Children's personal data protection

Apply for SearchInform DLP TRY NOW

Parents rightly concerned about the issue of protection of personal data of children. Often, the duty to protect them is violated by the media that publish information about the child, including his name, school number, and sometimes even the address. In Russian law enforcement practice, this even leads to the closure of individual newspapers. But no less serious is the question of how much the child's personal data is protected in an educational or medical institution, whether their leakage can occur, both accidental and intentional.

Legal regulation of the protection of personal data of children

General issues of personal data protection are regulated by the Federal Law "On Personal Data". He examines the terminology, the concept of the operator, his duties to ensure the information security of the information at his disposal. The child's personal data includes:

  • name, age;
  • information about parents and other family members;
  • data on the place of residence;
  • information about academic performance;
  • medical record data.

All of them can be stored in various departments of a school, college, clinic, both on paper and electronic media. These objects must be protected from both physical and software points of view. Moreover, this obligation applies to both the storage process and the processing of information.

Can a child consent to the processing of personal data

An important task for the operator is to obtain the consent of the subject of personal data for their processing. Its provision implies that the person is familiar with the purposes and methods by which it can be carried out. Not everyone knows whether a minor has the right to sign such consent on his own or whether his legal representatives - parents or guardians - should do it for him.

The regulations provide that the personal data of the child is divided into two groups. Those that are processed in connection with the responsibilities of the institution, in particular, information from its documents that is in a personal file or in a medical record, are processed without special consent. Other data that the institution receives in connection with the provision of guarantees and compensations can only be processed with the written consent of the parents. These include:

  • data on the financial situation of the family;
  • data on the special status of a child or parent, for example, information on the status of a disabled person;
  • health information not related to the medical record.

Who can have access to personal data

An educational or medical institution should delimit the rights of access to the child's personal information as much as possible. The complete information can be accessed by:

  • heads or deputy heads of the organization;
  • employees of the department of the relevant ministry, authorized to do this in the prescribed manner and understanding the degree of responsibility for their disclosure or other illegal use;
  • Educational and medical professionals who have the right to receive information about the child as part of their job, for example, a class teacher or a pediatrician.

When requesting information about a child, medical or educational workers are not entitled to provide them to parents deprived of parental rights. Any information about a child entrusted to the organization will be confidential and cannot be used by employees for their own purposes; if this rule is violated, they will be held accountable.

Obligations of educational and medical institutions for the protection of personal data of children

As an operator of personal data, a medical or educational institution is obliged to implement a set of organizational and technical measures aimed at ensuring the safety of the child's personal data.

Organizational measures include:

  • development of a package of internal documentation, which should include a provision on the procedure for processing data and a format for consent to their preparation;
  • the appointment, by order of the management, of a person or department responsible for quality compliance with the requirements of the law, ensuring data protection;
  • ensuring such a mode of storage of personal files, medical records and other material media, which would exclude access to them by third parties;
  • mandatory establishment of access control at the facility.

Technical measures must ensure that information on electronic media is not destroyed, distorted, disseminated or used for purposes contrary to those stated for their processing. For this, such measures are used as:

  • establishment of anti-virus protection;
  • development of a system for identification and authentication of persons who are responsible for hardware data processing;
  • use of means of cryptographic protection if data is transmitted via telecommunication communication channels;
  • encryption of information on the organization's servers;
  • establishment of firewall and other means of access control.

Responsibility for violation of the child's rights to protect his personal data

Inspections of how well the obligations to protect personal data are performed are carried out by authorized state institutions, which include Roskomnadzor, FSB and FSTEC. The audits should monitor compliance with both organizational and technical requirements. If the requirements of the law and by-laws are grossly violated, the following measures of influence may be applied to the organization:

  • order to eliminate violations;
  • administrative penalty;
  • suspension or termination of activities related to data processing, in particular, the closure of media outlets;
  • bringing to criminal responsibility on the basis of materials collected during the inspection and sent to law enforcement agencies.

Responsibilities of parents

Parents of a child should be aware that they too have a serious responsibility to protect the personal data of their children. They need:

  • track exactly what information the child presents about himself on social networks. Often, destructive groups get the data they need in this way;
  • not transfer any information about the child to unknown third parties or even to persons who introduce themselves as teachers or social workers;
  • warn the child about the actions that he must take for his own protection;
  • use controls on sites visited by your child and restrict the ability to visit certain sites.

It is necessary to understand that photography also refers to biometric information, and it is strictly forbidden to transfer children's photos to third parties, they can also be used for criminal purposes.

Now the problem with the dissemination of personal data of children is becoming critical. Even if we do not talk about the most dangerous criminal acts, such as involvement in terrorist organizations or destructive sects, for example, in the Blue Whale, simply information about the place of residence of a child can attract the interest of criminals. Therefore, the protection of this information must be approached as responsibly as possible by both parents and teachers.