However, data protection can feel like an unfamiliar and difficult subject to the parents too. If that is the case, it can be hard to discuss data protection and guide your child in matters like protecting their personal data or exercising their data protection rights.
This article for parents is intended to lay a foundation for discussions and thereby increase the familiarity of both parents and children with data protection. More comprehensive materials for parents will be drawn up and developed together with the parents in the course of the GDPR4CHLDRN – Ensuring data protection in hobbies project. For the purposes of this article, ‘child’ refers to everyone below the age of 18.
1. Think about what data protection means and what personal data is
What thoughts do the words ‘data protection’ give to your child? Does your child know what personal data is? Think about who is collecting your child’s personal data and for which purposes they are using it. What personal data is your child sharing about themselves or others? Encourage your child to take a moment to think before sharing their own data, as well as to respect the privacy of others when sharing data. For example, photographs and videos shared on social media can spread farther than the child intended.
Data protection (the protection of personal data) is a fundamental right that safeguards the rights and freedoms of the data subject in the processing of personal data. Everyone has the right to data protection. The purpose of data protection is to show when and how controllers and processors of personal data are allowed to process personal data and what rights data subjects have regarding the processing of their personal data. The processing of personal data is governed by legislation such as the EU General Data Protection Regulation (GDPR), which states that the personal data of children requires special protection.
Personal data refers to all data related to an identified or identifiable person. Personal data includes an individual’s name, telephone number, home address, health information, personal identity code, location data as well as photographs and videos from which the person can be identified. Processing of personal data means all actions involving personal data, such as the collection, storage, use, transfer and disclosure of personal data.
The data subject is the person to whom the personal data relates.A controller is the party that determines the purposes and means of processing personal data. For example, an association that collects data on its members is a controller. A processor of personal data processes the data on behalf of the controller. Processors of personal data can include IT service providers with access to the personal data held by the controller, for example.
2. Read the information concerning the processing of your personal data
Read the privacy statements and terms and conditions of the services and applications used by your child. What data are the controllers collecting and what is the data needed for? Is the information about the processing of personal data easy to read? The purpose of informing the data subject is to provide a comprehensive and clear overall picture of the processing of personal data. Transparent information creates the basis for exercising your other data protection rights.
Transparency is one of the key principles of processing personal data. The controller is required to provide all information concerning the processing of personal data to the data subjects in a concise, transparent, intelligible and clear form. The data subject must be informed of matters such as who the controller is, the purposes of processing the personal data, the storage period of the personal data, and the ways in which the data subject can exercise their data protection rights. When the personal data of children is being processed, the information must be provided in an intelligible form using plain and clear language.
Data protection principles are the lawfulness, appropriateness and transparency of processing personal data, purpose limitation, data minimisation, data accuracy, storage limitation as well as confidentiality and security. These data protection principles must always be observed when processing personal data. The controller must also be able to demonstrate that the data protection principles are being realised effectively in the processing.
3. Discuss the data protection rights and exercising them
For a child to be able to exercise their data protection rights, they must be aware of the existence of those rights. Go through the data protection rights with your child. If the child then wants to exercise their data protection rights, make the request directly to the controller. The controller’s contact details can usually be found on the controller’s website. As a rule, the controller is required to respond to the request without undue delay and in any case no later than within one month of the request being made.
Data protection rights belong to every child. Among other things, a child has the right to know why and how their personal data is being processed (right to obtain information on the processing of personal data) and the right to check what data relating to them is being processed (right of access to data). A child also has the right to have inaccurate data rectified and incomplete data completed (right to rectification) as well as request the erasure of their data (right to erasure).
The data cannot be edited or erased according to the request in all circumstances, however. If the controller refuses to comply with a request for exercising data protection rights, they must nevertheless state the reason for their refusal. For example, the law can require controllers to store data for a specific time.
A child can exercise their data protection rights independently if they are able to understand the matter in view of their age, level of development and the nature of the matter. The child’s custodian can also support or represent the child in exercising their data protection rights.
4. Discuss data security and review your privacy settings
You can often decrease the probability of personal data breaches and misuse of personal data by being careful. For example, talk with your child about what makes a good password. Tell your child that they should not reply to suspicious messages. For example, messages that ask for the child’s username or password are suspicious. Remind your child that they should always log out of their accounts after using them with other devices than their own. Reset devices that contained personal data when disposing of them, selling them or otherwise passing them on. Also make sure that the devices and software in use have been updated to their latest versions.
Review the privacy settings of the services and applications used by your child. What information is visible to others and what has been set private? Who can see the information? Help your child adjust their privacy settings if necessary. Talk about how careful you are about privacy.
Data security is one way of implementing data protection. Among other things, it refers to organisational and technical measures taken by the controller to ensure the confidentiality and integrity of data, usability of systems and the realisation of the rights of the data subject. Technical and organisational measures can mean instructing personnel on the implementation of data protection, the security of information systems, data encryption and a variety of other safeguards.
According to the principle of data protection by design and by default, controllers must take data protection principles into account when planning the processing of personal data and ensure the implementation of personal data protection with default settings that protect privacy throughout the lifespan of the data.
5. Support your child’s personal data protection and privacy by your own actions
The protection of your child’s personal data requires the contribution of several parties. The data protection awareness and skills of children can be supported by their education provider, the authorities and the practices followed by companies. Under data protection legislation, the controller processing the personal data is responsible for the lawfulness of the processing.
But you as a parent can also contribute to the protection of your child’s data and privacy. Think about what kind of information you share about your child, and to which audiences. Before sharing information, think about whether it is really necessary and what effects it could have. It is good practice to always ask for your child’s permission before posting information concerning them – provided that your child is old and developed enough to understand the significance of the matter. Do not post sensitive information about your child.
In Finland, the protection of personal data is provided for in the Constitution’s provisions on the protection of private life. Personal data can also be information pertaining to private life. When information pertaining to private life can be connected to an identified or identifiable person, that information constitutes personal data.
The GDPR4CHLDRN project provides information about the protection of personal data and data protection rights to children, young people and their parents. Materials targeted at them as well as icons that clarify concepts related to data protection will be developed in the project. In addition, a toolkit to support compliance with data protection legislation and its application will be created for associations and hobby clubs that organise hobby activities for children and young people.
- A two-year project that will end in August 2024.
- The project is funded by the Citizens, Equality, Rights and Values programme of the European Union.
- The project coordinator is the Office of the Data Protection Ombudsman, and its partner in the project is the TIEKE Finnish Information Society Development Centre.
Funded by the European Union. Views and opinions expressed are however those of the author(s) only and do not necessarily reflect those of the European Union or European Commission. Neither the European Union nor the granting authority can be held responsible for them.
