Original URL: http://www.theregister.co.uk/2009/03/03/child_privacy/
Local authorities must change child privacy practices
Report wants better data protection
Local authorities across England should change their rules on collecting information about children, a new report into the protection of children's privacy has said. The report was produced by children's rights lobby group Action on Rights for Children (ARCH).
The report calls for better training for local authorities in data protection law and information security to help keep children's personal data secure. It also calls into question the basis on which much of the information is gathered.
"The Government asserts in guidance that children in England can generally be presumed able to consent to the sharing of their personal and sensitive data from around the age of 12," said the report. "Many local authorities repeat this advice. It has no basis in English law. We recommend that reference to the age of 12 is removed from all guidance."
The publication of the research comes in the wake of a report by a committee of the EU's privacy watchdogs outlining how children's personal data should be protected. The Article 29 Working Party published its report last month, outlining how privacy law should be applied to children.
"A child is a human being in the complete sense of the word. For this reason, a child must enjoy all the rights of a person, including the right to the protection of their personal data," it said. "The core legal principle is that of the best interest of the child. The rationale of this principle is that a person who has not yet achieved physical and psychological maturity needs more protection than others."
ARCH said that it was asked and funded by the Nuffield Foundation to undertake its research because children's personal data is increasingly being collected, stored and used as the basis of government action.
"Since the UK Government published its green paper: ‘Every Child Matters’ in 2003, there has been a growing emphasis by Government on the need to share information about children across agencies in health, education, social care and youth justice in order to identify those children who may need services, or who are thought to be likely to develop problems in the future," it said. "This policy raises significant questions about who should consent to the sharing of that data."
ARCH said that a crucial issue to be considered is who can give consent for the collection and sharing of information, and when. The question was complicated, it said, by the lack of any court rulings on the matter.
"The Government has said that children from around the age of twelve are usually of sufficient maturity to consent in their own right. Our UK research was aimed at establishing the legal basis for claims about children’s capacity to consent to data-sharing," it said.
"The subject is complex because it involves applying the existing body of law on the circumstances in which children can consent to specific services, such as medical treatment or legal representation, to the more abstract process of sharing personal data. No case specifically about children’s consent to data-sharing has yet been before the courts and thus it is to a large extent uncharted territory."
The question of consent to data sharing is growing ever more urgent, ARCH said, because Government policy is increasingly based on the collection of personal information.
"The reason that this issue has come to the fore is that developments in Information Technology have made it possible to store large quantities of personal information about every child in easily accessible and potentially permanent records, and to share those records rapidly with other people," it said. "Now, a child’s entire education or health record could be despatched to another practitioner in less time than it would take to type the covering email."
"The sheer scale of what is now possible has allowed the development of entirely new government policies based on the monitoring of all children’s progress through the sharing of information about them and their families between the practitioners who work with them across a range of agencies," it said.
The report recognised that the twin desires of respecting a child's right to confidentiality and ensuring they were not being forced into giving consent were difficult rights to reconcile.
"Where the sharing of such sensitive data is involved, the Data Protection Act 1998 requires that the specific consent of the person to whom the data refers (the ‘data subject’) should normally be obtained. This is where the problem addressed in this report begins: who is able to give this consent?" it said. "Should it be the child or his parents – or both? It may be a clear-cut decision if the child is four years old, but what if he is fourteen? What if the data refers to a confidential service which the child has obtained perfectly legitimately without parental knowledge? What if it includes information about siblings and parents?"
ARCH concluded, though, that the common practice of allowing children to issue their own consent from the age of 12 was flawed. Though Scottish law contains a presumption of competence at the age of 12 in some cases, no such presumption exists in English law, the report said.
"Children under 16 in England and Wales may be able to exercise some rights without parental consent when they are sufficiently mature, [but] there is in our view no basis for saying that the age of 12 has significance other than in Scotland," it said.
The report concluded that the Information Commissioner should produce guidelines for local authorities to guide them in training their staff in data protection law so that the right advice is given to anyone working with children.
It also said that the Information Commissioner should produce minimum security standards that must be followed to keep children's personal information private.
The Article 29 Working Party concluded in its report that EU law is mostly effective in making sure that children's personal data has adequate protection, but that those laws must be understood and properly applied by the organisations that deal with children.
Copyright © 2009, OUT-LAW.com
OUT-LAW.COM is part of international law firm Pinsent Masons.