Skip to content
Law Society of Scotland
Search
Find a Solicitor
Contact us
About us
Sign in
Search
Find a Solicitor
Contact us
About us
Sign in
  • For members

    • For members

    • CPD & Training

    • Membership and fees

    • Rules and guidance

    • Regulation and compliance

    • Journal

    • Business support

    • Career growth

    • Member benefits

    • Professional support

    • Lawscot Wellbeing

    • Lawscot Sustainability

  • News and events

    • News and events

    • Law Society news

    • Blogs & opinions

    • CPD & Training

    • Events

  • Qualifying and education

    • Qualifying and education

    • Qualifying as a Scottish solicitor

    • Career support and advice

    • Our work with schools

    • Lawscot Foundation

    • Funding your education

    • Social mobility

  • Research and policy

    • Research and policy

    • Research

    • Influencing the law and policy

    • Equality and diversity

    • Our international work

    • Legal Services Review

    • Meet the Policy team

  • For the public

    • For the public

    • What solicitors can do for you

    • Making a complaint

    • Client protection

    • Find a Solicitor

    • Frequently asked questions

    • Your Scottish solicitor

  • About us

    • About us

    • Contact us

    • Who we are

    • Our strategy, reports and plans

    • Help and advice

    • Our standards

    • Work with us

    • Our logo and branding

    • Equality and diversity

  1. Home
  2. For members
  3. Journal Archive
  4. Issues
  5. May 2023
  6. Children under the GDPR

Children under the GDPR

Children have the same rights as adults to data protection, but how are these exercised especially where parents are living separately, and how should requests be handled?
15th May 2023 | Isabelle Bain, Rebecca Roberts

The General Data Protection Regulation (“GDPR”), which modernised the laws that protect the personal data of individuals, has now been in force for almost five years.

While people may be aware that they have rights under GDPR, there tends to be less understanding of children’s rights, how these can be exercised, and the role played by those with parental responsibility.

Do children have data protection rights?

Children have the same rights as adults to data protection. This includes, among other things, the right to access their personal data (known as a data subject access request, or “DSAR”).

The question of when a child may exercise these rights for themselves, and when a parent can step in, is perhaps less straightforward. In summary, a child can exercise their data subject rights if they are competent to do so. Competence requires an understanding of their rights and the consequences of exercising those rights.  In Scotland, a child who is 12 or older is generally presumed to be competent. However, this presumption can be displaced; a child under 12 may sufficiently understand their rights, and conversely a child over 12 may not (e.g. due to specific medical needs or learning difficulties).

This presumption does not apply in England & Wales or in Northern Ireland, where competence is based solely on the understanding of the child.

Where a child does not have sufficient competence to exercise their own data subject rights, an adult with parental rights and responsibilities may exercise the child’s rights on their behalf.

Parental responsibilities and rights in Scotland

In Scotland, parents have parental responsibilities and rights in relation to a child. This means that they are responsible for looking after and promoting the child’s health, welfare and development, and providing the child with direction and guidance. They can also act as the child’s legal representative. Parents’ rights and responsibilities must be exercised in a way which is in the best interests of the child. Parents living separately each continue to have parental rights and responsibilities in relation to a child, even if the child only spends time with one of them.

Handling DSARs made by parents

The question that can arise for some data controllers is when they should allow a child’s parents to exercise their child’s data subject rights. For example, what if a parent submits a DSAR to recover their child’s personal data? This can be particularly sensitive in cases where parents have separated and cannot agree on certain aspects of their child’s upbringing.

Step 1: Establish authority to make the DSAR

First, ascertain that the adult who is looking to exercise the child’s rights holds parental rights and responsibilities. This is normally done by obtaining a copy of the child’s birth certificate, or any court order relevant to the parental rights and responsibilities of the child.

The data controller should also ensure that it is satisfied as to the identity of the person making the DSAR, and if in doubt, should request ID documentation, such as a passport and/or proof of address.

Once this has been established, the child’s capacity should inform the next step.

Step 2: Assess the child’s capacity

When a child is too young or immature to exercise their own rights (or other specific issues impede the child’s competence), it is usually appropriate to let a parent exercise their child’s right for them, provided it is evident that this is in the best interests of the child.

If a child is over 12, they are presumed old enough to understand their rights, subject to any evidence to the contrary. In this case, a parent would only be allowed to exercise the child’s rights if the child consents to this and it is considered to be in the best interests of the child. In the absence of the child’s consent, parents should be advised that the child should make the request themselves. However data controllers must remain alert to the possibility of coercion or pressure on a child to make the DSAR.

There may be some borderline cases where a child is close to 12 and, in those circumstances, if they seem mature enough, it may be appropriate to seek their consent, or even to refuse the parent’s request. The nature of the data, and the impact of its disclosure on the child, will be relevant in informing that decision. If in doubt, it is generally sensible to follow the approach that best respects the rights and interests of the child.

Step 3: Respond in writing

A response should normally be provided within one month of the date of the request. If the data controller has determined that it will engage with the parent on the DSAR, it should provide the information requested, subject to any applicable exemptions or redactions. The response should also include certain supplementary information, including the data controller’s reasons for holding the data and an explanation of how long the data will be held for.

If the data controller has determined that it is not appropriate to engage with the parent, the response should explain its reasons for reaching that decision.

A DSAR response must always indicate that the requester has a right to request a review of the way in which the DSAR was handled, after which they have a right to complain to the Information Commissioner’s Office (the UK data regulator).

Step 4: Record keeping

Remember, data controllers are under a statutory obligation under the GDPR not to disclose a child’s personal data unless there is a lawful basis for doing so. Therefore, the data controller should keep a careful record of its decision to disclose or withhold the personal data requested, in the event that either the parent or the child complains about the way in which this request is handled.

The Author

Isabelle Bain is a solicitor in Family & Divorce, and Rebecca Roberts an associate in Public Law, with Burness Paull

Share this article
Add To Favorites
https://lawware.co.uk/

Regulars

  • People on the move: May 2023
  • Book reviews: May 2023
  • Reading for pleasure: May 2023

Perspectives

  • Opinion: Judith Ratcliffe
  • President's column: May 2023
  • Editorial: Double issue
  • Viewpoints: May 2023
  • Profile: Adrian Ward

Features

  • Vision mission
  • Justice without juries?
  • Life is getting longer
  • Wagatha Christie and Blue Murder at the Tesco Express?
  • No cause for celebration – yet
  • Sky's the limit?
  • Bullying: a curse on working life

Briefings

  • Civil court: Spotlight on the Sheriff Appeal Court
  • Employment: Must do better – the s 23 approach
  • Human rights: Crime, detention and mental health issues
  • Pensions: A question of tax
  • Scottish Solicitors' Discipline Tribunal: May 2023
  • Family: The slide rule of grave risk
  • In-house: A route to diversity

In practice

  • Time to check your terms
  • Public policy highlights: May 2023
  • Fit for the modern world?
  • Risk: Death and taxes – the perils of survivorships
  • AML: room for improvement
  • Tribunal aims for efficient justice
  • Ask Ash: Heart ruling head?

Online exclusive

  • Health and safety failings: behind the corporate veil
  • Children under the GDPR
  • Fearn and actions for nuisance in Scotland
  • Licensing in the wild: the new schemes

In this issue

  • Denovo and Property Searches Scotland join forces
  • Five essential questions for a legal software provider

Recent Issues

Dec 2023
Nov 2023
Oct 2023
Sept 2023
Search the archive

Additional

Law Society of Scotland
Atria One, 144 Morrison Street
Edinburgh
EH3 8EX
If you’re looking for a solicitor, visit FindaSolicitor.scot
T: +44(0) 131 226 7411
E: lawscot@lawscot.org.uk
About us
  • Contact us
  • Who we are
  • Strategy reports plans
  • Help and advice
  • Our standards
  • Work with us
Useful links
  • Find a Solicitor
  • Sign in
  • CPD & Training
  • Rules and guidance
  • Website terms and conditions
Law Society of Scotland | © 2025
Made by Gecko Agency Limited