The ICO exists to empower you through information.

After you have assessed the impacts of your service’s data processing on children’s rights, and identified actions to address them, you must put them into practice. Specifically, you should:

  1. Implement a plan for regularly testing measures you implement for supporting, or mitigating risks to, children’s rights. Translate your assessment into engineering roadmaps and wider business transformation plans and success metrics. Consider approaches to promote thinking around children’s best interests at every stage of your organisation’s design cycle.
  2. Consult with the ICO on any areas where residual risks are high (after mitigation measures are considered). Don’t process children’s data until you have done so. This is a legal requirement under UK data protection law.
  3. Think about how best to communicate risks identified to your service users. This ensures you conform with the code’s Transparency standard. This standard states that children and parents must be given accessible information. This allows them to make informed decisions about whether to provide data to your service, including the risks and benefits inherent in doing so.
  4. Ensure you review your best interests assessment on an ongoing basis. You should do this whenever you introduce new data-enabled services or product features that are likely to have a significant impact on children’s rights. It is also good practice to set regular periodic reviews to ensure your assessments are still accurate.

You should never treat a best interests assessment as a superficial tick-box exercise. It should be one aspect of your wider commitment to risk management and accountability. Your focus should be on substantively assessing the best interests of children.

Regulators, business partners, children and parents need to see that you are using children’s data responsibly, if you want to earn their trust. This can enhance your reputation and give you a competitive edge, helping your business to thrive and grow.

To demonstrate your accountability you can do the following:

  • Integrate your children’s best interests assessment into your organisation’s wider governance and risk management processes. For example, within your information risk policy, organisational and departmental risk registers, equality and rights impact assessments.
  • Help staff within your organisation escalate data protection concerns about children’s data use. For example, staff forums or anonymous reporting lines.

Tools and further resources

Our Accountability framework provides general guidance on how to embed responsible practice in your organisation, and demonstrate your compliance with data protection law.