What should our general approach be to handling children’s personal information?
In detail
- Why do children merit specific protection?
- What about the data protection principles?
- How do we build in data protection from the start when using children’s information?
- What are the 'best interests of the child'?
- What if we’re unsure whether we’re using children’s personal information or not?
- Do we need to consult with children if we plan to use their personal information?
- How do other regulatory duties affect our use of children’s personal information?
Why do children merit specific protection?
Recital 38 of the UK GDPR explains why children merit specific protection when their personal information is used. It also highlights contexts where this protection is particularly important. It states:
“Children merit specific protection with regard to their personal data as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data. Such specific protection should, in particular, apply to the use of personal data of children for the purposes of marketing or creating personality or user profiles and the collection of personal data with regard to children when using services offered directly to a child.”
The fact that children merit such protection is also reflected in a specific legal requirement for ISS providers under article 25. In particular, if you provide an ISS likely to be accessed by children, you must take children’s needs into account when designing your products or services. (See the section How do we build in data protection from the start when using children’s information? for further details.)
What about the data protection principles?
You must comply with the data protection principles when you handle personal information. These principles are designed to protect people’s rights and interests, and fairness is crucial, particularly where children are involved. The principles apply to everything you do with personal information (except where you’re able to rely on an exemption), and are key to complying with the UK GDPR.
How do we build in data protection from the start when using children’s information?
Data protection by design and default
Article 25 of the UK GDPR says you must put in place appropriate technical and organisational measures to implement the data protection principles effectively and protect people’s rights.
This approach is ‘data protection by design and by default’. You must:
- build data protection into your processing activities and business practices from the design stage right through the lifecycle; and
- limit the personal information you use to what is necessary to achieve your specific purpose.
To do this effectively when handling children’s personal information, you should incorporate child-friendly design features into your processes, products and systems from the beginning. Taking a data protection by design and default approach from the start will also help you comply with many other parts of the UK GDPR, including the accountability principle.
If you provide an ISS covered by the children’s code, you must take children’s needs into account (and be able to demonstrate this) when deciding what technical and organisational measures are appropriate. This is the ‘children’s higher protection matters’ duty. Under article 25(1B) of the UK GDPR, the children’s higher protection matters are:
“(a) how children can best be protected and supported when using the services, and
(b) the fact that children -
(i) merit specific protection with regard to their personal data because they may be less aware of the risks and consequences associated with processing of personal data and of their rights in relation to such processing, and
(ii) have different needs at different ages and at different stages of development.”
If you already conform to the children’s code, you are likely to comply with this duty.
You could use age ranges as a guide to the typical capacity, skills and behaviours a child may display at different stages of development. This can help you choose design measures that are suitable for children of broadly those age groups. However, these ranges aren’t a perfect guide and won’t reflect every child’s individual interests, needs and evolving capacities.
The ‘children’s higher protection matters’ duty only applies if you provide an ISS covered by the children’s code. However, thinking about children’s needs in this way can still be helpful if you regularly handle children’s information. For example, you may not provide an online service, but you may still use children’s personal information in other contexts. Taking this approach shows that you take their privacy seriously and supports you in meeting your broader privacy-by-design obligations.
Taking a data protection by design and default approach also means building transparency into your processes from the beginning. If you plan to use children’s personal information, you must:
- be clear, open and honest with them from the start about what to expect; and
- provide this information in a way that’s easy for them to access and understand.
(For further detail about what you must tell children and how to provide this information effectively, see the section How does the right to be informed apply to children?.)
There are many ways to incorporate data protection by design and default when handling children’s personal information. Examples include (but are not limited to):
- providing age-appropriate privacy information to children using simple and clear language or visuals that explain how you collect, use and share their information (offering different versions for different age groups as appropriate);
- avoiding design or organisational practices that lead or encourage children to provide excessive or unnecessary personal information (known as ‘nudge techniques’);
- giving children short and timely explanations when they’re about to share their personal information with you:
  - in person;
  - in writing; or
  - through a digital system;
- offering prominent and accessible privacy tools or routes (such as clear contact points, forms or settings) to help children:
  - exercise their data protection rights; and
  - raise any concerns about your use of their information;
- setting strict access controls by default to ensure that only those with a genuine need can access children’s personal information; and
- taking a cautious and proportionate approach to sharing children’s personal information, including by:
  - ensuring this is kept to a minimum by default; and
  - only sharing more sensitive information where this is clearly justified.
You could also have your use of personal information certified through an ICO-approved certification scheme. This can help demonstrate your compliance with data protection by design and default. If your organisation has to comply with the children’s higher protection matters duty, you could consider:
- the Age-Check Certification Scheme (ACCS) – this assesses the effectiveness and data protection compliance of age assurance products; and
- the Age Appropriate Design Certification Scheme (AADCS) – this assesses the age-appropriate design of an ISS likely to be accessed by children.
Using an approved certification scheme can also help reassure children and parents that you:
- have taken appropriate steps to protect the children’s personal information; and
- meet recognised data protection standards.
Further reading – ICO guidance
- Data protection by design and default
- Age appropriate design: a code of practice for online services
- The children’s code design guidance
- Age appropriate design code – standard 3: age appropriate application
- Age appropriate design code – annex B: age and developmental stages
- Accountability and governance
- Certification schemes
Data protection impact assessments (DPIAs)
Completing a DPIA will help you:
- think about what child-friendly design features to build into your processes, products and systems; and
- assess and mitigate any data protection risks to children which are likely to result from your use of their information.
If your use of personal information is likely to result in a high risk to the rights and freedoms of children, you must complete a DPIA. This includes (but is not limited to) if you:
- use children’s personal information for marketing, profiling or other automated decision-making purposes; or
- plan to offer online services directly to children.
These activities don’t always result in a high risk to children’s rights and freedoms. You may not know whether they do until after you have completed your DPIA. However, you must always complete a DPIA for these types of activities.
Under article 35(1) of the UK GDPR, you must also assess any proposed use of personal information to decide whether it requires a DPIA before you begin. This assessment:
- helps you identify high-risk processing at an early stage; and
- ensures that you meet your wider DPIA obligations.
Where you are required to complete a DPIA before handling children’s information, you must include (among other things):
- what personal information you plan to use and how;
- how likely your processing activities are to impact or harm children and how severely; and
- whether you can make any changes to your processing activities to reduce or avoid each of the risks you’ve identified.
What are the ‘best interests of the child’?
The concept of the best interests of the child comes from article 3 of the UNCRC. This article states:
“In all actions concerning children, whether undertaken by public or private social welfare institutions, courts of law, administrative authorities or legislative bodies, the best interests of the child shall be a primary consideration.”
It provides a guiding framework that can help you understand and respect children’s needs when you use their personal information. Although the UK GDPR does not refer specifically to this UNCRC principle, we take it into account when considering compliance. You should do the same when deciding how to use children’s personal information.
The principle covers, among other things, children’s needs regarding:
- safety;
- privacy;
- well-being; and
- the right to be heard.
It also emphasises your responsibility to balance children’s rights and interests against your own.
We were required to take the UNCRC into account when drafting the children’s code. Standard 1 of the code explains that providers of ISS likely to be accessed by children should take the best interests of the child as a primary consideration when designing and developing their online services.
Further reading – ICO guidance
- Age appropriate design code – standard 1: best interests of the child
- Best interests of the child self-assessment
What if we’re unsure whether we’re handling children’s personal information or not?
If you aren’t sure whether you’re handling children’s personal information or what age range they fall into, you should take a cautious and risk-based approach. This may mean:
- designing your processes, products and systems so they offer sufficient protection for all service users, including children;
- limiting the personal information you collect to what is necessary to provide your service to both adults and children; and
- enforcing any age restrictions you’ve set by using age-assurance measures proportionate to the risks associated with your use of personal information.
In practice, your design choices may vary depending on:
- the level of risk involved;
- the rights and freedoms of the child; and
- the UK GDPR provisions that apply to your use of personal information (which can differ based on the type of service you provide and your reasons for using personal information).
Even if you’re not actively planning to use children’s personal information (eg if you’re designing a product or service aimed only at adults), you should still consider whether children are able or likely to access your product or service. This also applies if you’re designing a product or service for older children, but you think that younger children are able or likely to use it.
Completing a DPIA can help you assess these risks early and identify appropriate safeguards.
Standard 3 of the children’s code also acknowledges the importance of taking a risk-based approach to recognising the age of individual users and effectively applying the standards to child users.
To support this, we’ve produced an Opinion on age assurance for the children’s code. This explains how age assurance can help mitigate the data protection risks children face online and support ISS providers in complying with the code.
Whether the code applies to you or not, you should consider:
- the target age range for your activities and services; and
- the potential for children outside that range to use your services or provide their personal information to you.
Do we need to consult with children if we plan to use their personal information?
Whether or not it’s appropriate to consult with children depends on your particular processing activities. Where practical, you should invite children to share their views when you are designing your processing activities and include diverse groups who can provide a broad range of feedback. This can help you identify risks, design safeguards and assess understanding.
It also gives you an opportunity to test your system or product with child users.
Consulting children is also consistent with article 12 of the UNCRC, which emphasises the importance of listening to children and taking their opinions seriously.
The United Nations Children’s Fund (UNICEF) recommends that organisations account for children’s views by:
- consulting experts and children’s rights advocates; and
- employing expert third-party facilitators who know how to engage with children in ways that suit their differing ages and abilities.
Taking this approach can help you:
- maintain children’s safety throughout a consultation;
- capture their views and experiences more accurately; and
- better understand their perspectives.
Children in Scotland and the Children’s Commissioner for Wales have also produced guidelines to help organisations that want to engage with children.
How do other regulatory duties affect our use of children’s personal information?
It is also important to consider any related duties you may have under other regulations, including the Online Safety Act (OSA), to protect children. These duties can:
- affect how you design your services; and
- help you identify the risks you need to consider to use children’s information fairly and safely under data protection law.
For example, if a service is likely to be accessed by children, the OSA imposes duties on ‘user-to-user’ service providers to:
- use proportionate measures to mitigate and manage the risks of harm to children in different age groups, as identified in the provider’s children’s risk assessment;
- mitigate the impact of harm to children in different age groups presented by content that is harmful to children;
- use proportionate systems and processes to prevent children from encountering ‘primary priority content’ that is harmful to them (as defined in the OSA); and
- protect children in age groups judged to be at risk of harm from encountering other content that is harmful to children.
Thinking about your various regulatory duties together can help ensure your approach is consistent, and that you are protecting children’s rights and interests across all of your processing activities.