The Children’s Code came into force on 02 September 2020 with a 12-month transition period. Therefore, the deadline has now passed for organisations to ensure compliance.
It is important to note that the Code is not restricted to services specifically directed at children. The Code applies to you if you provide information society services (ISS). For example, if you provide online products or services that process personal data and are likely to be accessed by children, including:
There are circumstances where the Code does not apply because the service being offered does not fall within the definition of an ISS. For instance, if a public authority provides an online public service that is not provided on a commercial basis, that service would not be deemed a relevant ISS and therefore, the Code will not apply.
The ICO has provided some guidance on the services that are covered by the Code and those that are exempt. The guidance can be accessed by clicking on the following link: https://ico.org.uk/for-organisations/guide-to-data-protection/key-data-protection-themes/age-appropriate-design-a-code-of-practice-for-online-services/services-covered-by-this-code/
The Code sets out 15 standards that all ISS must comply with. We have provided details of each in the table below:
| Standard | How to comply |
|---|---|
| Best interest of the child | The best interests of the child should be a primary consideration when designing and developing online services that are likely to be accessed by a child. |
| Data protection impact assessments (DPIA) | Undertake a DPIA to assess and mitigate risks to the rights and freedoms of children who are likely to access your service. |
| Age-appropriate application | Take a risk-based approach to recognise the age of individual users and apply the standards set out in this table. |
| Transparency | Information provided to users (including your policies and community standards) must be concise, transparent and suited to the age of the child. |
| Detrimental use of data | Do not use children’s personal data in ways that have been shown to be detrimental to their wellbeing, or that go against industry codes of practice, regulatory provisions or Government advice. |
| Policies and community standards | Uphold your own published terms, policies and community standards. |
| Default settings | Unless you can demonstrate a compelling reason for a different default setting, settings must be ‘high privacy’ by default. |
| Data minimisation | Collect and retain only the minimum amount of personal data you need to provide the elements of your service in which a child is actively and knowingly engaged. |
| Data sharing | Children’s data should not be disclosed unless you can demonstrate a compelling reason to do so, whilst taking into account the best interests of the child. |
| Geolocation | Switch geolocation options off by default (unless you can demonstrate a compelling reason for geolocation to be switched on by default, taking into account the best interests of the child). Options that make a child’s location visible to others must default to ‘off’ at the end of each session. |
| Parental controls | If you provide parental controls, give the child age-appropriate information about this and let them know they are being monitored. |
| Profiling | You should only allow profiling if you have appropriate measures in place to protect the child from any harmful effects and switch options that use profiling ‘off’ by default unless you have a compelling reason not to do so. |
| Nudge techniques | Do not use nudge techniques to lead or encourage children to provide unnecessary personal data or weaken or turn off their privacy protections. |
| Connected toys and devices | If you provide a connected toy or device ensure you include effective tools to enable conformance to the Code. |
| Online tools | Provide prominent and accessible tools to help children exercise their data protection rights and report concerns. |
As part of the Data Protection Act (DPA) 2018, non-compliance with the Age Appropriate Design Code will be treated in much the same manner as violations against other sections of the Act, depending upon the severity of the violation. The ICO’s enforcement methods include:
If you have not already done so, you should start reviewing your existing services to establish whether they are covered by the Code. If they are covered, you should review your existing DPIA or conduct a new one as soon as possible.
When conducting the DPIA, you should focus on assessing conformance with the standards in the Code and identifying any additional measures necessary to conform.
With the compliance deadline now passed, applicable changes to the service should be made as a matter of urgency.
Should you require any support with complying with the Code or wish to discuss the requirements of the Code further, please call us on 01332 226 130 or complete the form below.