In a statement of intent, the Government has committed to updating and strengthening data protection laws through a new Data Protection Bill that will bring the European General Data Protection Regulation (GDPR) into UK law.
The Data Protection Bill will.
- Make it simpler to withdraw consent for the use of personal data
- Allow people to ask for their personal data held by companies to be erased
- Enable parents and guardians to give consent for their child’s data to be used
- Require ‘explicit’ consent to be necessary for processing sensitive personal data
- Expand the definition of ‘personal data’ to include IP addresses, internet cookies and DNA
- Update and strengthen data protection law to reflect the changing nature and scope of the digital economy
- Make it easier and free for individuals to require an organisation to disclose the personal data it holds on them
- Make it easier for customers to move data between service providers
Age of consent to be set at 13
A key point for schools is that, under the GDPR, the UK government will legislate to allow a child aged 13 years or older to consent to their personal data being processed. For children under the age of 13, parents will be asked to consent. For much of the data collected by schools, consent will not be the lawful basis for collection but you must consider this when deciding what data to collect and process.