Protecting children’s privacy rights online
Last week alone I saw on Whatsapp and listened to at least two voice notes of children participating in online classes and their pronouncements. these publications on Whatsapp were apparently meant to provide comic relief or entertainment. If we were to be generous we could assume that it was to bring to the attention of the public the plight of children learning online. Notwithstanding the reason for the publication, assuming the children did not publish it themselves, their publication is in no uncertain terms a breach of the children’s privacy right and a breach of the Data Protection act, as individuals on Whatsapp have processed the biometric data of the children without any lawful basis to do so.
This is doubly concerning. First, as the recording of the voices of the children represent their biometric data. Under the Data Protection Act biometric data is regarded as sensitive personal data. Personal data is generally classified as sensitive personal data when the unauthorised disclosure of the data, by virtue of the nature of the data, could lead to greater risk or harm such as discrimination or actual harm to the data subject.
For example, if one were to release the medical condition of an individual this could lead to discrimination and also limit the individual’s job opportunities, to cite two examples. In order to safeguard this sensitive personal data it follows that there are more onerous processing standards that have to be complied with before one can process the data. By virtue of the voice recordings being sensitive personal data it follows that the sanctions attached to breaching processing standards are much more severe.
Section 2(1) of our Data Protection Act includes “biometric data” in the definition of “sensitive personal data”. When one thinks of biometric data, voice recordings may not be the first thing that comes to mind. The information commissioner for the UK brought clarity to this issue when he handed down a decision in relation to Her Majesty’s Revenue and Customs (HMRC), in which HMRC was using voice authentication (voice ID) as a means to identify its customers. The commissioner, in his decision, clearly stated that, “The characteristics of a person’s voice constitute biometric data.” This follows as one’s voice is a biological feature that can be used to identify an individual. In the HMRC case they were using voice ID for customer verification on some of its helplines.
The other concerning issue is that this sensitive personal data belongs to children. The impact of this is that children are not in the same position to protect their rights as adults are. Furthermore, the risks associated with a breach of children’s privacy rights is much greater than that of an adult, given their tender age and limited experience. Unlike the European General Data Protection Regulation, our Data Protection Act does not make any special provision for protecting the privacy rights of children. By virtue of our constitution however, all Jamaican children have a right to such measures of protection as are required by virtue of the status of being a minor or as part of the family, society, and the State. In light of this guarantee provided for by our constitution, additional measures should be put in place as are required by virtue of the fact that they are children.
The two publications of the voice recordings of children give rise to the broader questions as to the safety of our children and the identity of our children online. We have to bear in mind that tens of thousands of children will now be going on the Internet who, prior to now, may not have had access to it before. From the onset of COVID-19 in Jamaica, as far back as March, I wrote an article entitled ‘Protecting our children online’, in which I argued that in moving education online the Government is obliged to ensure that appropriate controls are also put in place to protect the right of privacy of our children. At that time, we feared the issue of protection of our children online was being overlooked.
This concern was echoed on October 8, 2020 at a public think tank hosted by Jamaica Information Service (JIS) by the head of the Jamaica Cyber Incident Response Team (JACIRT), Lieutenant Colonel Godphey Sterling , when he said: “In going digital, the pillars of access to information, e-commerce, e-learning, and an enhanced medical and security framework must be underpinned by modern harmonious laws that facilitate innovation and research. However, all this must be wrapped in a robust cyber security framework that is geared at supporting Jamaica’s national interest within cyberspace. The Government must be able to monitor the threat landscape and provide a requisite warning...” As members of civil society I am sure we cannot begin to appreciate the Herculean effort the Ministry of Education has made and is making to ensure the continuation of the delivery of educational instruction to all our children. Moreover, there are more fundamental issues that still have to be addressed, such as access devices, access to the Internet, costs of data services, content for electronic delivery, electronic delivery platforms, the ability to deliver content remotely, and the financial viability of private schools and supporting industries. These are just but a few of what are several issues the Ministry of Education has to deal with. Notwithstanding the foregoing, we cannot ignore the inherent danger our children are now going to be exposed to online.
We have heard of tens of thousands of teachers being trained to deliver educational instructions remotely. What training, if any, has been given to administrators and teachers of the data processing standards that have to be implemented in order to protect our children? What technical measures have been put in place to protect the personal data of children?
The reality is that thousands of children who have never been on the Internet before will now be required to go on to receive their educational instructions. What technical and organisational measures are being put in place to protect our children in this new frontier?
Both Education Minister Fayval Williams and junior minister Robert Morgan are well placed to implement the requisite technical and organisational measures along with the other data processing standards that would have to be implemented to protect our children given the role they both played in successfully shepherding the Data Protection Act through Parliament. Design Privacy also stands ready to help equip our administrators and teachers with the necessary knowledge to help protect our children online and create a safe place where our children can learn.
Chukwuemeka Cameron, LLM, is an attorney, trained data protection officer, and founder of Design Privacy, a consulting firm that helps you comply with privacy laws and and build trust with your customers. send comments to the Observer or ccameron@designprivacy.io.
...the risks associated with a breach of children’s privacy rights is much greater than that of an adult, given their tender age and limited experience. Unlike the European General Data Protection Regulation, our Data Protection Act does not make any special provision for protecting the privacy rights of children. By virtue of our constitution however, all Jamaican children have a right to such measures of protection as are required by virtue of the status of being a minor or as part of the family, society, and the State. In light of this guarantee provided for by our constitution, additional measures should be put in place as are required by virtue of the fact that they are children.