Information Commissioner’s Office publishes blog post on data protection impact assessments in relation to the Children’s Code

The ICO has launched a new blog series to support organisations to comply with the Children’s Code. Organisations have until 1 September 2021 to comply.

The first blog post covers data protection impact assessments, reminding all organisations in the scope of the Children’s Code that they are obligated to complete a DPIA. Undertaking a DPIA is one of the standards set out in the Children’s Code and is also a key part of organisations’ accountability obligations under the UK GDPR.

The ICO explains that a DPIA is “a process to help you assess and mitigate the data protection risks of your service to the rights of children who are likely to access it”. In the context of the Code, it is the vehicle through which to assess whether an organisation’s services are designed to support the best interests of children.

The ICO says that a DPIA will help identify and document the questions that need to be answered in order to conform with the Children’s Code. It will also help identify risks and design appropriate changes to mitigate them and conform with the Code, i.e. privacy by design. The ICO says that it can also bring cost savings and broader benefits for both children and the organisation. It reassures parents and builds trust.

When undertaking a DPIA, organisations need to follow the usual DPIA process set out in the ICO’s separate guidance on how to conduct a DPIA, as well as the Children’s Code DPIA standard. The blog post also sets out the steps that organisations should consider taking:

  • describe the processing of personal data planned;
  • consult with children and parents;
  • assess necessity, proportionality and conformance; and
  • assess how the processing undertaken impacts on the best interests of child users.

The ICO encourages publication of the DPIA as a way of demonstrating compliance and building trust and confidence in the service.

The ICO advises completing a DPIA on existing or legacy services now to understand if any changes need to be made in order to comply with the Code. Organisations should also use a DPIA during the early design of any new services before starting to process any personal data.

The ICO says that it will be producing some DPIA examples before the end of the Code transition period. In the meantime, it has published a template that organisations can use. There is also more detail on DPIAs in the ICO’s dedicated guidance on its website.