
Overview and key definitions

Overview

  • Children merit specific protection when you handle their personal information because they may be less aware than adults of the risks involved.
  • If you handle children’s personal information (for non-ISS purposes), you must implement appropriate technical and organisational measures to protect their data protection rights. Among these, you should include designing your systems and processes with children’s needs in mind from the start.
  • If you offer an ISS likely to be accessed by children, you must take their needs into account when designing your services. We explain this requirement in further detail within this guidance.
  • You must comply with the data protection principles when you handle children’s personal information. In particular, you must use their personal information fairly and within their reasonable expectations.
  • You must have a lawful basis for processing a child’s personal information. Consent is one possible lawful basis, but it’s not the only option. Sometimes, using a different basis is more appropriate and can offer stronger protection for the child (eg by providing clearer safeguards).
  • If you offer an ISS directly to a child and want to rely on the consent lawful basis, note that only children aged 13 or over can give their own consent. If the child is under 13, you must get consent from whoever holds parental responsibility for the child unless the online service you’re offering is a preventive or counselling service.
  • Children merit specific protection in particular when you use their personal information for marketing purposes or to create personality or user profiles. You should exercise caution if you plan to use children’s information for these purposes, and must implement appropriate safeguards where required under the law.
  • You should avoid making decisions about children based solely on automated processing if this will have a legal or similarly significant effect on them.
  • Children have the same rights as adults over their personal information, including the rights to: 
    • access their personal information; 
    • request rectification; 
    • object to the use of their personal information; and 
    • have their personal information erased.

You should consider the capacity of the child or young person to exercise their own rights.

  • You must explain to children what you will do with their personal information and what rights they have. You must do this in a way that is easy for them to access and understand, using clear and plain language.
  • You must consider a child’s right to request the erasure of their personal information.
  • If you offer an ISS likely to be accessed by children, you should conform to the children’s code. If you don’t follow this code, you’re likely to find it harder to demonstrate that your use of children’s information is fair and complies with data protection law.

Key definitions

Who is defined as a child?

When we refer to a child, we mean anyone under the age of 18. This follows the definition within the UN Convention on the Rights of the Child (UNCRC), which the United Kingdom has ratified.

What does ‘parental responsibility’ mean?

When we refer to someone with parental responsibility for a child, we mean someone who, according to the law, has the legal rights and responsibilities for a child that parents normally have. This is not always a child’s ‘natural parents’. Parental responsibility can also be held by an organisation (eg a local authority).

Where we use the term ‘parent’ throughout this guidance, we mean anybody who holds parental responsibility for the child, where relevant.

What is an ISS?

An ISS is defined under article 1(1)(b) of Directive (EU) 2015/1535 as:

any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services.

For the purposes of this definition:

(i) ‘at a distance’ means that the service is provided without the parties being simultaneously present;

(ii) ‘by electronic means’ means that the service is sent initially and received at its destination by means of electronic equipment for the processing (including digital compression) and storage of data, and entirely transmitted, conveyed and received by wire, by radio, by optical means or by other electromagnetic means;

(iii) ‘at the individual request of a recipient of services’ means that the service is provided through the transmission of data on individual request.

This means that most online services are ISS providers, even if the ‘remuneration’ (funding) of the service doesn’t come directly from the end user. For example, an online gaming app that is free to a child user but funded by advertising is still defined as an ISS.

It generally includes:

  • websites; 
  • apps; 
  • search engines; 
  • online marketplaces; and 
  • online services providing content (eg on-demand music, games, video and downloads).

If you offer an ISS directly to a child, or your ISS is likely to be accessed by children, you have additional responsibilities to consider when handling children’s personal information. We discuss these responsibilities in more detail throughout this guidance.