
Local authorities must change child privacy practices

Report wants better data protection


Local authorities across England should change their rules on collecting information about children, a new report into the protection of children's privacy has said. The report was produced by children's rights lobby group Action on Rights for Children (ARCH).

The report calls for better training for local authorities in data protection law and information security to help keep children's personal data secure. It also calls into question the basis on which much of the information is gathered.

"The Government asserts in guidance that children in England can generally be presumed able to consent to the sharing of their personal and sensitive data from around the age of 12," said the report. "Many local authorities repeat this advice. It has no basis in English law. We recommend that reference to the age of 12 is removed from all guidance."

The publication of the research comes in the wake of a report by the Article 29 Working Party, a committee of the EU's privacy watchdogs. That report, published last month, sets out how children's personal data should be protected and how privacy law should be applied to children.

"A child is a human being in the complete sense of the word. For this reason, a child must enjoy all the rights of a person, including the right to the protection of their personal data," it said. "The core legal principle is that of the best interest of the child. The rationale of this principle is that a person who has not yet achieved physical and psychological maturity needs more protection than others."

ARCH said that it was asked and funded by the Nuffield Foundation to undertake its research because children's personal data is increasingly being collected, stored and used as the basis of government action.

"Since the UK Government published its green paper: ‘Every Child Matters’ in 2003, there has been a growing emphasis by Government on the need to share information about children across agencies in health, education, social care and youth justice in order to identify those children who may need services, or who are thought to be likely to develop problems in the future," it said. "This policy raises significant questions about who should consent to the sharing of that data."

ARCH said that a crucial issue to be considered is who can give consent for the collection and sharing of information, and when. The question was complicated, it said, by the lack of any court rulings on the matter.

"The Government has said that children from around the age of twelve are usually of sufficient maturity to consent in their own right. Our UK research was aimed at establishing the legal basis for claims about children’s capacity to consent to data-sharing," it said.

"The subject is complex because it involves applying the existing body of law on the circumstances in which children can consent to specific services, such as medical treatment or legal representation, to the more abstract process of sharing personal data. No case specifically about children’s consent to data-sharing has yet been before the courts and thus it is to a large extent uncharted territory."

The question of consent to data sharing is growing ever more urgent, ARCH said, because Government policy is increasingly based on the collection of personal information.

"The reason that this issue has come to the fore is that developments in Information Technology have made it possible to store large quantities of personal information about every child in easily accessible and potentially permanent records, and to share those records rapidly with other people," it said. "Now, a child’s entire education or health record could be despatched to another practitioner in less time than it would take to type the covering email."

"The sheer scale of what is now possible has allowed the development of entirely new government policies based on the monitoring of all children’s progress through the sharing of information about them and their families between the practitioners who work with them across a range of agencies," it said.

The report recognised that respecting a child's right to confidentiality and ensuring that children are not forced into giving consent are difficult aims to reconcile.

"Where the sharing of such sensitive data is involved, the Data Protection Act 1998 requires that the specific consent of the person to whom the data refers (the ‘data subject’) should normally be obtained. This is where the problem addressed in this report begins: who is able to give this consent?" it said. "Should it be the child or his parents – or both? It may be a clear-cut decision if the child is four years old, but what if he is fourteen? What if the data refers to a confidential service which the child has obtained perfectly legitimately without parental knowledge? What if it includes information about siblings and parents?"

ARCH concluded, though, that the common practice of allowing children to issue their own consent from the age of 12 was flawed. Though Scottish law contains a presumption of competence at the age of 12 in some cases, no such presumption exists in English law, the report said.

"Children under 16 in England and Wales may be able to exercise some rights without parental consent when they are sufficiently mature, [but] there is in our view no basis for saying that the age of 12 has significance other than in Scotland," it said.

The report concluded that the Information Commissioner should produce guidelines to help local authorities train their staff in data protection law, so that the right advice is given to anyone working with children.

It also said that the Information Commissioner should produce minimum security standards that must be followed to keep children's personal information private.

The Article 29 Working Party concluded in its report that EU law is mostly effective in making sure that children's personal data has adequate protection, but that those laws must be understood and properly applied by the organisations that deal with children.

Copyright © 2009, OUT-LAW.com

OUT-LAW.COM is part of international law firm Pinsent Masons.
