
How does the data protection and privacy law protect children’s data?

Why should children’s personal data be protected?
 
Children are likely to be less aware of the risks associated with sharing their data and the rights they hold in protecting themselves, and so Rwanda’s law on personal data protection and privacy provides for additional protection to guarantee the lawful processing of children’s personal data.
 
Which article outlines the provision towards protecting children’s personal data?
 
The provision on ‘Processing a child’s personal data’ (found within article 9) details the specific measures geared towards delivering additional protection for children’s personal data.
 
Article 9 states:
Where the data controller, the data processor or a third party knows that personal data, belong to a child under the age of sixteen (16) years, he or she must obtain the consent of a holder of parental responsibility over the child in accordance with relevant Laws.
Subject to the provisions of other Laws, the consent obtained on behalf of the child is acceptable only if it is given in the interest of the child. However, the consent is not required to process the child’s personal data if it is necessary for protecting the vital interest of the child.
 
What are the key takeaways of article 9?
 
The article observes that:
  1. Children’s personal data is any personal data belonging to an individual under the age of sixteen (16) years
  2. Before processing children’s personal data, consent must be obtained from a holder of parental responsibility over the child
  3. Consent obtained on behalf of the child is only acceptable if it is given in the interest of the child
  4. Consent is not required if the processing is deemed necessary for protecting the vital interest of the child
 
What guiding principles does this provision give to ensure children’s personal data is protected?
 
1. Parental guardians must approve personal data processing of children they are responsible for
 
Article 9 declares the need for parents or guardians to be consulted for approval regarding the processing of their children’s personal data.
 
This ensures that children, who may not fully understand the consequences of sharing their data, are represented by an adult who can analyse the risks on their behalf.
 
However, holding parental responsibility is not by itself enough for consent to be acceptable, as guiding principle number two explains.
 
2. Consent on behalf of a child is acceptable when it is given in the interest of the child
 
For consent to be obtained, the holder of parental responsibility must demonstrate that this consent acts in the interest of the child. This ensures that a person cannot, merely by holding parental responsibility, give consent that would negatively affect the wellbeing of the child in question.

28 April 2022

© 2024 National Cyber Security Authority