New Zealand

What is the age threshold for children?

There is no general legal distinction between a child and an adult for the purposes of New Zealand privacy law. New Zealand privacy law does not expressly impose an age threshold or legal capacity in the context of an organisation's collection and processing of personal information. That said, a person's age will still be relevant in the context of a number of obligations imposed on agencies that collect, use, and disclose personal information from children and young adults.

In general, the following principles should be considered:

• under the Contract and Commercial Law Act 2017, a contract with a 'minor' (that is, a person aged under 18) is generally (with limited exceptions) unenforceable against the minor; and
• the Age of Majority Act 1970 contemplates that for the purposes of New Zealand law, a person will attain 'full age' at 20 years. However, the 'age of majority' is not a term used by New Zealand privacy law (nor frequently used in New Zealand law generally).

Are there any special rules in relation to children's personal data?

Obtaining children's consent

New Zealand privacy law does not generally require an agency to obtain prior consent to process personal information (irrespective of the age of the individual concerned).

An agency may be required to rely on the 'authorisation' of an individual in circumstances where its processing of that individual's personal information is for a purpose other than that for which the information was obtained (or a directly related purpose), or is not otherwise in accordance with the grounds for using and disclosing personal information prescribed by the information privacy principles ('IPPs'), namely IPP 10 and IPP 11, which are set out in the Privacy Act 2020 ('the Privacy Act').

There is no statutory 'bright line test' as to what constitutes 'authorisation' – whether in the context of children or otherwise. Accordingly, the assessment of whether an individual, including a child, has 'authorised' an agency to process their personal information is largely contextual. In the context of a child, additional care should be taken to ensure that the authorisation was clearly and freely given (either by the child if of an age readily expected to understand the consequences, or by the child's parent or guardian). 

Informing children and other privacy policy practices

When collecting personal information from children, an agency is required to take 'all reasonable steps' to ensure the child is aware of matters prescribed by IPP 3(1), including the fact and purpose of collection. Agencies generally fulfil this obligation by disclosing a privacy statement (although the fact of disclosing a privacy statement does not in itself fulfil the obligation; the context in which the privacy statement is disclosed is also important).

The guidance of the Office of the Privacy Commissioner ('OPC') is that parents or guardians can be treated as the minor's representative in cases where it is not practical to give notice in this manner (for example, to young children who are unable to themselves understand the matters of which the agency is required to make the child aware).

In any event, the notice needs to be appropriately tailored to take into account the target audience. An overly technical or complicated description of the agency's collection, use, and disclosure of personal information may not suffice in the case where children are the intended targets.

Children's rights to access, rectify, erasure, etc.

There are no special rules concerning the exercise of children's rights of access and correction provided by the Privacy Act. There is also no minimum age limit of individuals making an access or correction request. A child can ask a parent or guardian can make a request on their behalf.

However, an agency must provide an individual (including a child) who wishes to make or is making an access request with 'reasonable assistance'. Consideration as to whether assistance is 'reasonable' will be more nuanced in the case of a child who wishes to make an access request. The OPC's guidance is for agencies to take a practical approach when responding to access requests where parents or guardians are acting on their children's behalf (where children has provided consent or are too young to ask for themselves). 

Among other exceptions to an individual's right to receive access to their information (applicable irrespective of the age of the requestor), an agency may also refuse to provide a child aged under 16 with access to their personal information if disclosure would be 'contrary to the interests' of that child.

Other obligations

Under IPP 4, an agency must collect personal information 'by a means that, in the circumstances of the case (particularly in circumstances where personal information is being collected from children or young persons) is fair'.

An agency's assessment as to whether the circumstances surrounding the collection of personal information are 'fair' will be more nuanced when the individual is a child. In this regard, the requirements under IPP 4 are unlikely to be met where the agency collects information in a way that is not obvious to a child or where disclosures made to the child are 'legalistic' such that they cannot be understood.

Further guidance

The OPC regularly releases guidance on issues related to children and privacy on its website¹.

Philippines

What is the age threshold for children?

The age of legal capacity in the Philippines is generally 18 years².

Are there any special rules in relation to children's personal data?

To date, the National Privacy Commission ('NPC') has not published rules and regulations specifically governing children's personal data and its protection. However, the NPC has issued several advisory opinions providing guidance in respect thereof, as will be discussed below.

Obtaining children's consent

Under the Data Privacy Act of 2012 (Republic Act No. 10173) ('the Act'), the data subject's consent is among the criteria for lawful processing of personal data. Consent of the data subject under the Act is defined as 'any freely given, specific, informed indication of will, whereby the data subject agrees to the collection and processing of personal information about and/or relating to him or her'. It must be evidenced by written, recorded, or electronic means and may be given on behalf of the data subject by an agent specifically authorised by the data subject to do so.

In NPC Advisory Opinions No. 2017-049 and No. 2019-046, the NPC explained that minors generally cannot provide the consent as defined under the Act. As such, prior to the processing of children's personal data, the consent of their parents or legal guardians should first be obtained.

Nonetheless, we note that there are other grounds for lawful processing of personal data (other than consent). In NPC Advisory Opinion No. 2017-049, the NPC clarified that in some instances, 'the teacher may search through a minor student's cell phone in order to protect vitally important interests of the student, including his life and health or probably to respond to national emergency'. In NPC Advisory Opinion No. 2020-046, regarding the posting of students' personal data in the school's bulletin board or official social media account, the NPC mentioned that schools may therefore rely on pertinent issuances of the Department of Education or Commission on Higher Education as lawful bases, if any, provided that the said issuances guarantee personal data protection.

Informing children and other privacy policy practices

The processing of personal data of data subjects shall be allowed subject to adherence to general data privacy principles which include the principle of transparency. As such, the data subject must be aware of the nature, purpose, and extent of the processing of his or her personal data, including the risks and safeguards involved, the identity of personal information controller ('PIC'), their rights as a data subject, and how these can be exercised. Any information and communication relating to the processing of personal data should be easy to access and understand, using clear and plain language.

In this regard, in NPC Advisory Opinion No. 2018-013, the NPC noted that PICs are required to appraise the data subject of the following:

• description of the personal data to be processed;
• purposes for processing;
• basis of processing;
• scope and method of processing;
• recipient/classes of recipients to whom the personal data are or may be disclosed;
• identity and contact details of the PIC;
• retention period; and
• existence of rights as data subjects.

Furthermore, the NPC has defined a privacy policy or privacy notice as a statement made to a data subject that describes how the organisation collects, uses, retains, and discloses personal information. This document is an embodiment of the observance of the principle of transparency and upholding the right to information of data subjects.

In NPC Advisory Opinion No. 2020-046, where the guidance of the NPC was sought regarding the processing of students' including children's personal data for 'legitimate school-related purposes', the NPC advised that the school should have policies in place, including social media policy and internet etiquette guidelines, to serve as a guide on how schools handle students personal data, the duties and responsibilities of teachers and other school personnel, as well as rules for the students themselves. 

Children's rights to access, rectify, erasure, etc.

While no special rules have been issued by the NPC specifically in relation to the exercise of children's rights as data subjects, the NPC emphasised in NPC Advisory Opinion No. 2020-046 that PICs, such as schools, must have mechanisms in place whereby the students, by themselves or through their parent or legal guardian, would be able to exercise their rights as a data subject. This includes the ability to provide consent and withdraw the same, object to the processing of personal data, request for erasure, among others, as may be appropriate and subject to the provisions of the Act and the Implementing Rules and Regulations of Republic Act No. 10173 ('IRR').

Further guidance

As mentioned, the NPC has not published rules and regulations specifically covering children's personal data. Notwithstanding this, the NPC recognises that processing operations performed about vulnerable data subjects like minors, or in any other case where an imbalance exists in the relationship with the data subject, require special protection. Notably, children merit specific protection, as they may be less aware of the risks, consequences, and safeguards concerned and their rights in relation to the processing of personal data.

Furthermore, the following Philippine laws and issuances also take into consideration the protection of children's personal data: 

• The Child and Youth Welfare Code of 1974 (Presidential Code No. 603) provides for the destruction of all records of a youthful offender whose charges have been dropped, or upon acquittal, dismissal of the case or upon their commitment to an institution and subsequent release. It also prohibits the disclosure of a minor's birth record unless it is upon the request of the guardian or institution legally in-charge of them, or of the court or proper public official whenever absolutely necessary to determine the identity of the child's parents or other circumstances surrounding their birth.
• The Family Courts Act of 1997 (Republic Act No. 8369) provides that all hearings and conciliation of the child and family cases shall be treated in a manner consistent with the promotion of the child's and the family's dignity and worth and shall respect their privacy at all stages of the proceedings. Further, records of the cases shall be dealt with the utmost confidentiality and the identity of parties shall not be divulged unless necessary and with authority of the judge.
• The Special Protection of Children Against Child Abuse, Exploitation and Discrimination Act of (Republic Act No. 7610) makes it unlawful for any entities involved in printed materials, television and radio broadcasting, and the film industry to cause undue and sensationalised publicity which results in the moral degradation and suffering of the offended party (i.e. victims of child abuse, exploitation, and discrimination).
• The Anti-Violence Against Women and Their Children Act of 2004 (Republic Act No. 9262) mandates that all records pertaining to cases of violence against women and their children shall be confidential and all public officers and employees and public or private clinics to hospitals shall respect the right to privacy of the victim. It further penalises the publication of the name, address, telephone number, school, business address, employer, or other identifying information of a victim or an immediate family member, without the latter's consent.  
• The Juvenile Justice and Welfare Act of 2006 (Republic Act No. 9344) requires the confidentiality of all records and proceedings involving children in conflict with the law from initial contact until the final disposition of the case. This is echoed in the revised rules and regulations, which also required all concerned duty-bearers to undertake all measures to protect the identity of the child, and to uphold the confidentiality of proceedings. In this regard, media practitioners must observe the guidelines on reporting and coverage of cases involving children, particularly the Guide for Media Practitioners on the Reporting and Coverage of Cases Involving Children³.
• The Expanded Anti-Trafficking in Persons Act of 2012 (Republic Act No. 9208) institutes policies to eliminate trafficking in persons, especially women and children.  It requires the confidentiality and non-disclosure of the name and personal circumstances of the trafficked person, or any other information tending to establish the identity of the trafficked person and their family.
• The Rule on Examination of a Child Witness (Supreme Court Administrative Memorandum No. 004-07-SC) expressly recognises the right of a child not to testify regarding personal identifying information, including his or her name, address, telephone number, school, and other information that could endanger their physical safety or their family. It also imposes sanctions on the unauthorised publication of identifying information of a child who is or is alleged to be a victim or accused of a crime or a witness thereof, among others.

Singapore

What is the age threshold for children?

There are several age thresholds in Singapore for legal capacity. For instance, the age for entering into a contract is 18⁵.

However, with regards to data activities relating to minors, a practical rule of thumb will be applied such that a minor who is at least 13 years old will be regarded as having the requisite capacity to consent on their behalf.

If an organisation has reason to believe that the minor is incapable of understanding the nature and consequences of their consent, then it will need to obtain consent from the minor's parent or legal guardian (who is legally able to consent on the minor's behalf)⁶.

Are there any special rules in relation to children's personal data?

Obtaining children's consent

See the above guidance.

Informing children and other privacy policy practices

There are no specific requirements in terms of informing children. An organisation that processes a child's personal data will need to ensure it has the necessary consent, obtained as per the above guidance, or that an exception applies.

Children's rights to access, rectify, erasure, etc.

The same data subject rights (of access, correction, and withdrawal of consent where consent is required) will apply to children that are above the age of 13, subject to the above guidance by the Personal Data Protection Commission. Notably, there is no right of erasure under the Personal Data Protection Act 2012 (No. 26 of 2012) ('PDPA') in Singapore.

Other obligations

All other obligations under the PDPA will apply, in particular, making reasonable security arrangements to prevent any unauthorised access, disclosure, or other similar risks to the children's personal data, and notifying the PDPC (and affected individuals) of a data breach in accordance with the PDPA.

Karan Chao Senior Privacy Analyst
[email protected]

Comments provided by:
Campbell Featherstone Partner
[email protected]
Dentons Kensington Swan, Wellington

Mary Thel Mundin Partner
[email protected]
Gatmaytan Yap Patacsil Gutierrez & Protacio, Makati

Charmian Aw Counsel
[email protected]
Reed Smith LLP, Singapore

1. See: https://privacy.org.nz/tools/knowledge-base/view/2; https://www.privacy.org.nz/blog/revisiting-the-commissioners-messages-on-protecting-children/
2. See: Article 234 of the Family Code of 1987 (Executive Order No. 209) (as amended).
3. See: https://www.doj.gov.ph/files/2016/THE GUIDE FOR MEDIA PRACTITIONERS.pdf
4. See: Section 35(1) of the Civil Law Act 1909.
5. See: https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Advisory-Guidelines/AG-on-Selected-Topics/Advisory-Guidelines-on-the-PDPA-for-Selected-Topics-4-Oct-2021.pdf?la=en