Assessment of risk is a key part of your data protection obligations.

Many data-related risks faced by children are similar to those faced by adults. However, in many cases both the likelihood and severity of harms are greater for children than adults.

Recital 38 of the UK GDPR emphasises that:

“children merit specific protection with regard to their personal data, as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing…”

You can use a risk assessment to help determine if it would be suitable to implement an age assurance method.

5.1 How the code addresses risk

The protections and safeguards referred to in Recital 38 are explained in the code’s standards. Standard 1 states that:

“The best interests of the child should be a primary consideration when you design and develop online services likely to be accessed by a child.”

You should use the United Nations Convention on the Rights of the Child (UNCRC) to identify and assess information-related risks to children. The UNCRC describes children’s universal rights and freedoms, which when contravened are likely to harm them.

You could use our “Best interests framework” to support you to apply the UNCRC and identify where ISS activities pose risks to children. This looks at the ways that processing of children’s information may have a negative impact on each of the rights in the UNCRC. For example:

  • the right to life, survival and development (Article 6 of the UNCRC) could be negatively impacted by the use of geolocation data sharing leading to physical harm (eg through stalking);
  • the right to development and preservation of identity (Article 8 of the UNCRC) could be negatively impacted by sharing identity information with third parties or profiling that infers characteristics such as ethnicity and gender without adequate protections; and
  • the right to protection from economic exploitation (Article 32 of the UNCRC) could be negatively impacted by personalised advertising or sharing of children’s information for commercial gain without safeguards.

The code and the best interests framework only cover risks that arise from processing personal information. Risks to children not related to this type of processing are outside the scope of the code.

Standard 3 of the code on age-appropriate application advises that organisations should take a risk-based approach to recognising the age of individual users. You should either:

  • establish age with a level of certainty that is appropriate to the risks to the rights and freedoms of children that arise from your data processing; or
  • apply the standards of the code to all your users.

We have updated our self-assessment risk toolkit which provides practical steps for you to ensure a proportionate and risk-based approach to protecting children’s information.

Data protection risks may lead to real harms to people. You must consider the information processing risks to people when you consider what age assurance method(s) to use. Our data protection harms taxonomy can assist you in considering the potential harms which may arise through information processing on your platform.

5.2 ISS activities likely to result in high risk to children

Your services will be considered high risk if:

  • the likelihood of harm to children occurring from processing their personal information is high;
  • the impact of the harm is not minimal; or
  • there is a reasonable possibility of serious harm occurring.

In these circumstances, you must complete a data protection impact assessment (DPIA).

You may conclude that the activities are not high risk, or that mitigating measures can reduce the risks. In this case, you must document your decisions to show how you have assessed and mitigated these risks.

If you are unable to mitigate any high risks to children, you must consult with us prior to starting the processing, in line with Article 36 of the UK GDPR. If you fail to do so, we may see this as an aggravating factor in any regulatory action we take.

We published guidance on data processing activities that are considered “likely to result in high risks”. These include:

  • large-scale profiling of children (eg to identify children as belonging to particular groups, for automated decision-making, analysing social networks, or to infer interests and behaviours);
  • invisible processing of children’s information that the ISS did not obtain directly from users (eg list brokering, information sharing with third parties, and online tracking of children);
  • targeting children for marketing and advertising (eg personalising marketing content based on children’s personal information);
  • tracking children – this includes tracking the child’s use on the service, or geolocation tracking (eg web and cross-device tracking, fitness or lifestyle monitoring using connected devices and ISS reward schemes);
  • processing personal information with risks of physical or developmental harm to children (eg information that reveals children’s physical location or health);
  • processing personal information with risks of detrimental use (eg processing which is demonstrably against children’s wellbeing, as defined by other regulatory provisions, government advice, or industry codes of practice); and
  • processing personal information that involves using innovative technologies (eg artificial intelligence), smart technologies (eg wearables), or some Internet of Things applications which are demonstrably against children’s wellbeing.

The code sets standards for information processing to apply where risks to children are likely to be high (eg around profiling and information sharing).

5.3 High-risk and age assurance certainty

Standard 3 of the code specifies that you should either:

  • apply all standards of the code to all users; or
  • establish the age of your users to a degree of certainty which is appropriate to the risks present on your service.

This ensures that you tailor services and protections to the age profile of your users.

Where services are high-risk, if you choose not to apply the standards of the code to all users, you should introduce age assurance methods that give a high level of certainty on the age of users. If your service is deemed inappropriate for children in all circumstances, you should focus on restricting access to children.

For high-risk services, you should introduce methods with the highest possible level of certainty on the age of users (as opposed to specifying specific appropriate methods). This acknowledges that the certainty will vary across services. This is due to a range of factors including:

  • technical feasibility;
  • whether your service is used by authenticated or non-authenticated users; and
  • the age range and capabilities of your users.

The Commissioner does not consider that self-declaration on its own is an appropriate method for services that are considered high risk. However, you could use self-declaration alongside other age assurance methods where you can demonstrate that the combination is effective.

You should be able to demonstrate that you have considered a wide range of age assurance options. You should evidence your rationale for choosing a particular method, taking into account the level of certainty the method provides.

5.4 Processing children’s personal information which doesn’t pose a high-risk

Age assurance can also be a helpful tool when your service does not present high risks to children. For example, you could introduce the following age assurance methods that process minimal personal information in order to:

  • restrict access for child users who don’t meet your terms of service;
  • identify the age of children to ensure the service you offer is appropriate for their age group; or
  • provide privacy and transparency information suitable to the specific age of the child.

Alternatively, you could choose to apply the standards of the code to all users in a proportionate way to mitigate any further personal information processing risks you have identified. This is also a privacy-friendly approach that has benefits for all users.

If your service presents minimal information processing risks to children, self-declaration may be appropriate. Where you establish that the risk levels are higher, and you require a higher level of age assurance certainty, you could supplement this method with other more accurate age assurance methods. These would provide a higher level of certainty on the age of child users, provided this is proportionate to the risks you’ve identified.

5.5 Adult-only sites and age assurance

For services that are age-restricted in law (eg gambling or restricted goods sales), you should not be led to the perverse outcome of making your services child-friendly due to the code. If you provide such services, you should focus on preventing access by children. We will continue to work with Ofcom and the DRCF to ensure that these broader online safety risks are managed.

The code applies to ISS likely to be accessed by a significant number of children. This includes services not specifically aimed or targeted at children, but nonetheless likely to be accessed by under 18s.

If a significant number of children are accessing your service, there are two options. You should:

  • apply the principles of the code to all users in a risk-based and proportionate way; or
  • if it would not be appropriate for children to access your service, apply age assurance methods appropriate to the data processing risks, restricting access by under 18s so that a significant number are no longer likely to access the service. If access is effectively restricted, the code does not apply.

You may also have duties under other legislation to restrict access to children, including online safety and restrictions on access to gambling services. The OSA places a duty on providers of pornographic content to ensure that children do not encounter pornographic content by using age assurance methods. Section 6 of this opinion provides more details on these requirements. Ofcom’s draft guidance on age assurance, and other duties under part 5 of the OSA, is published for consultation.

Further reading

Guidance on how to assess whether your service is likely to be accessed by children under the Children’s code is available here.

5.6 Age-gating

If you use an age-gating page to prevent under 18s from accessing your service, it is not within scope of the code if:

  • it ensures that children are not accessing the service;
  • the methods are robust and effective and therefore prevent under 18s accessing the service; and
  • it is not an extension of the adult service (eg the age-gating page does not allow access to parts of the adult site before age assurance occurs).

Under data protection law, it is unlikely that self-declaration is an effective way to fully restrict access of high risk services to underage users.

You must ensure that your age-gating page is compliant with data protection legislation.