Singapore Personal Data Regulator issues guidelines for processing children’s personal data


On 28 March 2024, the Singapore Personal Data Protection Commission (“PDPC”) issued advisory guidelines (“Guidelines”) that clarify how the data protection provisions in the Singapore Personal Data Protection Act 2012 (“PDPA”) would apply to children’s personal data. In today’s increasingly digitalised environment where children start using the internet at a young age, the PDPC takes the view that organisations play a significant role in ensuring that their products and services adopt a data protection by design approach (i.e. data protection measures are considered and built into products / services as they are being developed).

The Guidelines are meant to apply to organisations whose online products and/or services are likely to be accessed by children (which is not limited to products and/or services that are designed for or targeted specifically at children). Some examples of these online products and services include social media services, technology aided learning, online games, and smart toys and devices.

We set out a summary of the Guidelines below.

A. Notification Obligation

When informing children of the purposes of the collection, use or disclosure of their personal data, organisations must use language that is readily understandable by children. To that end, age-appropriate language (e.g. using plain and simple language) and the use of media (e.g. infographics, video clips, and audio aids) are encouraged. This enables the child to understand the consequences of providing and withdrawing consent.

Further, the Guidelines state that when communicating with children, the organisation’s data protection policies and terms and conditions must also be in language that is readily understandable by children.

B. Consent Obligation

The PDPC considers that a child aged between 13 and 17 is able to give valid consent to satisfy the consent obligations under the PDPA, provided that the policies on collection, use and disclosure of their personal data and the withdrawal of consent, are readily understandable by the child.

The focus is on ensuring that the child understands the consequences of providing and withdrawing consent, and that the child can withdraw consent as easily as providing it. Notably, if the organisation has reason to believe that a child does not have sufficient understanding of the nature and consequence of providing consent, the organisation is required to obtain consent from the child’s parent or guardian.

If the child is below 13 years of age, the organisation must obtain consent from the child’s parent or guardian, and the parent and guardian should be notified of the purpose(s) for which the child’s personal data will be collected, used, or disclosed. Further, consent that was obtained from the parent / guardian remains valid when the child reaches 18 years of age.

When organisations use age assurance methods to ascertain a user’s age (e.g. self-declaration, age estimation, and age verification), organisations should practice data minimisation and collect the minimum amount of data necessary for those age ascertainment purposes. For example, unless required by applicable laws, organisations are not required to collect national identity documents for age assurance purposes. Further, to the extent that age assurance methods collect and analyse the behavioural and telemetric data of users to build profiles that are in turn used to ascertain the age of users, organisations must take note that once the user can be identified from the data, the user profile will be considered as personal data under the PDPA and subject to the accompanying data protection obligations.

C. Purpose Limitation Obligation

In deciding whether a purpose (for which an organisation collects, uses or discloses a child’s personal data) is reasonable, the PDPC will continue to adopt a principles-based approach. Generally, what would be reasonable would include:

  1. Collecting and using a child’s personal data for age assurance / age ascertainment so that only age-appropriate content is accessible to the child;
  2. Collecting and using a child’s personal data to protect the child from harmful and inappropriate content; and
  3. Using the behavioural data of the child (e.g. use of high-risk search terms such as terms relating to self-harm or suicide) to direct the child to relevant safety information.

An unreasonable purpose would be the use of the child’s personal data to target harmful or inappropriate content (as defined in the Code of Practice for Online Safety – e.g. sexual, violent, self-harm, and cyberbullying content) at the child.

D. Protection Obligation

Personal data of children is considered to be sensitive personal data and must be accorded a higher standard of protection under the PDPA. The Guidelines state that organisations that handle children’s personal data should implement, where appropriate, the Basic and Enhanced Practices listed in PDPC’s Guide to Data Protection Practices for ICT Systems to address the risks and harm to children.

Some examples of the Basic and Enhanced Practices include: (i) developing and implementing ICT security policies for data protection; (ii) assessing and mitigating the security risks involved in engaging external parties for ICT services; (iii) using OTP or 2FA / MFA for admin access to personal data; and (iv) conducting network penetration testing prior to the commissioning of any new ICT system.

Additionally, if geolocation data is collected, organisations should adopt a data minimisation approach and implement relevant safeguards considering how the organisation’s product or service would be used by children. One safeguard would be disabling the geolocation function by default so that precise location data of the child is not automatically collected. Other safeguards recommended by the PDPC include collecting users’ approximate location rather than precise location.

E. Data Breach Notification Obligation

In the event of a data breach resulting in significant harm to individuals who are children (i.e. a notifiable data breach), the organisation remains obligated to inform data subject notwithstanding that they may be a child.

The PDPC recognises that if the organisation proactively informs the child’s parent / guardian of the data breach, the parent / guardian would be able to take steps to mitigate the harm of the data breach (e.g. monitoring the emails sent to their child’s account for suspicious content).

However, if the organisation does not have the contact details of the child’s parent or guardian, the organisation should ensure that the notification to the child is in a language that is readily understandable so that the child may understand the consequences of the data breach. The organisation is also encouraged to consider advising the child to inform their parents about the data breach.

F. Accountability Obligation

Organisations are encouraged to conduct data protection impact assessments  before releasing products or services that are likely to be accessed by children so that personal data protection risks can be identified and addressed. Some sample questions have been proposed in Annex A of the Guidelines.

Overall, these Guidelines are helpful in shedding some light on how organisations should deal with children’s personal data, especially for companies whose online products and/or services are likely to be accessed children.

Please get in touch with us if you wish to understand any of the above in more detail or the practical implications of the Guidelines to your business.

The information provided above does not, and is not intended to, constitute legal advice pertaining to the Guidelines; information, content, and materials stipulated above is based on our reading of the Guidelines and are for general informational purposes only.