The ICO exists to empower you through information.

Once you have identified the potential impacts on children’s rights, you must assess both the likelihood of these impacts occurring and the scale and severity of the impact if they do.

For risks, the below matrix shows a simple and structured way to categorise overall risk levels based on consideration of likelihood and severity. This is taken from the ICO’s guidance on DPIAs. Although you are free to use an alternative approach and framing that is more appropriate to the context of your organisation.

For positive impacts, you can take a similar approach by considering likelihood of positive influence and magnitude of impact to arrive at an assessment of overall benefit.

Likelihood and severity assessments

Your assessment must be evidence-based, and you must strive to be as rigorous and objective as possible. But data protection law and the code are not prescriptive about the tools you must use to assess impacts on children. You have freedom to use the approaches and evidence sources that are best suited to your context. These include the following evidence approaches and sources for you to consider:

  • Consultation with children and parents. The code’s DPIA and best interests standards encourage you to consult children and parents on their needs and views on how you intend to use their data. Approaches for doing this include user surveys, primary research and focus groups, co-design workshops and engagement with youth panels. Our guidance for designers provides artefacts and tools to support you to engage with children and parents in the context of the code.
  • Academic and grey literature. Journal articles, academic publications, research by child advocates and civil society and other open research sources provide a general evidence base on risks to children. The United Nations Digital Library and UNCRC general comment database also offer general theoretical background on the individual rights children hold under the UNCRC.
  • Scenario-based tools. Scenario-based tools offer a structured process for considering how and when different impacts may arise. They do this by developing a range of hypothetical present and future scenarios to consider (eg best-case, most likely and worst-case). They can also support you to identify events and underlying drivers that could trigger these scenarios. For example, through threat modelling or “back-casting” to identify root causes of risks. Some scenario-based tools and approaches are available on an open-source basis.
  • User redress and feedback data. Data from mechanisms allowing children and parents to feedback on your service can be a rich source of evidence. For example, through complaints, data rights requests, or requests for help. Although they are less suitable for assessing impacts that are not visible to children, such as those arising from the use of algorithms. Some online services publish transparency reports on levels of harm and complaints, which also provide a comparative benchmark for you to refer to.
  • Engagement with children’s development and rights specialists. Consultation with third parties with proven expertise in children’s developmental needs and rights and online risks to children can give you assurance on your assessment.
  • External audit and review. Consider commissioning a relevant third party to assess the potential impact of your services on children’s rights.

Regardless of the approach you take to develop your evidence-base, you should always have the following considerations in mind when assessing likelihood and severity:

  • The age ranges of your child users will influence your assessment. In general, the capacity of children to understand and respond to impacts on their rights will increase as they get older and their capacities develop. The severity of risks (and magnitude of benefits) will be influenced by the development stages of your users in some cases. For example, targeted content of age-inappropriate goods like alcohol that impede physical development. The code’s Annex on age and developmental stages gives guidance on considerations across children’s development stages. Our “creating age-appropriate mindsets” workshop supports you to think about different user needs for a range of scenarios.
  • Detrimental uses of data. The code’s detrimental use of data standard states that you must not use data in ways that are demonstrably against the wellbeing of children. This is defined by relevant external bodies, for example the Chief Medical Officer and Public Health England. Risks that come with a tangible chance of breaching such standards are intolerable. You should consider any relevant ones for each of the risks to rights you identify. Our Detrimental use of data article can assist you with this.
  • High risk data processing. Certain code standards were included in recognition of the fact that these forms of data processing pose particularly high risks to children. For example, data sharing, profiling, geolocation and connected toys and devices. Our Examples of processing likely to result in high risk details other activities where we believe risks to individuals are particularly high. Whilst this list is not specific to children, it still applies to them. If you are undertaking any of these processing activities, you need to introduce measures to significantly lower these risks, and develop an evidence-base to demonstrate their effectiveness.

Residual risks and overall impact

For the risks identified, you should take all reasonable mitigation measures to ensure they are as low as practically possible. Where there are opportunities to proactively support children’s rights, you should think about how to realise them.

Many such measures are outlined in the code. The best interests framework highlights code obligations and recommendations that are specific to the rights outlined in the framework.

Once you have identified the risk mitigation measures you will implement, you should make a final assessment of the level of “residual risk” to children that remains after you have done so.

After that, you should balance the residual risks to children’s rights against the benefits to them (for each individual element of the service, not as whole). You can then make your overall assessment about whether you are acting in the best interests of children.

Tools and further resources

To understand regulatory standards for children’s wellbeing that you should refer to in order to conform with the code’s Detrimental use standard, see our guidance on common uses of children’s data in online services and relevant codes, regulations and guidance.

Our self-assessment risk tool helps you to assess code-related risk levels within your organisation.

For further guidance on understanding risks associated with artificial intelligence, see our AI and data protection toolkit.