The proliferation of internet-enabled devices has allowed children to access the internet at an increasingly younger age, often sharing their personal data without fully appreciating the risks and consequences of doing so. Accordingly, organisations that collect children’s personal data online have a shared responsibility to ensure that such personal data is collected with the appropriate consent obtained and is adequately protected, and to allow children to safely participate in the online space.
With these concerns in mind, the Personal Data Protection Commission Singapore (PDPC) has published its Advisory Guidelines on the PDPA for Children’s Personal Data in the Digital Environment (Children’s Data Guidelines). The Children’s Data Guidelines, which may be accessed here, clarify how the data protection provisions in the Personal Data Protection Act 2012 (PDPA) apply to children’s personal data in the digital landscape.
Scope of the Children’s Data Guidelines
The Children’s Data Guidelines apply to organisations whose online products or services are likely to be accessed by children (i.e. individuals who are below 18 years of age). This includes all products and services that children actually access in practice, and is not limited to products and services that are specifically targeted at children.
The Children’s Data Guidelines should be read in conjunction with Chapter 8 of the Advisory Guidelines on the PDPA for Selected Topics, which discusses data protection obligations on general activities for minors (i.e., individuals who are less than 21 years of age).
How does the PDPA apply to children’s personal data in the digital environment?
We summarise the main obligations of the Children’s Data Guidelines below:
| Obligation | Recommendations |
| --- | --- |
| Notification | When communicating with children, the PDPC recommends that organisations consider the nature of their content and adopt age-appropriate language and media. Organisations must use language that is readily understandable by children so that children may appreciate the consequences of providing and withdrawing consent – this includes notification of purpose and consent clauses, data protection policies, and terms and conditions. |
| Consent for collection, use, or disclosure of personal data | (a) Children between the ages of 13 and 17: The PDPC clarifies that a child between the ages of 13 and 17 may give valid consent if he or she readily understands the organisations’ policies on the collection, use and disclosure of personal data, as well as withdrawal of consent – this includes ensuring that the child understands the consequences of providing or withdrawing consent. However, where an organisation has reason to believe that a child does not sufficiently understand the nature and consequences of giving consent, the organisation should obtain consent from the child’s parent or guardian. (b) Below the age of 13: Where the child is below 13, the organisation must obtain consent from the child’s parent or guardian. |
| Reasonable purposes for the collection, use and disclosure of children’s personal data | The PDPC’s principles-based approach when considering what is reasonable when collecting, using, or disclosing personal data will continue to apply to children’s personal data.1 Organisations are recommended to adopt data minimisation policies to limit the collection and sharing of children’s personal data, such as ensuring that children's account information is not made public and searchable by default. In this regard, the Children’s Data Guidelines state that the PDPC supports the use of age assurance methods by organisations in order to implement relevant safeguards for users who are children. However, unless required by law, organisations are not required to collect national identity documents for age assurance purposes. The PDPC notes that geolocation data, which identifies the geographical location of a device, may allow a third party to determine a child's precise location and therefore poses a risk of misuse. Therefore, organisations should disable the geolocation function by default or only collect approximate location data. |
| Protection of children’s personal data | The PDPC clarifies that children's personal data is considered sensitive and requires a higher standard of protection. Any organisation that handles children’s personal data should implement, where appropriate, the relevant practices set out in the PDPC’s Guide to Data Protection Practices for ICT Systems, to address potential risks and harms to children in the digital environment. |
| Data breach notification | In the case of a data breach resulting in significant harm to a child, the organisation remains obliged to inform the affected data subject, even though the data subject is a child. Where the organisation has the contact details of the parents/guardian, the organisation should inform them of the breach so they can mitigate the potential harm from the breach. If not, the organisation should ensure that any notification to the child is in a language that is readily understandable. The organisation should consider advising the child to inform their parents or guardian about the data breach. |
| Accountability | To meet the accountability obligation under the PDPA, organisations are encouraged to conduct a Data Protection Impact Assessment (DPIA) before releasing products or services that are likely to be accessed by children, to identify and address personal data protection risks. The Advisory Guidelines provide sample questions for organisations to consider when conducting DPIAs. |
Key takeaways
Children are generally more inexperienced, vulnerable and trusting compared to adults and often lack the cognitive ability to fully appreciate the consequences of certain activities. Accordingly, many areas of the law – including contract, civil and criminal law – rightfully distinguish between children and adults. In the field of data protection, there are legitimate reasons to demand higher standards of protection when it comes to collecting and using children’s personal data, especially in Singapore where the primary basis for collecting personal data is consent. The PDPC’s publication of these Advisory Guidelines is therefore timely and helpful.
From the perspective of the protection of children’s data, the clarification of data breach notification obligations involving children’s personal data is also opportune, in light of the recent data breach involving a mobile solutions vendor for a number of Singapore schools. In this regard, given the general sensitivity of children’s data and the greater risk of harm that could be caused to vulnerable children whose personal data has been compromised, organisations should ensure that they adopt data minimisation strategies and put in place appropriate technical measures to safeguard such data.
The Children’s Data Guidelines closely align with prominent international frameworks, such as the OECD's Recommendation on Children in the Digital Environment, and other privacy laws such as Article 8 of the EU General Data Protection Regulation (GDPR), which outline conditions for obtaining a child's consent. For organisations that already comply with these frameworks and privacy laws when providing products and services to children, complying with the Children’s Data Guidelines should not impose much of an additional regulatory burden.
On the position in Singapore, the Children’s Data Guidelines complement the Code of Practice for Online Safety issued by the Singapore Infocomm Media Development Authority in 2023, which aims at enhancing online user safety for children in particular. These provide organisations in Singapore with greater visibility over the standards that they should comply with when offering their products and services to children.
We would like to thank our trainee Judeeta Sibs, practice trainee at Ascendant Legal LLC, for her contribution to this post.