The ICO’s Assurance department has recently approached organisations in the financial services sector to review how they process information. The review looked at how they use children’s data and how they use AI and automated decision making.
The ICO also wanted to gather views on experiences of implementing good data protection practice, compliance challenges, competing regulatory or legislative priorities and any general data protection concerns.
Recital 38 of the UK GDPR says that
“children merit specific protection with regard to their personal data, as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data.”
The ICO23 strategic plan identifies children as a vulnerable group and protecting them through the responsible use of their information is a current priority.
The review of children’s data processing focussed on the following areas:
- Governance: the measures in place to control the processing of children’s data.
- Transparency: the information given to children which tells them what their data will be used for.
- Use of information: what information is processed, for what purpose and which lawful basis is used.
- Individual Rights: how individual rights relating to children’s data are handled, whether received from children, parents or other third parties.
- Age Verification: the methods used to identify, and verify the age of, children.
- Further contact and marketing: how children are contacted about their accounts and what information is provided to them about other products and services.
The review focussed on these areas with all participants so that common themes could be identified and included in the report for the benefit of other organisations who carry out similar processing. It summarises evidence of good practice; evidence of risks to data protection compliance; and instances where the ICO found that improvements may be necessary to data practices.
Key findings
Children are important customers for many financial services. Several participants highlighted children’s products as a key area of focus for development as they represent the future customer base for the wider range of products and services offered. The review of processing of children’s data provided the following key findings.
Governance
Most organisations had policies in place to control the use of children’s information. However, there was limited monitoring of compliance with these policies. Nearly all organisations provided data protection training to staff. However, less than a fifth included specific training about the use of children’s information.
Transparency
Only half of organisations reported having age-appropriate privacy information. However, the ICO said the number that it considered to have effective age-appropriate privacy information was lower. The examples of privacy information that were suitable for children included age-appropriate language and engaging descriptions of how organisations use their information. The ICO said that the approach taken by several organisations appeared to have passed their own transparency responsibilities onto parents. As a result, there was a significant risk that children are recorded as agreeing to terms and conditions or privacy information that they do not actually understand. Providing privacy information was also often a one-time-only exercise that is not revisited as children age and their understanding increases.
Use of information
Most organisations regularly reviewed the categories of children’s data collected to ensure it was limited to what is necessary, particularly for special categories of data. There were effective controls in place to prevent excessive data collection or purpose creep across all organisations observed. Consent was relied on for some processing purposes. However, some organisations asked parents to provide the consent on behalf of their child in the first instance but failed to keep this consent under review. This means that as the child gets older and their ability to understand the processing for themselves increases, the original consent is likely to become invalid until it is refreshed and obtained from the child.
Individual rights
Respondents reported that requests to exercise the individual rights set out in UK GDPR by, or on behalf of, children are infrequent and low in volume. However, as a result of the issues found with explaining privacy information and their rights to children, parents’ wishes often, unfairly, supersede those of children. In several cases the decision whether to accept requests for children’s information from the child or their parent is made using a predetermined age limit rather than an assessment of the child’s competence.
Age verification
Processes to verify the age of children were robust across all organisations.
Contact (including marketing)
Many organisations provided administrative communications. Nearly all had a policy that prevents marketing to children. The ICO noted that there was limited distinction between parents and children when communications were sent, which was sometimes based simply on whose contact information was available. This creates a high risk of non-compliance with communications and marketing requirements.
The findings of the review of the use of AI and automated decision making in the financial services sector are contained in a separate report.