Our children are growing up with digital devices and an increasingly social Web and are, in the process, sharing their personal information, oblivious to the risks. Parents are increasingly finding themselves in foreign territory with no real idea where to begin to address their children’s privacy. This post is intended to give parents an overview of the privacy frameworks in place and some of the factors to bear in mind.
Protection of Personal Information Bill
This is a draft Bill, making its way through Parliament at the moment. It gives the right to privacy in the Bill of Rights more substance. The Bill focuses on privacy as in informational self-determination, as opposed to privacy as in secrecy. It establishes a framework for what personal information can be collected from whom and what can be done with that personal information. I wrote about this in my post titled “Privacy is about choice“:
While the Bill is still subject to change, we can draw on a few of the trends in the Bill:
- Personal information can only be collected with the data subject’s consent, generally speaking (the term “data subject” is the term used for the person whose personal information is collected);
- Data subjects’ consent must be informed and this means the party collecting the personal information must inform the data subject what personal information is being collected and what it will be used for (this is the rationale for detailed privacy policies);
- Personal information should only be used for the purpose it is collected for and should either be destroyed or anonymised (the Bill talks about “de-identifying” personal information)
- Personal information should be kept secure and only disclosed where the data subject consents to disclosure or where required by legal authority.
Children’s personal information is subject to a further requirement. By children, I am talking about children under the age of 18 (a person is legally recognised as an adult, a major, when that person turns 18 – there are exceptions, though, relating to an incapacity or inability to manage the person’s own affairs). The February 2011 draft of the Bill (the current draft as I type this) requires prior consent from a “competent person” before collecting and using a child’s personal information. A “competent person” is defined as follows:
A “competent person”, for purposes of paragraph (a), means any person who is legally competent to consent to any action or decision being taken in respect of any matter concerning a child
The position with children is different to general personal information processing because it requires prior consent from that competent person (usually a parent or guardian). In practice this can be a little tricky to obtain for various reasons. The first reason is that, when it comes to the major social networks, its not clear that the Protection of Personal Information Bill applies to those social networks. That said, the provisions dealing with data transfers outside South Africa require that countries this personal information is transferred to subscribe to similar personal information protection principles in their laws.
Consumer Protection Act
The Consumer Protection Act highlights another reason obtaining consent from children for collection of their personal information is tricky. As I pointed out in my post “Why Website terms and conditions matter“, a website’s terms and conditions is a contract between the site’s visitors and users and the site owner. This implies that the parties to this contract have the legal ability to enter into a contract in the first place (this is also known as “contractual capacity”). Section 39 of the Consumer Protection Act deals with this issue when it comes to children:
Agreements with persons lacking legal capacity
39. (1) An agreement to enter into a transaction, or for the supply of any goods or services, to or at the direction of a consumer—
(b) is voidable at the option of the consumer, if—
(i) at the time the agreement was made the consumer was an unemancipated minor;
(ii) the agreement was made without the consent of an adult responsible for that minor; and
(iii) the agreement has not been ratified by either—
(aa) an adult responsible for that minor; or
(bb) the consumer after being emancipated or becoming an adult.
(2) Subsection (1) does not apply to an agreement if the consumer, or any person acting on behalf of the consumer, directly or indirectly, by act or omission—
(a) induced the supplier to believe that the consumer had an unfettered legal capacity to contract; or
(b) attempted to obscure or suppress the fact that the consumer did not have an unfettered legal capacity to contract.
The major social networks and services like Facebook and Google’s various services cater for children accessing their services. Facebook’s protections are more robust than Google’s in many respects. Facebook limits who can see children’s Facebook activity. According to Facebook’s Safety Centre –
The only people who can see what teenagers post are their Facebook friends, friends of friends and networks (like the school they attend). We maintain added protections and security settings for teenagers (aged 13-17) that ensure their profiles and posts don’t show up in public search results. Similarly, if teenagers share their location through Places, only their Facebook friends can see it.
Parents should spend some time reading through the information provided in social networks’ privacy information pages. Here are a couple that will probably be pretty relevant:
- Facebook’s Safety Centre and Data Use Policy (nicely formatted and presented);
- Google’s Family Safety Center;
- MXit’s Guidelines for Parents.
Parents should acknowledge that their children are digital natives. Digital is an important part of their daily lives and will be increasingly important in almost all aspects of our daily lives, including the business environment. Trying to block access to this may not work, either for long or at all. Instead parents should engage with their children as much as possible about the services they are using and educate them about the very real risks of disclosing too much information about themselves.
While many parents are unfamiliar with the services their children are using, perhaps even intimidated by those services, they should make every effort to find out more. Often this means creating their own profiles on some of these services and “friending” their kids (even though this would probably mortify your teenagers) so you can keep an eye on what they are doing. That said, children can probably manipulate privacy settings to hide their activities so it falls to parents to learn as much as they possibly can about services like Facebook, Twitter, Google+ and Mxit and what these services’ privacy practices are.
Parents are users too and they should bear in mind that their social activities can comprise their children’s privacy. I wrote about this is a post titled “The privacy myth” a while ago (the post’s main theme is that privacy as in secrecy is a myth online) –
There are two strategies which can help mitigate the effect of the Internet on personal privacy. The first is to proactively manage your identity online. This means using services like ClaimID to create coherent and comprehensive personal profiles online and taking steps to differentiate aspects of your personality from those that either have no link to you or which are misrepresentations or misuses of your identity.
Another simple, yet powerful, strategy is to decide in advance which items of your personal information will never be disclosed online, ever. This strategy depends on the principle that what you don’t disclose can’t be disseminated and misused. Examples of personal information never to disclose may include your identity number, your home address, your home phone number, your children’s school and so on. Particularly sensitive personal information should be closely guarded from disclosure at all times and this requires vigilance.
The major social networks have improved their privacy practices quite a bit in the last few years. There is a common perception that Facebook is inherently insecure but its worth bearing in mind that children may be more at risk when they are out and about in public compared to when they are using Facebook with their privacy settings responsibly configured.
Protecting your children’s privacy is not easy and it is more about controlling what is disclosed and how its used rather than keeping it hidden altogether. That said, it can be done but it require diligence and attentiveness.
Update: I have come across a couple sites dealing with children’s safety online which may be informative: