In responding to the UK government’s recent consultation on “Data: a new direction,” LSE’s Professor Sonia Livingstone and 5Rights Foundation researcher Kruakae Pothong drew on their separate research on Children’s Data and Privacy Online and The Internet on Our Own Terms respectively, and on their research together for the Digital Futures Commission. Their child-rights perspective led them to recommend to DCMS that the Data Protection Act and UK GDPR should not be watered down in the interests of business but, rather, strengthened in children’s best interests. The consultation asked lots of detailed and technical questions – here is an edited version of some of their answers.
The boundary between scientific and commercial uses of personal data
The government should sustain high ethical and public standards for scientific research purposes and public interest research. It should also ensure that research requiring access to data that personally identifies children demonstrates how the acquisition and processing of personal data would affect the data subjects and how the data subjects can exercise their rights, in compliance with the fairness principle, in addition to requirements of lawfulness and transparency.
The government should not open the door to commercial reuse of scientific data. While fully anonymised data may be kept and used for future purposes, provided consent for such processing was originally given by the data subject, for personally identifiable data, renewed and meaningful consent must be obtained for any further processing. For consent to be meaningful, research participants and/or data subjects need to fully comprehend what their participation in the research would involve, how and for what purposes will their data be used.
Should a “limited, exhaustive list of legitimate interests” replace the balancing text?
Research finds that children, parents, and professionals who work with and support children strongly want greater, not lesser, support for children’s data subject rights, including thorough implementation and enforcement of the Age Appropriate Design Code. Currently, legitimate interests can be a lawful basis for processing only when the processing is ‘necessary’ and when there is a balance between the interests of the data subjects’ and others’ interests.
Thus, we support the position of the 5Rights Foundation and Defenddigitalme that whenever the lawful basis of legitimate interests is used to process data about children, the interests of others, especially of those who process children’s data, must always be balanced against the best interests of children, as individuals as well as collectively.
Are additional safeguards needed?
According to Article 3(1) of the UNCRC: “In all actions concerning children … the best interests of the child shall be a primary consideration.” This applies in the digital environment as in any other, as reinforced by the recently adopted General Comment 25 on children’s rights in relation to the digital environment.
We argue against the proposal to remove the requirement for organisations to undertake data protection impact assessments. Instead, as an additional safeguard, we propose mandating the use of both (published) data protection impact assessment (DPIA) and child rights impact assessment (CRIA) before and after the processing of children’s personal data for educational or health or commercial or any other purposes. In effect, the UK government has committed to doing this already in ratifying the UN Convention on the Rights of the Child but now it must require this in practice.
We are delighted that the UK government has set a high standard of data protection for children by design in its Age Appropriate Design Code. Now the government could show the way forward, beginning with its own operations, for instance when providing access to personally identifiable data of children held by government agencies such as the National Pupil Database.
We are concerned that the consultation appears to complicate the meaning of the fairness principle, in line with the submission from Defenddigitalme, Recital 39 of the UK GDPR and the ICO’s explanation of the fairness principle. The government should retain the provision concerning the fairness principle and its definition in a way that is application (context) agnostic. Further, where the processing of AI applications or development is concerned, the decisions made with AI should be explained and CRIA should be mandated in order to satisfy the fairness principle.
Easing not complicating children’s exercise of their data subject rights
We argue against the idea of removing data subject rights in relation to automated decision making, noting the Explanatory Report to the Council of Europe’s Protocol amending the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data.
We are also against the introduction of a “small nominal fee for processing subject access requests” since this would disproportionately and adversely affect children and their data subject rights. It would undermine the opportunity for children, their legal guardian and professionals caring for or working with them to correct any inaccurate information held about the child which could have long term negative implications on the child, particularly when the inaccurate information is used to inform decisions affecting the child.
Thirdly, we argue against the proposal to remove the existing requirement to designate a data protection officer in certain circumstances. This would be particularly damaging to child users of digital technology, their legal guardians and those who work with or care for them. Our research into the beneficial uses of education data clearly highlights the needs and importance of DPOs, especially in educational contexts where considerable scope and scale of data about children are processed daily, by multiple means.
Against watering down the GDPR
The government asks whether ‘Private companies, organisations and individuals who have been asked to process personal data on behalf of a public body should be permitted to rely on that body’s lawful ground for processing the data under Article 6(1)( e) of the UK GDPR.’ Our response is that this would compound rather than reduce already-existing confusions over the role of data controller and data processor, for example in the context of education and EdTech (for critical analysis, see Governance of data for children’s learning in UK state schools). It would also burden schools with responsibility for the processing undertaken by major global EdTech companies that schools themselves contracted.
Finally, we note with considerable concern that the proposed changes to the UK GDPR are out of step with international human rights and child rights developments, including the UN Convention on the Rights of the Child’s General Comment 25, the Council of Europe’s Recommendation on Children’s Rights in the Digital Environment and on children and data protection), the OECD’s Recommendation on Children in the Digital Environment, and UNICEF’s Manifesto on Good Data Governance for Children (May 2021).
This article gives the views of the authors and does not represent the position of the Media@LSE blog, nor of the London School of Economics and Political Science.