Executive Summary
Introduction
In 2022 the Information Commissioner set out his vision for the regulator we want to be in his ICO25 strategic plan. The plan aims to empower organisations to use information responsibly and confidently, so that they can invest and innovate, and to empower people to share their information confidently in order to use the products and services that drive our economy and our society.
The pace of technological change and innovation means the landscape we regulate is constantly transforming. To empower and support organisations we need to maintain our understanding of how these transformations are being implemented. As part of the ICO25 strategic plan, the ICO’s Assurance department approached organisations within the financial services sector to review their processing of information.
The review looked at two main areas:
- The use of children’s data
- The use of AI and automated decision making.
We were also keen to collect the views of organisations within the sector about their experiences of implementing good data protection practice, compliance challenges, competing regulatory or legislative priorities and any general data protection concerns.
Recital 38 of the UK GDPR says that
“children merit specific protection with regard to their personal data, as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data.”
For these reasons children are identified as a vulnerable group within the ICO25 strategic plan, and protecting them through the responsible use of their information is a current priority. The ICO has already published a guide to using children’s information; this report, however, contains themes and findings drawn from the information provided by a range of organisations within the financial services sector that offer products and services to children. It does not name or otherwise identify any individual participant. The report highlights good practice as well as areas of risk, or where improvements may be needed.
The findings of the review of the use of AI and automated decision making in the financial services sector are contained in a separate report.
Methodology
From March to September 2024, we gathered information about the processing of children’s data from participants and in particular those who supply current accounts, savings accounts, trust accounts, ISAs and prepaid cards to children or that use children’s data for their administration. This was done using a mix of questionnaires and direct engagement which provided the views of over 40 organisations (participants).
Several participants provided access to their key documents to support the review process. Where participants engaged directly, we held interviews with key staff who have responsibility or involvement in processing children’s data.
The review of children’s data processing focussed on the following areas:
- Governance: the measures in place to control the processing of children’s data.
- Transparency: the information given to children which tells them what their data will be used for.
- Use of information: what information is processed, for what purpose and which lawful basis is used.
- Individual Rights: how individual rights relating to children’s data are handled, whether received from children, parents[1] or other third parties.
- Age Verification: the methods used to identify, and verify the age of, children.
- Further contact and marketing: how children are contacted about their accounts and what information is provided to them about other products and services.
The review focussed on these areas with all participants so that common themes could be identified and included in this report for the benefit of other organisations who carry out similar processing.
This report summarises:
- evidence of good practice;
- evidence of risks to data protection compliance; and
- instances where we found that improvements may be necessary to data practices.
Key Findings
Children are important customers for many financial services. Several participants highlighted children’s products as a key area of focus for development as they represent the future customer base for the wider range of products and services offered. The review of processing of children’s data provided the following key findings.
Governance
Most organisations had policies in place to control the use of children’s information. However, there was limited monitoring of compliance with these policies. Nearly all organisations provided data protection training to staff; however, fewer than a fifth included specific training about the use of children’s information.
Transparency
Only half of organisations reported having age appropriate privacy information. However, following our review the number that we considered to have effective age appropriate privacy information was lower. The examples of privacy information that were suitable for children included age appropriate language and engaging descriptions of how organisations use their information.
The approach taken by several organisations appears to have passed their own transparency responsibilities onto parents. As a result, there was a significant risk that children are recorded as agreeing to terms and conditions or privacy information that they do not actually understand. Providing privacy information was also often a one-time exercise that is not revisited as children age and their understanding increases.
Use of information
Most organisations regularly reviewed the categories of children’s data collected to ensure it was limited to what is necessary, particularly for special categories of data. There were effective controls in place to prevent excessive data collection or purpose creep across all organisations observed.
Consent was used for some processing purposes; however, some organisations asked parents to provide the consent on behalf of their child in the first instance but failed to keep this consent under review. This means that as the child gets older and their ability to understand the processing for themselves increases, the original consent is likely to become invalid until it is refreshed and obtained from the child.
Individual rights
Respondents reported that requests to exercise the individual rights set out in the UK GDPR by, or on behalf of, children are infrequent and low in volume. However, as a result of the issues found with explaining privacy information and their rights to children, parents’ wishes often, unfairly, supersede those of children. In several cases the decision whether to accept requests for children’s information from the child or their parent is made using a predetermined age limit rather than an assessment of the child’s competence.
Age verification
Processes to verify the age of children were robust across all organisations.
Contact (including marketing)
Many organisations provided administrative communications. Nearly all had a policy that prevents marketing to children. There was limited distinction between parents and children in how communications were provided, which was sometimes based simply on whose contact information was available. This creates a high risk of non-compliance with communications and marketing requirements.
[1] Parent refers to the individual(s) who has parental responsibility for a child as defined by s 3(1) Children Act 1989.