Protecting the privacy rights of young people
November 28, 2023
Privacy Act Bulletins are intended to offer lessons learned, best practices and other important privacy news, trends and information related to privacy protection in the federal public sector. We encourage you to share this information with colleagues.
It is important to keep the best interests of the child in mind in the digital era, as it presents significant new concerns for the privacy and personal information of younger generations.
Children and young people, who experience much of their lives in a largely online world where there are minimal safeguards in place, require special protections so that they may benefit from technology and be active online safely and free from risks of being targeted, manipulated, or harmed as a result.
Last month, federal, provincial, and territorial information and privacy authorities passed a joint resolution calling on public and private sector organizations to adopt measures to protect the personal information of children and young people.
“The personal information of children and young people is particularly sensitive, and we are calling on public and private sector organizations to treat it accordingly,” says Privacy Commissioner of Canada Philippe Dufresne, who has identified children’s privacy as a strategic priority for his Office.
The Commissioner encourages all federal institutions to consider this group’s vulnerability and specific needs when collecting and managing their personal information, and to take steps to ensure that their privacy is adequately protected.
This could involve giving special consideration to the privacy risks in programs involving personal information of young people when conducting privacy impact assessments (PIAs). When designing programs and undertaking privacy risk analysis, institutions should also consider the greater potential for harm to this age group should a breach occur. They should ensure that adequate risk mitigation measures are in place for any risks identified through the PIA process.
The resolution that was passed in October outlines best practices for organizations to consider when developing initiatives that involve young people or their data. Some of the key takeaways for federal institutions include:
Privacy by design
Ensure that young peoples’ best interests are considered at the outset of any initiative that will affect them and built in at the design stage. This could mean adapting traditional PIA process to ensure that consideration of the experiences of young people is done before collecting their information.
Consider the age of your target population and their maturity level. The OPC considers children under the age of 13 to be unable to meaningfully consent, which implies different privacy measures than for adults or for young people older than 13. Programs must always have not only consent but also legal authority for collection.
Organizations could also make use of Gender Based Analysis (GBA) Plus to address the specific privacy risks to vulnerable groups of young people (e.g. those with disabilities, Indigenous, 2SLGBTQI+).
Transparency
Section 5(2) of the Privacy Act gives individuals the right to be informed of the reasons why an institution is collecting their information.
Consider your audience’s reading level when formulating privacy notice statements that are aimed at minors. Use plain language and clearly explain ideas in a way that is understandable to young people. Consider using interactive tools, graphics, or videos to explain information.
You might also involve user experience design professionals to test how well your audience understands the information that you present to them.
Collection, storage and deletion
Young people may not understand how organizations collect and use their information. They also may not be aware of how this could have a negative impact in the future.
Any privacy analysis for an initiative targeting young people should acknowledge that children’s actions and experiences should not follow them into adulthood.
Data retention policies should keep this group’s best interests in mind. Young people should have, where possible, the ability to delete personal information, de-index web pages linked to that information, and should have the means to correct it. Organizations should give young people the means to correct mistakes made with their personal information or to withdraw personal information they once shared but later regret.
Access to and correction of information
The right of access to personal information is fundamental to ensuring that the information that is held is accurate, up to date, and retained for appropriate purposes. Section 6(2) of the Privacy Act requires institutions to ensure that personal information is as accurate and up to date as possible. To facilitate compliance with this obligation, you can shorten personal information retention periods, or be proactive by offering young people the opportunity to withdraw their personal information, or plan to obtain their consent again when they reach the age of majority.
Young people’s changing relationship with their parents must also be considered. People whose parents made privacy-related decisions for them when they were young children may disagree with those decisions later in their lives. There should be mitigations in place to address this.
Many young people may wish for privacy from their parents, and institutions should take this into account as well, in accordance with section 5(1) of the Privacy Act, which requires institutions to collect information directly from individuals. This is particularly important for sensitive information such as medical and health records.
Resources:
- Companion document – Putting best interests of young people at the forefront of privacy and access to personal information
- How organizations can help protect young people online
For more information on how to obtain meaningful consent from children, consult the OPC’s Guidelines for Meaningful Consent. Although aimed at a private-sector audience, many points of advice in the guidelines remain good practices for federal institutions.
Sign up for future Privacy Act Bulletins by subscribing to our RSS feed.
- Date modified: