The ICO exists to empower you through information.

  • To help you conceptualise and navigate the range of rights children hold under the United Nations Convention on the Rights of the Child (UNCRC), the Children’s code best interests framework highlights the rights most likely to be impacted by data processing. The ICO has grouped these rights into three overarching categories to help you conceptualise them:
  • Self: Data processing should respect children's rights to physical and emotional wellbeing and development. It should also support their evolving capacity to form and express their own identity, boundaries and sense of self.
  • Support: Data processing should respect children's rights to have access to resources that support them to develop and flourish. These resources include family bonds and guardianship, economic and social capital and legal rights that support their right to participate in decisions that have a bearing on their life.

Society: Data processing should respect the rights of groups of children, including those with vulnerabilities and specific needs. It should acknowledge that children have a stake in society's shared resources and institutions.

Download the Children’s code best interests framework to explore the rights children hold under the UNCRC, reflect on how data processing impacts on them, and understand code recommendations for addressing these impacts.

For simplicity we have not included some UNCRC articles which we believe are less likely to be relevant in the Children’s code context. However, you may need to consider them in a limited number of scenarios, depending on the nature and purpose of your service. To view the full list of children’s rights, refer to the full UNCRC.

The following sections highlight relevant framework content for a number of children’s data processing activities that are commonly practiced by online services covered by the code. The framework highlights both risks to children’s privacy and risks that arise from the use of children’s data. These are referred to as privacy risks and data related risks respectively.