Information Commissioner's Office
Blog: Spotlight on the Children’s Code standards - best interests of the child, detrimental use of children’s data and data minimisation
A blog by Michael Murray, ICO’s Head of Regulatory Strategy
Providing detailed explanations of each standard is one of the ways we’re supporting organisations to conform with the ICO’s Children’s Code.
Our Spotlight blogs are aimed at organisations that are already familiar with the code and the UK General Data Protection Regulation (UK GDPR).
If you’re new to the code and think you may be impacted by it, our Children’s Code video is a good place to start.
Our second post focuses on the standards that compel you to think about what you are doing with children’s data, why you’re doing it, and if it can be justified.
Best interests of the child
The concept of the best interests of the child comes from the United Nations Convention on the Rights of the Child (UNCRC). Put simply, the best interests of the child are whatever is best for any individual child using your service.
You should consider how your use of children's data impacts on the range of rights they hold under the UNCRC.
Highlighted here are four general parts of the UNCRC that organisations should be addressing.
1. Children have the right to be safe from commercial exploitation (UNCRC Article 32).
Internet society services should avoid default personalised targeting of service features that generate revenue. Think about how you can provide transparent information around how children’s data may be monetised. Personalised advertising should not be on-by-default; should abide by the Committee of Advertising Practice standards; and avoid marketing age-inappropriate or fraudulent products.
2. Children have the right to be protected from abuse when they interact with others (UNCRC Article 34).
On-by-default data sharing with other service users might expose children to risks of violence or abuse. Think about privacy settings – are they set at high privacy by default? Do the children who use your service understand how their information is shared? You need to think about how to ensure children’s personal data doesn’t fall into the wrongs hands.
3. Children have the right to have access to a wide range of information and media (UNCRC Article 17).
Think about whether children can find diverse, age-appropriate information as they learn and grow and how they can find it. Online services should not serve personalised news and information that exposes children to information not in their best interests. For example disinformation or content that may be harmful to their health.
4. Children have a right to play (UNCRC Article 31)
This may be as simple as using data analytics to improve gameplay functions or the safe functioning of connected toys or devices. That might mean using children’s personal data to improve their user experience, making it more enjoyable or easier to use.
You must also think about a child’s freedom to join or leave online groups. You should provide clear privacy notices that children can understand and give them control over who they can share information with.
Detrimental use of data
To conform with the detrimental use standard, you must comply with the requirements laid out in the UK GDPR, but also conform with industry codes of practice, other regulatory provisions, or Government advice. Keeping up to date with the relevant guidance for your industry or sector is a good starting point. The ICO has guidance on the relevant provisions that you should consider before marketing, broadcasting, gaming and news publication for children.
We will refer to other codes of practice, such as the Advertising Standards Agency’s CAP code or the Office of Fair Trading’s Principles for online and app based games, or regulatory advice where relevant to help us assess your conformance to this standard.
You must also consider the obligations defined in relevant provisions, and the potential risks and detriment to children, in your DPIA, as set out in our previous blog.
You must be clear about the purposes for which you collect personal data; collect the minimum amount of data you need for those purposes; and store that data for the minimum amount of time.
You need to differentiate between each individual element of your service and consider what personal data is needed to deliver each element and for how long.
Children should be given as much choice as possible over which elements of your service they wish to use and how much personal data they need to provide. Avoid using data beyond its original function, or gathering more data than is necessary to perform this function.
This is particularly important if you are using personal data to ‘improve’ ‘enhance’ or ‘personalise’ your users’ online experience beyond the provision of your core service.
Working through these three standards is a fundamental step towards understanding your responsibilities to children when it comes to handling their personal data online.
There’s much more detail in our dedicated guidance.
Our next blog post will cover transparency, parental controls and online tools.
Michael Murray is the Head of Regulatory Strategy at the ICO.
Latest News from
Information Commissioner's Office
International progress for domestic benefit: why the ICO convened a G7 meeting on data flows20/09/2021 16:15:00
A blog by Elizabeth Denham, UK Information Commissioner
We Buy Any Car, Sports Direct and Saga fined £495,000 after sending millions of ‘frustrating and intrusive’ nuisance messages.15/09/2021 13:20:00
The ICO has today announced fines totalling £495,000 to well-known companies that between them sent more than 354 million nuisance messages.
Blog: Sharing personal data in an emergency – a guide for universities and colleges15/09/2021 09:15:00
A blog by Viv Adams, Principal Policy Adviser in the ICO Parliament and Government Affairs team
G7 data protection and privacy authorities’ meeting: communiqué13/09/2021 09:10:00
The UK Information Commissioner’s Office (ICO) brought together data protection and privacy authorities from G7 countries, as well as guests from the Organisation for Economic Cooperation and Development (OECD) and the World Economic Forum (WEF), for a discussion this week on shared emerging challenges that need closer international collaboration.
Statement in response to DCMS consultation into proposed data protection reform10/09/2021 14:10:00
Statement given yesterday in response to DCMS consultation into proposed data protection reform.
ICO to call on G7 countries to tackle cookie pop-ups challenge07/09/2021 14:10:00
The UK Information Commissioner’s Office (ICO) will today call on fellow G7 data protection and privacy authorities to work together to overhaul cookie consent pop-ups, so people’s privacy is more meaningfully protected and businesses can provide a better web browsing experience.
ICO fines Glasgow company for making half a million nuisance calls05/09/2021 09:10:00
The Information Commissioner’s Office (ICO) has fined Glasgow-based company DialADeal Scotland Ltd (DDSL) for making more than half a million nuisance marketing calls.
Statement on DCMS announcement of next Information Commissioner26/08/2021 12:10:00
The Department for Culture, Media and Sport has today announced that John Edwards is the Government's preferred nominee to be the next Information Commissioner.