The ICO exists to empower you through information.

Data sharing and children

Share Download options

Pages

Format

At a glance

If you are considering sharing children’s personal data, you must take extra care.

You may share children’s personal data as long as you can demonstrate a compelling reason to do so, taking account of the best interests of the child. The best interests of the child should be a primary consideration.

You should build all this into the systems and processes in your data sharing arrangement. A high level of privacy should be your default.

Sharing children’s data with third parties can expose them to unintended risks if not done properly.

You should carry out a DPIA to assess and mitigate risks to the rights and freedoms of children, which arise from your data sharing.

What do we need to bear in mind when sharing children’s data?

The best interests of the child should be a primary consideration. This concept comes from the United Nations Convention on the Rights of the Child (UNCRC), which declares that “In all actions concerning children, whether undertaken by public or private social welfare institutions, courts of law, administrative authorities or legislative bodies, the best interests of the child shall be a primary consideration.” In essence, the best interests of the child are whatever is best for that individual child.

Things you should consider:

  • You may share children’s personal data as long as you have a compelling reason to do so, taking account of the best interests of the child. One clear example of a compelling reason is data sharing for safeguarding purposes; another is the importance for official national statistics of good quality information about children. However, selling on children’s personal data for commercial re-use is unlikely to amount to a compelling reason for data sharing. Even if you have a compelling reason for sharing children’s personal data, you must still carry out a DPIA, because children are a vulnerable group.
  • Use a DPIA to assess and mitigate risks to the rights and freedoms of children, which arise from your data sharing.
  • You have to balance the best interests of the child against the rights of others. For example, it is unlikely that the commercial interests of an organisation will outweigh a child’s right to privacy.
  • Considering the best interests of the child should form part of your compliance with the lawfulness, fairness and transparency requirements. Is it fair to share the child’s data? What is the purpose of the sharing?
  • Children are less aware than adults of the risks involved in having their data collected and processed, so you have a responsibility to assess the risks and put appropriate measures in place. Where appropriate, consider children’s views when designing your data sharing arrangement.
  • Children’s vulnerability means that the risks in sharing their data may be higher than in the similar processing of adults’ data.
  • The privacy information you provide must be clear and presented in plain, age-appropriate language.
  • You should carry out due diligence checks on the organisations with which you are planning to share data. You should consider what the organisation you are sharing the data with plans to do with it. If you can reasonably foresee that the data will be used in a way that is detrimental to the child, or otherwise unfair, then you shouldn’t share.
  • You should ensure that any default settings relating to data sharing specify the purpose of the sharing and who the data will be shared with. Settings which allow general or unlimited sharing are not compliant.
  • Consent is not the only lawful basis to use. Other lawful bases might be more appropriate.
    • If you are relying on consent, you must consider the competence of the child to give their own consent, and whether that consent is freely given (eg where there is an imbalance of power).
    • You should also consider the child’s competence if you are relying on the lawful basis that the sharing is necessary for the performance of a contract.
  • If you (or another data controller in the data sharing arrangement) are a provider of an online service likely to be used by children then you also need to conform to the Age Appropriate Design Code.

Further reading