The Information Commissioner’s Office has published the Age-Appropriate Design Code (the Children’s Code).

In what circumstances does the Children’s Code apply?

The Children’s Code defines “children” as people aged under 18 years. The Children’s Code applies where the University provides “information society services” which are likely to be accessed by children. This definition is likely to include children who are prospective or current undergraduate students (typically aged 16 and 17 years).

“Information society services” are services normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services. This definition is likely to include the University’s e-learning platforms. Websites which only provide information about a real-world organisation or service are not caught by this definition.

What are the requirements of the Children’s Code?

We comply with the standards set out in the Children’s Code:

1. The best interests of the child are the primary consideration when we design and develop online services.
2. We conduct Data Protection Impact Assessments to assess and mitigate risks to the rights and freedoms of children who are likely to access our services, and we take into account children’s differing ages, capacities and development needs.
3. We take a risk-based approach to recognising the age of individual users and treat children accordingly.
4. Our privacy notices are concise, prominent and use clear language suited to the age of the child.
5. We must not use children’s personal data in ways that have been shown to be detrimental to their wellbeing or that go against industry codes of practice, other regulatory provisions or statutory guidance.
6. We uphold our published terms, policies and standards.
7. Our settings are ‘high privacy’ by default except where we can demonstrate a compelling reason for a different default setting.
8. We collect and maintain the minimum amount of personal data needed to provide the elements of our service in which a child is actively and knowingly engaged.
9. We do not share children’s personal data unless we can demonstrate a compelling reason to do so taking into account their best interests.
10. We switch geolocation options ‘off’ by default unless we can demonstrate a compelling reason to switch them ‘on’ by default.
11. We will give children age-appropriate information about any ‘parental controls’ that we provide.
12. We switch profiling options ‘off’ by default unless we can demonstrate a compelling reason to switch them ‘on’ by default, and we only allow profiling where appropriate measures are in place to protect the child from any harmful effects.
13. We do not use ‘nudge techniques’ to lead or encourage children to provide unnecessary personal data or weaken or turn ‘off’ their privacy protections.
14. We include effective, prominent and accessible tools to help children to exercise their data protection rights and to report concerns (including in any toys or devices which we may provide).

What are the key considerations if working with children aged 16 or 17 years?

By this age many children have developed reasonably robust online skills, coping strategies and resilience. However they are still developing cognitively and emotionally and should not be expected to have the same resilience, experience or appreciation of the long term consequences of their online actions as adults may have.

Technical knowledge and capabilities may be better developed than their emotional literacy or their ability to handle complex personal relationships. Their capacity to engage in long term thinking is still developing and they may still tend towards risk taking or impulsive behaviours and be susceptible to reward based systems.

Parental support is more likely to be viewed as one option that they may or may not wish to use, rather than as the preferred or only option, and they expect a reasonable level of autonomy. Signposting to other sources of support in addition to parental support is important.

If relying on consent as a lawful basis for processing in the context of offering an online service directly to a child, UK children aged 16 or 17 years can provide their own consent to the processing of their personal data.