The ICO exists to empower you through information.

Data sharing with a third-party organisation concerns how service-owners share user’s:

  • personal characteristics;
  • profiles;
  • service behaviours (such as social media posts, searches or gameplay stats); and
  • other personal data

with organisations. This data could, for example, be shared:

  • for commercial purposes;
  • to fulfil a legal requirement;
  • for research; or
  • to safeguard children.

It may be done on an ad-hoc basis, or as part of an ongoing exchange. 

The Children’s code Data sharing standard outlines expectations for online services likely to be accessed by children that share children’s data with third parties. The links below give examples and information on how data sharing with a third-party organisation impacts children’s rights under the UNCRC. We also offer code recommendations on how to positively support and mitigate risks to these rights in this context.

Article 6: Life, survival and development

Children have an inherent right to life and survival. Their physical and emotional development should not be impeded.

Data sharing with third parties can support this right where it is for safeguarding purposes. It could also be to fulfil a regulatory requirement relating to children’s wellbeing and safety.                                    

Article 8: Development and preservation of identity

Children have a right to develop and preserve their identity, including:

  • nationality;
  • name;
  • family relations;
  • gender; and
  • other personal identity characteristics.

This right is at risk where services share children’s identity data with third parties without a compelling reason to do so, in the best interests of the child.

Article 12: Respect for the views of the child

Children who are capable of forming their own views have rights to express them, in all matters that affect them.

Services can support this right where privacy settings give children (and parents where appropriate) informed choices about how services share their data. This right is at risk where services do not provide privacy settings, or don’t meet the principles of the Transparency or Data Sharing standards.

Article 16: Protection of privacy

Children have a right to be protected from arbitrary or unlawful interference with their privacy.

Services can support this right by using privacy-preserving technical measures (for example pseudonymisation or encryption) when sharing children’s personal data.

Article 19: Protection from violence, abuse and neglect

Children have a right to be protected from all forms of physical or mental violence, abuse, maltreatment or exploitation.

Data sharing with third parties can support this right where it is for safeguarding purposes. It could also be to fulfil a regulatory requirement relating to protecting children from abuse, neglect or violence (for example with social care bodies).

Article 32: Protection from economic exploitation

Children have a right to be protected from economic exploitation of all forms.

Data sharing with third parties can support this right where it is for safeguarding against economic exploitation (for example economic fraud and identity theft). Services can risk this right where it is for commercial gain and against the best interests of the child, or done without adequate transparency.

Article 34: Protection from sexual exploitation

Children have a right to be protected from all forms of sexual exploitation and abuse. This includes coercion into unlawful sexual activity or creation of sexual content.

Data sharing with third parties can support this right where it is for safeguarding purposes. It could also be to fulfil a regulatory requirement relating to prevention of sexual exploitation (for example with police).

Children’s code recommendations on data sharing with third parties:

  • Do not disclose children’s data unless you can demonstrate a compelling reason to do so, taking account of the best interests of the child.
  • Obtain assurances, and do due diligence, on third parties you are sharing data with. This is to ensure they are not using children’s data in ways that are not in the children’s best interests.
  • Any default settings related to data sharing should specify the purpose of the sharing and who you are sharing the data with. Settings which allow general or unlimited sharing are not compliant.
  • Provide clear information about what you do with children’s personal data in more specific, ‘bite-size’ explanations. Do this at the point at which you share the personal data. This is sometimes referred to as a ‘just-in-time notice’.
  • Depending on the child’s age and the risks inherent in the processing, you should prompt them to speak to an adult before they activate any new use of their data. You should also say to not proceed if they are uncertain.
  • Allow users the option to change their data sharing settings either permanently or just for the current use.
  • Retain inter-user data sharing choices or high privacy defaults when you update the software.

Do not use nudge techniques to lead or encourage children to provide unnecessary personal data or turn off privacy protections. Nudge techniques are design features which lead or encourage users to follow the designer’s preferred paths in the user’s decision making. For example, presenting one choice more prominently than another, or framing one alternative more positively than another.