
Control measure: There is an assessment whether children are likely to access the online service, and an appropriate evidence-based decision taken on whether to apply the code standards.

Risk: If there is no consideration of whether children are likely to access the online service (regardless of whether the service is aimed at children or not), this may mean the code standards are not applied, resulting in a risk to children’s privacy. This may breach UK GDPR articles 5, 8, 12-14, and 35.  

Ways to meet our expectations:

  • Assess whether a significant number of UK children under 18 years of age are likely to access all, or parts, of your online service. Consider whether:
      • the online service is intended for use by children;
      • the online service is adult-only, but is accessed by a significant number of children;
      • there is evidence that children are, or are not, a substantive and identifiable user group (a lack of evidence that children are using the online service is not sufficient to show that children do not access it);
      • children can access the online service because age assurance measures are weak;
      • there has been customer contact, support requests, or complaints from children or parents;
      • the online service carries advertising targeted at children, or advertising data shows a high number of click-throughs or other interest in child-focused advertising;
      • there is child-focused content on the online service (eg cartoons, animation, music or audio content, incentives for children's participation, digital functionalities such as gamification, or the presence of children, influencers or celebrities popular with children); and
      • children are known to like and access similar online services or content.
  • Complete the assessment before processing the information and document the outcome as part of a data protection impact assessment (DPIA). Include a clear decision and justification on whether children are likely to access all or parts of your online service. 
  • Review the assessment regularly so it remains accurate, particularly before implementing changes to your online service.
  • If the service is adult-only, implement effective measures to prevent children from accessing it. Obtain sufficient evidence to show that children cannot access the service and, as a result, are not using it.

Options to consider:

  • Conduct your own user testing and market research to see if your service is appealing to children.
  • Review peaks in access (eg after school and during the school holidays).
  • Consider whether there are toys or other products associated with your services that are targeted at children and will encourage use.
  • Check whether clips of teenagers using the service are popular on video streaming sites.
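The "review peaks in access" option above can be checked directly against access logs. The following is an added example, not ICO text or code: it buckets request timestamps by hour of day, separates weekdays from weekends, and flags a disproportionate share of weekday traffic in a 15:00-17:59 "after school" window. The log line format, the sample lines, the window and the 2.0 threshold are all constructed assumptions for illustration; the same functions can be run over a term-time week and a school-holiday week to compare the two periods the page mentions.

```python
"""Hourly access-peak analysis over constructed access-log lines.

Added example for the "review peaks in access" check. The log format,
sample data, after-school window and threshold are assumptions; adapt
the parser to your own logs before relying on the output in a DPIA.
"""
from collections import Counter
from datetime import datetime

# Constructed sample lines: "<ISO-8601 local timestamp> <user-id> <path>".
# 2024-03-04 and 2024-03-05 are a Monday and Tuesday; 2024-03-09 is a Saturday.
SAMPLE_LOG = """\
2024-03-04T08:10:00 u1 /play
2024-03-04T12:30:00 u2 /play
2024-03-04T15:45:00 u3 /play
2024-03-04T16:05:00 u4 /play
2024-03-04T16:20:00 u5 /play
2024-03-04T17:10:00 u6 /play
2024-03-04T21:00:00 u7 /play
2024-03-05T09:00:00 u8 /play
2024-03-05T15:30:00 u9 /play
2024-03-05T16:40:00 u10 /play
2024-03-05T17:55:00 u11 /play
2024-03-09T11:00:00 u12 /play
2024-03-09T14:00:00 u13 /play
2024-03-09T16:00:00 u14 /play
2024-03-09T20:00:00 u15 /play
"""

# Assumed "after school" window: 15:00-17:59 local time (3 of 24 hours).
AFTER_SCHOOL = range(15, 18)


def parse_log(text):
    """Yield a datetime per well-formed log line; skip malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            yield datetime.fromisoformat(parts[0])
        except ValueError:
            continue


def hourly_profile(timestamps, weekend=False):
    """Count requests per hour of day for weekdays (default) or weekends."""
    counts = Counter()
    for ts in timestamps:
        if (ts.weekday() >= 5) != weekend:
            continue
        counts[ts.hour] += 1
    return counts


def after_school_share(counts):
    """Fraction of requests falling in AFTER_SCHOOL; 0.0 when there is no data."""
    total = sum(counts.values())
    if total == 0:
        return 0.0
    return sum(counts[h] for h in AFTER_SCHOOL) / total


def after_school_peak(text, threshold=2.0):
    """Return (weekday_share, weekend_share, flagged).

    A uniform day would put 3/24 = 12.5% of traffic in the window. The
    weekday share is flagged when it reaches `threshold` times that
    baseline. The 2.0 default is an assumption, not an ICO figure; tune it
    against your own traffic and record the reasoning in the DPIA.
    """
    timestamps = list(parse_log(text))
    weekday = after_school_share(hourly_profile(timestamps))
    weekend = after_school_share(hourly_profile(timestamps, weekend=True))
    baseline = len(AFTER_SCHOOL) / 24
    return weekday, weekend, weekday >= threshold * baseline


if __name__ == "__main__":
    wd, we, flagged = after_school_peak(SAMPLE_LOG)
    print(f"weekday after-school share: {wd:.2f}")
    print(f"weekend after-school share: {we:.2f}")
    print("school-day peak detected" if flagged else "no school-day peak")
```

The weekend profile acts as a control: a weekday window share far above both the uniform baseline and the weekend share is the pattern worth recording as evidence in the assessment. Bank holidays and half-term weeks are not handled here; run the same functions separately over term-time and holiday date ranges rather than pooling them.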


Control measure: There is an embedded privacy management framework endorsed by management that supports the development and provision of online services aimed at, or likely to be accessed by, children.

Risk: Without an embedded privacy framework, there is a risk that privacy concerns are not identified, managed or prioritised appropriately. This may breach UK GDPR article 5 (2).

Ways to meet our expectations:

  • Implement an overall governance and privacy management strategy or framework that includes appropriate technical and organisational measures designed to effectively implement the data protection principles.
  • Have data protection policies and procedures in place that you update and review regularly and communicate to all staff.
  • Make senior management accountable for understanding and addressing the risks associated with developing and providing online services aimed at or likely to be accessed by children.
  • Appoint a Data Protection Officer (DPO) or a nominated DP lead with oversight of your online services aimed at, or likely to be accessed by, children.
  • Assign responsibility in job descriptions to ensure your services comply with data protection law.
  • Promote a positive data protection culture across your organisation.

Options to consider:

  • Introduce a steering group, committee or forum that is responsible for overseeing your online services, their use and the associated risks. They can act as a channel for communication of information and risks to senior management.


Control measure: Online service developers are appropriately skilled and qualified and have completed data protection training covering children's privacy before starting active development.

Risk: Without specialist training, there is a risk of breaches caused by lack of specialist knowledge. This may breach UK GDPR article 5 (1) (f).

Ways to meet our expectations:

  • Set out the minimum skills and experiences or qualifications required for the role of service developer in recruitment adverts and job descriptions.
  • Complete a training needs analysis for online service developers in privacy considerations and data protection law.
  • Deliver regular up-to-date and appropriate specialised data protection training to key roles.

Options to consider:

  • Retrain online service developers following any data privacy and security issues with the system.
  • Make data protection training a mandatory annual event.


Control measure: There is an effective risk management strategy in place to capture all the privacy risks during the development and provision of online services aimed at, or likely to be accessed by, children. Risks are tracked at a corporate or management level through an appropriate risk register.

Risk: Without an effective risk management strategy, there may be risks involved in this type of processing that are not mitigated, threatening children's rights and freedoms. This may breach UK GDPR article 5 (1) (f).

Ways to meet our expectations:

  • Implement an overarching risk management strategy for your online services.
  • Assess the level of risk, and set a risk appetite, proportionate to the extent and nature of the use of your online services.
  • Document and track risks on a risk register.
  • Update management in a timely manner on current risks, their status and any mitigating actions planned.

Options to consider:

  • Use a recognised risk assessment framework to assess the risks involved with processing within your online services.


Control measure: There are reports against the standards in the code included in any internal or external accountability reports, and there is a programme of compliance audits and KPIs (key performance indicators) to monitor compliance with code standards.

Risk: Without effective compliance monitoring and reporting, there is a lack of assurance that risk management is sufficient or effective or that it conforms to the standards in the code. If audit findings and KPIs are not properly reported to oversight and governance bodies, they do not have the correct information to make the necessary decisions, potentially causing breaches. This may breach UK GDPR articles 5 (1) (f) and 5 (2).

Ways to meet our expectations:

  • Implement KPIs in areas such as:
      • number of underage and overage users detected and removed from services;
      • access to and use of privacy information (click-throughs, expansion of layered information, level of engagement with settings);
      • changes to engagement rates (eg following positive nudges, suggestions to save progress, or pauses in engagement);
      • level of complaints and concerns about terms and conditions or content recommendations;
      • number of information access or erasure requests received; and
      • number and nature of revisions to service design.
  • Include commentary on children's privacy and on performance against KPIs in your internal and external accountability reports.
  • Report and review KPIs regularly in appropriate meetings.
  • Implement a programme of internal and external audit to monitor compliance with the standards in the code.
  • Feed audit reports and outcomes back to management and track issues or risks on an appropriate risk register.

Options to consider:

  • Create a dashboard giving a high level summary of performance in all related KPIs.


Control measure: There is an internal record of processing activities (ROPA) in place.

Risk: Without a ROPA, there may be a breach of UK GDPR requirements. If the ROPA does not have its foundation in a data mapping exercise, it may not be complete or accurate. This may breach UK GDPR article 30.

Ways to meet our expectations:

  • Complete a data flow mapping exercise to document the information that flows in, around and out of your online system or service.
  • Ensure the information documented within your ROPA is in line with the requirements set out in article 30 of the UK GDPR.
  • Review the ROPA on a regular basis to maintain accuracy with current processing activities, policies and procedures.

Options to consider:

  • Document your processing activities in electronic form so information can be added, removed and amended easily.


Control measure: There are published rules which govern the behaviour of people who use the service and the conditions for use; and adherence to these rules is monitored. 

Risk: Without the existence and monitoring of adherence to terms and conditions or service user agreements, there is a risk that the service will be misused or abused by someone, having a negative impact on a child. If people sign up or engage on the basis that they (and others) will be subject to particular conditions or rules and these are not upheld, then there is a risk of unfairness.

Ways to meet our expectations:

  • Provide people with appropriate terms and conditions or rules before using your online service.
  • Write terms and conditions or rules in clear language that is appropriate for the age of the intended user and implement different policies depending on the age of the users.
  • Have checks in place to provide assurances that people uphold and adhere to the rules.
  • Communicate how compliance with the rules or terms and conditions is monitored.
  • Introduce systems so that you meet any commitments to people about the content or other aspects of the online service (eg anti-bullying).
  • Include details of the action you take if rules are breached or not adhered to.

Options to consider:

  • Take the age of the child into account when upholding policies.
  • Document evidence to confirm that you have acted on any breaches according to the rules (eg people removed from the service).
  • Make sure that the methods you use to monitor breaches of terms and conditions are proportionate to the risk such a breach may pose.