With the ICO’s Children’s Code being  brought into effect last year, it is now a legal requirement that organisations that deal with children’s data uphold their rights as a priority, according to Article 1 of the Code. As a part of this, the ICO have published their ‘Best Interests of the Child Self Assessment’ tool, which provides guidance and information on how to ensure that if you are collecting children’s data, or plan to do so, that you are acting in the best interests of the children whose data you are collecting, as well as in accordance with the United Nations Convention on the Rights of the Child (UNCRC).

Below I go through the Self Assessment tool and the information it provides, please note that you can find the ICO’s full guide by clicking here, where you will find additional information, templates and guides.

Best Interests of the Child Overview

The Children’s code is formally known as the Age-Appropriate design code, and its aim is to “support organisations to design digital services that meet children’s needs, respect their rights, and help them to explore, play and grow online.” The requirement for organisations to act in the best interests of children comes from Article 3 of the UN Conventions on the Rights of the Child, where it states that:

“In all actions concerning children, whether undertaken by public or private social welfare institutions, courts of law, administrative authorities or legislative bodies, the best interests of the child shall be a primary consideration.”

The code creates a standard for ensuring the child’s best interests are upheld, and this standard can be split into three parts. The first is ensuring that when you are processing children’s data, their best interests are a primary concern, and any commercial interests that go against this should not be pursued. Where these conflicts may exist, the best interests of the child are upheld. Next, the code states that you should use the UNCRC as the basis for your assessment. Using the UNCRC will give you details on what it means to act in the best interests of children when processing their data, and allow you to design your digital services with these practical considerations in mind. The UNCRC also provides a list of the rights that children have that you must uphold, and means that you can assess how your proposed processing of their data supports as well as poses certain risks to their rights. Data Protection Impact Assessments should also be used to assess how you use children's data, and the risks that the processing poses to their rights. DPIA’s also allow you to map out the steps you can and should take to mitigate these risks.

The ICO recommends that the following 4 steps are followed to complete a best interest of the child self assessment:

Step 1- Understanding Rights: Gain a deeper understanding of the rights children hold under the UNCRC, which you will need to consider to assess whether you are acting in their best interests.

 Organisations should consider all of the rights that should be upheld in relation to their sector and the types of data that they are collecting. An example of this is the Education technology sector, who are required to consider how their processing of children’s personal data is in their best interests, in relation to Article 28 on the right to education. There are a vast range of children’s rights in relation to data that must be upheld, and the ICO have put them into 3 top level categories, which are as follows:

 

1. Self- Data processing should respect children's rights to physical and emotional wellbeing and development. It should also support their evolving capacity to form and express their own identity, boundaries and sense of self.
2. Support- Data processing should respect children's rights to have access to resources that support them to develop and flourish. These resources include family bonds and guardianship, economic and social capital and legal rights that support their right to participate in decisions that have a bearing on their life.
3. Society- Data processing should respect the rights of groups of children, including those with vulnerabilities and specific needs. It should acknowledge that children have a stake in society's shared resources and institutions.

Step 2- Identifying Impacts: Consider how your use of children’s data impacts on their rights, mapping the demographics of children that use your services and how, why and when your service processes children’s data.

After this mapping you should identify any potential impacts your product or service might pose to the rights of the child. The best interests framework will help you understand how certain data processing activities can affect the rights of the child.

In order to conduct a full and comprehensive assessment, you need to have a complete understanding of how, when, where and why you process children’s personal data. Only then can you fully know the risks that processing might pose to children’s rights, and therefore the steps that you can take to mitigate those risks. As well as this, you need to know which areas of the service you are providing shape how parents, as well as children engage with the processing of their data. This is to ensure that you are complying with the service design-related standards within the code.

Step 3- Assess Impacts: Your assessment should consider the likelihood and severity of potential impacts to the rights of the child. Your assessment must be evidence based, however you have freedom to use the approaches and evidence sources that are best suited to your context.

The ICO’s  self-assessment risk tool helps you to assess code-related risk levels within your organisation.

 

• Now that you have identified potential impacts on children’s rights you must assess the likelihood of these impacts occurring, and the magnitude of these impacts on children if they do. You can do this whichever way works best for your organisation, however the ICO have created the self-assessment risk tool as a template to help.

Once you have a full understanding of the potential impacts on children’s rights your processing of their data may have, it’s important to know how likely it is that these impacts occur, and the possible outcomes on the children if they do end up occurring. The ICO have a self-assessment risk tool, which your organisation can use as a template. You can find this tool by clicking here.

Step 4- Prioritise Actions: Create a plan of action and prioritise how you are going to reduce the risks, and maximise the benefits, to children that have been highlighted in your assessment.

Page two on the self-assessment risk tool will help you here.

It is important to note that the steps in this guidance are not compulsory. You have the freedom to adapt the approach described to ensure it works in your context – as long as you can demonstrate that you have thoroughly considered the best interests of the child, and ensure this assessment informs your data protection impact assessment.

Please take a look at the ICO's full guidance on the rights of the children self assessment, where you will find additional toolkits, links, tips and guidance on how to conduct your self assessment.