Do not disclose children’s data unless you can demonstrate a compelling reason to do so, taking account of the best interests of the child.
What do you mean by ‘data sharing’?
Data sharing usually means disclosing personal data to third parties outside your organisation. It can also cover the sharing of personal data between different parts of your own organisation, or other organisations within the same group or under the same parent company.
Data sharing can be done routinely (for example the provider of an educational app routinely sharing data with the child’s school) or in response to a one-off or emergency situation (for example sharing a child’s personal data with the police for safeguarding reasons).
Data sharing includes making a child’s personal data visible to a third party.
Why is it important?
It is important because if you share children’s personal data with third parties or with other parts of your own organisation it needs to be fair to the child to do so. Sharing children’s personal data with third parties, including sharing data inferred or derived from their personal data, can expose children to risks arising from their processing of personal data, which go beyond those inherent in your own processing.
The GDPR provides that:
“5(1) Personal data shall be:
(a) processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes”.
Articles 13 and 14 of the GDPR require you to tell data subjects who you share the personal data with (the recipients or categories of recipients of the personal data).
How can we make sure that we meet this standard?
Consider the best interests of the child
The best interests of the child should be a primary consideration for you whenever you contemplate sharing children’s personal data.
If you have already made sure that your privacy settings are set to ‘high privacy’ by default, then the amount of data sharing that takes place should already be limited; with children having to actively change the default settings to allow you to share their personal data in many circ*mstances.
You should not share personal data if you can reasonably foresee that doing so will result in third parties using children’s personal data in ways that have been shown to be detrimental to their wellbeing. You should obtain assurances from whoever you share the personal data with about this, and undertake due diligence checks as to the adequacy of their data protection practices and any further distribution of the data.
Any default settings related to data sharing should specify the purpose of the sharing and who the data will be shared with. Settings which allow general or unlimited sharing will not be compliant.
Ultimately, it is up to the person you have shared the data with to ensure they comply with the requirements of the GDPR (in their role as a data controller for the personal data they receive). However, you are responsible for ensuring that it is fair to share the personal data in the first place. You should not share personal data unless you have a compelling reason to do so, taking account of the best interests of the child.
One clear example of a compelling reason is data sharing for safeguarding purposes, preventing child sexual exploitation and abuse online, or for the purposes of preventing or detecting crimes against children such as online grooming.
An example that is unlikely to amount to a compelling reason for data sharing is selling on children’s personal data for commercial re-use.
Consider the specific issues and risks raised at each stage of your DPIA
You should assess the issues and risks raised at each individual step of your DPIA process. These steps are set out and explained in the section of this code on DPIAs.
Further reading outside the code
For further reading on data sharing see our Data Sharing Code of Practice
As an expert in data protection and privacy, I bring a wealth of knowledge and experience in navigating the complex landscape of safeguarding personal information, especially when it comes to children's data. My expertise is grounded in a comprehensive understanding of legal frameworks, particularly the General Data Protection Regulation (GDPR), which sets stringent standards for the processing and sharing of personal data.
Let's delve into the key concepts presented in the provided article:
Data Sharing:
Definition: Data sharing refers to the disclosure of personal data to third parties outside an organization. It can also encompass sharing personal data within different parts of the same organization or among organizations under the same parent company.
Types of Data Sharing:
- Routine Sharing: Occurs regularly, such as an educational app provider routinely sharing data with a child's school.
- Emergency Sharing: Happens in response to one-off or emergency situations, like sharing a child's data with the police for safeguarding reasons.
Importance of Data Sharing:
Data sharing is crucial, but it must align with the principles outlined in the GDPR, emphasizing lawfulness, fairness, and transparency. Articles 13 and 14 of the GDPR mandate informing data subjects about the recipients or categories of recipients of their personal data.
Best Interests of the Child:
Primary Consideration: The best interests of the child should be the foremost consideration when contemplating data sharing.
Privacy Settings: Organizations should set privacy settings to 'high privacy' by default, limiting data sharing unless children actively change these settings.
Assurances and Due Diligence: Before sharing personal data, organizations should obtain assurances from recipients, conduct due diligence on their data protection practices, and ensure compliance with GDPR.
Compelling Reasons for Data Sharing:
Safeguarding Purposes: Data sharing for safeguarding, preventing child exploitation, and detecting crimes against children (e.g., online grooming) constitutes a compelling reason.
Commercial Re-use: Selling children's personal data for commercial re-use is unlikely to be a compelling reason for data sharing.
DPIA (Data Protection Impact Assessment):
Organizations should conduct a Data Protection Impact Assessment (DPIA) at each stage of the process. This involves assessing the issues and risks associated with data sharing.
Compliance with GDPR:
While the recipient is responsible for complying with GDPR as a data controller, the organization sharing the data must ensure fairness and have a compelling reason to do so, considering the best interests of the child.
Further Reading:
The article recommends referring to the Data Sharing Code of Practice for additional guidance on data sharing.
In conclusion, my expertise underscores the importance of a nuanced approach to data sharing, especially concerning children's personal data, ensuring compliance with legal frameworks and prioritizing the best interests of the child.
