A blog by Michael Murray, ICO’s Head of Regulatory Strategy
28 July 2021
Providing detailed explanations of each standard is one of the ways we’re supporting organisations to conform with the ICO’s Children’s Code.
Our Spotlight blogs are aimed at organisations that are already familiar with the code and the UK General Data Protection Regulation (UK GDPR).
If you’re new to the code and think you may be impacted by it, our Children’s Code video is a good place to start.
Our second post focuses on the standards that compel you to think about what you are doing with children’s data, why you’re doing it, and if it can be justified.
Best interests of the child
The concept of the best interests of the child comes from the United Nations Convention on the Rights of the Child (UNCRC). Put simply, the best interests of the child are whatever is best for any individual child using your service.
You should consider how your use of children’s data impacts on the range of rights they hold under the UNCRC.
Highlighted here are four general parts of the UNCRC that organisations should be addressing.
1. Children have the right to be safe from commercial exploitation (UNCRC Article 32).
Internet society services should avoid default personalised targeting of service features that generate revenue. Think about how you can provide transparent information around how children’s data may be monetised. Personalised advertising should not be on-by-default; should abide by the Committee of Advertising Practice standards; and avoid marketing age-inappropriate or fraudulent products.
2. Children have the right to be protected from abuse when they interact with others (UNCRC Article 34).
On-by-default data sharing with other service users might expose children to risks of violence or abuse. Think about privacy settings – are they set at high privacy by default? Do the children who use your service understand how their information is shared? You need to think about how to ensure children’s personal data doesn’t fall into the wrong hands.
3. Children have the right to have access to a wide range of information and media (UNCRC Article 17).
Think about whether children can find diverse, age-appropriate information as they learn and grow and how they can find it. Online services should not serve personalised news and information that exposes children to information not in their best interests, for example disinformation or content that may be harmful to their health.
4. Children have a right to play (UNCRC Article 31).
This may be as simple as using data analytics to improve gameplay functions or the safe functioning of connected toys or devices. That might mean using children’s personal data to improve their user experience, making it more enjoyable or easier to use.
You must also think about a child’s freedom to join or leave online groups. You should provide clear privacy notices that children can understand and give them control over who they can share information with.
Detrimental use of data
To conform with the detrimental use standard, you must comply with the requirements laid out in the UK GDPR, but also conform with industry codes of practice, other regulatory provisions, or Government advice. Keeping up to date with the relevant guidance for your industry or sector is a good starting point. The ICO has guidance on the relevant provisions that you should consider before marketing, broadcasting, gaming and news publication for children.
We will refer to other codes of practice, such as the Advertising Standards Agency’s CAP code or the Office of Fair Trading’s Principles for online and app based games, or regulatory advice where relevant to help us assess your conformance to this standard.
You must also consider the obligations defined in relevant provisions, and the potential risks and detriment to children, in your DPIA, as set out in our previous blog.
Data minimisation
You must be clear about the purposes for which you collect personal data; collect the minimum amount of data you need for those purposes; and store that data for the minimum amount of time.
You need to differentiate between each individual element of your service and consider what personal data is needed to deliver each element and for how long.
Children should be given as much choice as possible over which elements of your service they wish to use and how much personal data they need to provide. Avoid using data beyond its original function, or gathering more data than is necessary to perform this function.
This is particularly important if you are using personal data to ‘improve’, ‘enhance’ or ‘personalise’ your users’ online experience beyond the provision of your core service.
Working through these three standards is a fundamental step towards understanding your responsibilities to children when it comes to handling their personal data online.
There’s much more detail in our dedicated guidance.
Our next blog post will cover transparency, parental controls and online tools.
Michael Murray is the Head of Regulatory Strategy at the ICO.