Information Commissioner's Office
Blog: Spotlight on the Children’s Code standards - best interests of the child, detrimental use of children’s data and data minimisation
A blog by Michael Murray, ICO’s Head of Regulatory Strategy
Providing detailed explanations of each standard is one of the ways we’re supporting organisations to conform with the ICO’s Children’s Code.
Our Spotlight blogs are aimed at organisations that are already familiar with the code and the UK General Data Protection Regulation (UK GDPR).
If you’re new to the code and think you may be impacted by it, our Children’s Code video is a good place to start.
Our second post focuses on the standards that compel you to think about what you are doing with children’s data, why you’re doing it, and if it can be justified.
Best interests of the child
The concept of the best interests of the child comes from the United Nations Convention on the Rights of the Child (UNCRC). Put simply, the best interests of the child are whatever is best for any individual child using your service.
You should consider how your use of children's data impacts on the range of rights they hold under the UNCRC.
Highlighted here are four general parts of the UNCRC that organisations should be addressing.
1. Children have the right to be safe from commercial exploitation (UNCRC Article 32).
Internet society services should avoid default personalised targeting of service features that generate revenue. Think about how you can provide transparent information around how children’s data may be monetised. Personalised advertising should not be on-by-default; should abide by the Committee of Advertising Practice standards; and avoid marketing age-inappropriate or fraudulent products.
2. Children have the right to be protected from abuse when they interact with others (UNCRC Article 34).
On-by-default data sharing with other service users might expose children to risks of violence or abuse. Think about privacy settings – are they set at high privacy by default? Do the children who use your service understand how their information is shared? You need to think about how to ensure children’s personal data doesn’t fall into the wrongs hands.
3. Children have the right to have access to a wide range of information and media (UNCRC Article 17).
Think about whether children can find diverse, age-appropriate information as they learn and grow and how they can find it. Online services should not serve personalised news and information that exposes children to information not in their best interests. For example disinformation or content that may be harmful to their health.
4. Children have a right to play (UNCRC Article 31)
This may be as simple as using data analytics to improve gameplay functions or the safe functioning of connected toys or devices. That might mean using children’s personal data to improve their user experience, making it more enjoyable or easier to use.
You must also think about a child’s freedom to join or leave online groups. You should provide clear privacy notices that children can understand and give them control over who they can share information with.
Detrimental use of data
To conform with the detrimental use standard, you must comply with the requirements laid out in the UK GDPR, but also conform with industry codes of practice, other regulatory provisions, or Government advice. Keeping up to date with the relevant guidance for your industry or sector is a good starting point. The ICO has guidance on the relevant provisions that you should consider before marketing, broadcasting, gaming and news publication for children.
We will refer to other codes of practice, such as the Advertising Standards Agency’s CAP code or the Office of Fair Trading’s Principles for online and app based games, or regulatory advice where relevant to help us assess your conformance to this standard.
You must also consider the obligations defined in relevant provisions, and the potential risks and detriment to children, in your DPIA, as set out in our previous blog.
You must be clear about the purposes for which you collect personal data; collect the minimum amount of data you need for those purposes; and store that data for the minimum amount of time.
You need to differentiate between each individual element of your service and consider what personal data is needed to deliver each element and for how long.
Children should be given as much choice as possible over which elements of your service they wish to use and how much personal data they need to provide. Avoid using data beyond its original function, or gathering more data than is necessary to perform this function.
This is particularly important if you are using personal data to ‘improve’ ‘enhance’ or ‘personalise’ your users’ online experience beyond the provision of your core service.
Working through these three standards is a fundamental step towards understanding your responsibilities to children when it comes to handling their personal data online.
There’s much more detail in our dedicated guidance.
Our next blog post will cover transparency, parental controls and online tools.
Michael Murray is the Head of Regulatory Strategy at the ICO.
Latest News from
Information Commissioner's Office
ICO and Ofcom strengthen partnership on online safety and data protection25/11/2022 15:20:00
The Information Commissioner’s Office (ICO) and Ofcom have today set out how we will work together to ensure coherence between the data protection and the new online safety regimes.
International transfers: empowering innovation and growth whilst protecting people’s personal information18/11/2022 12:25:00
Blog posted by: Emma Bate, 17 November 2022.
ICO launches consultation on how it prioritises FOI complaints09/11/2022 10:20:00
The Information Commissioner’s Office (ICO) has launched a consultation on how it prioritises the complaints it receives about public bodies’ handling of Freedom of Information (FOI) requests.
Department for Education warned after gambling companies benefit from learning records database08/11/2022 12:25:00
The Information Commissioner’s Office (ICO) has issued a reprimand to the Department for Education (DfE) following the prolonged misuse of the personal information of up to 28 million children.
ICO and Cabinet Office reach agreement on New Year Honours data breach fine03/11/2022 15:05:00
The UK Information Commissioner has agreed to reduce the £500,000 Monetary Penalty Notice (MPN) imposed on the Cabinet Office in 2021 in relation to the New Year Honours data breach to £50,000, which the Cabinet Office has agreed to pay, reflecting our new approach to working more effectively with public authorities.
Making our employment guidance work for you28/10/2022 09:05:00
A blog by Elanor McCombe, Group Manager - Policy
‘Immature biometric technologies could be discriminating against people’ says ICO in warning to organisations26/10/2022 09:10:00
The Information Commissioner’s Office (ICO) is warning organisations to assess the public risks of using emotion analysis technologies, before implementing these systems.
‘Biggest cyber risk is complacency, not hackers’ - UK Information Commissioner issues warning as construction company fined £4.4 million24/10/2022 12:25:00
The UK Information Commissioner has warned that companies are leaving themselves open to cyber attack by ignoring crucial measures like updating software and training staff.