. We have also seen the hype behind online games like Fortnite (by Epic Games) which has consistently grown in popularity since its release in 2017, especially with younger children. 


The use of social media and online gaming continues to surge, creating unintended consequences that are displayed through children’s behaviour, attitude and wellbeing. Increasing fallouts among children of school ages appear to relate to exchanges on social media platforms, as well as competing in online games that collect player data.

These fallouts between children have a natural consequence on educational sectors   that are left to address impacts on children’s behaviour, attitude and wellbeing.  It is unlikely that schools or educational facilities will consistently be equipped to deal with the impact of social media and online gaming on children unless they develop a better understanding themselves and incorporate aspects of data privacy and data protection into their curriculum.


Picking up the pieces


Attention has been focused on companies’ data privacy compliance regime and ethical responsibility but where does parental/ guardian responsibility fit in all this? Where children sign up to the use of social media and online gaming platforms with the full knowledge and agreement of parents/ guardians it follows that the latter should better equip themselves with knowledge of privacy and security (at a minimum) and develop their own understanding of how personal data is shared, the type of interaction that occurs or that can occur and potential impacts and pitfalls associated therewith.


If parents/ guardians are not aware of what children do online, should that responsibility be transferred to companies that develop the games and apps.


To avoid muddying the waters, there is a distinction between game playing age rating (PEGI rating) and age of consent for uses of social media and other online apps under the GDPR (information societal services). In the U.K. the age at which a child is able to, or required to give consent to the processing of their personal data online is 13. 

Where children are over the age of consent for purposes of playing online games and agree to the use of their personal data by accepting privacy/ consent notices that show up on screen (even if not read), they are deemed to have the necessary capacity to understand and therefore agree to the data sharing that may take place on these platforms. However, it is not unreasonable to recognise that each child’s social development and maturity level differs thereby impacting the way in which interactions (online or offline) are understood. This suggests a disconnect between developmental aptitude of children and the broader privacy concern that legislation aims to address.

Regulators are trying to keep up with the increased pace of technology growth. There is no simple answer as yet, but here are a few tips for those concerned about children’s data whilst online.


Practical Tips


1.  It’s my mobile device, not yours

Check the privacy settings on the device or phone as well as your router settings. These can allow you to apply some filtering on the type of content available online.

2. How many “friends” do you have again?

Parents/ guardians will be familiar with the growing number of “friends” accumulated on social media platforms. Those 500+ friends are not really your child’s friends. Talk to your child about online friends and the potential risks associated with them.

3. Why do you need all those apps?

Educate children on apps and personal data collection e.g., location data and IP address tracking, browser viewing habits, targeted/ non-targeted ads displayed and the broader data sharing that goes on behind the scenes. Majority of social media apps and gaming apps are not designed for children so exercise caution in use.

4. Try it yourself

Access the platforms yourselves and if necessary, sign up to the social media sites or play those online games to understand the in-app occurrences and interaction that goes on to ensure you are comfortable with these.

5. Find out more about protecting your personal data

Enhance your understanding of how personal data is processed in social media and online gaming.

Further information


There are many a number of websites that provide useful information on children’s internet safety and privacy/ personal data processing. 


If you would like further information on the above or wish to discuss other data privacy matters, you can contact us at inform@taceo.co.uk

© 2024 Taceo Limited, Riverbank House, 2 Swan Lane, London EC4R 3TT.

Company registration No. 11059214. All rights reserved.

© 2024 Taceo Limited, Riverbank House, 2 Swan Lane, London EC4R 3TT. Company registration No. 11059214. All rights reserved.

© 2024 Taceo Limited, Riverbank House, 2 Swan Lane, London EC4R 3TT.

Company registration No. 11059214. All rights reserved.