UK GDPR: at what age can pupils give consent?

There's no statutory age at which pupils can give consent for data processing under the UK GDPR. Learn what age is usually appropriate, and how to manage issues around seeking pupils' consent.

Last reviewed on 26 May 2023
School types: All · School phases: All
Ref: 34892
  1. There's no statutory rule on when children can provide consent
  2. Different types of data may require different ages for consent
  3. Use your professional judgement to decide whether to use data

There's no statutory rule on when children can provide consent

The UK GDPR doesn't define the age at which children can provide consent for their own personal data to be processed. The only exception is biometric data (see below).

The Information Commissioner's Office (ICO) doesn't set an age either, but it does say you need to consider the competence of the child – whether they have the capacity to understand the implications of the collection and processing of their personal data.

If they do have this capacity, they're considered competent to give their own consent, unless it's evident that they're acting against their own best interests.

If you don't consider the child competent, you'll need to seek parental consent, unless it's evident that would be against the best interests of the child.

The Data Protection Act 2018 does say that pupils using online services must be aged 13 or over