Protecting children’s personal data online – how the ICO can help

Parents
21 July 2022
Julia Cooke
Julia Cooke is a Principal Policy Adviser in the Regulatory Futures team at the Information Commissioner’s Office (ICO). She currently works on policy issues at the intersections of data, children’s rights and emerging technologies. Her current areas of focus include the best interests of the child and the use of age assurance technologies. 
The UK’s data protection regulator, the Information Commissioner’s Office (ICO), is helping children and young people understand the power of their personal data as they learn, play and socialise online.

The ICO created the Children’s code, a world-leading data protection code of practice for online services (such as apps, online games and web and social media sites) likely to be accessed by children. The code sets out 15 standards that online services must meet in order to comply with data protection law and to protect children in the digital world.

What does this mean for pupils?

The ICO has created lesson plans and worksheets to teach primary and secondary school pupils how to protect their privacy online and how they can control what online companies and platforms know about them. The resources explain what counts as personal data, how to protect it and how to keep it private on social media. They cover the UK curriculum and you can download them for free from the ICO website.

The ICO recently added a set of lesson plans specifically on the Children’s code. Teachers can use these lesson plans to help children identify where they can go for support. They include detail on what children should do if they suspect an app, game or website is misusing their data or not conforming to the code.

What does this mean for parents?

1. Talk to your children about respect and relationships online

Talk to your children to explain what is expected of them and their friends in online spaces. You should show them how to report any unacceptable behaviour they see or experience. ChildNet has a helpful guide showing you how to report on some of the most frequently used platforms.

Safer Internet Day has tips, videos and activities to help guide you through these conversations.

The Children’s code states that online services should set privacy at high by default. Children can change these settings, so talk with your child about keeping their privacy set to high. This gives them more control over who they share their data with, and who can engage with them online.

2. Look at the platforms’ community and behaviour standards

Many online platforms have community and behaviour standards that set out how their service operates – the ICO’s Children’s code says that these policies should be accessible to parents and children.

These policies also set out what you can expect if users don’t follow behaviour or community standards. Internet Matters’ advice page includes a list of the community standards from the most popular social media sites, live streaming platforms and gaming apps.

3. Raising your concerns

If you’re unhappy with how an organisation has handled your complaint, you have the right to raise a concern. We believe that the organisation responsible should deal with it. We expect them to take your concern seriously and work with you to try to resolve it.

If online platforms and services don’t actively uphold or enforce their own rules and conditions, then you have the right to make a complaint to the ICO.

What does this mean for schools?

Schools themselves do not fall under the scope of the code. However, many of the services schools buy in do fall in scope. Schools need to do due diligence on any technology providers they enter into agreements with to understand what processing happens and that children’s data is protected from commercial purposes. They should seek assurances that these providers conform with the code. Schools can seek advice on this from their data protection officer. We have more detailed information in our FAQs for education technologies (edtech) and schools.

Schools must still always ensure their use of children’s data and activities comply with the UK GDPR and Data Protection Act 2018. You can find more information on the Children’s code on the ICO’s website.