6 July 2023
Safeguarding Children in the Digital Age
By Jess Pembroke, Head of Data Protection
In today’s tech-dominated world, where multinational corporations spare no expense in targeting children directly with their alluring technologies, devices and apps, it’s crucial to shed light on the ethical implications and potential harms that arise from the associated endless data collection. One of the main challenges is that these apps and devices are being pushed by both private and public sector companies, into all aspects of life including schooling. The UK Ed tech marketing is thought to be worth £3.5 billion and the volume of data collected through that market is valuable on a different measure than money. This article explores the role of data protection legal requirements in preserving the rights and safety of children, highlighting the need to prioritise their best interests over profit-driven practices.
With the rapid advancement of technology, our children are exposed to an array of devices that collect their personal data, raising concerns about the long-term effects on their mental and physical well-being. Research indicates that extended screen time can lead to health issues such as obesity, diabetes, and even high blood pressure. Moreover, excessive screen use disrupts sleep patterns, potentially affecting both health and cognitive development. Astonishingly, children in the UK now spend upwards of 4 hours every day engrossed in screens, highlighting the urgency of addressing this growing concern.
While online platforms have connected people worldwide, they also pose risks for young users. Social media giants like Facebook and TikTok have faced criticism for their detrimental effects on children’s self-esteem, contributing to increased rates of anxiety, depression and body image issues. Instances of dangerous content surfacing on these platforms, including references to suicide and eating disorders, further illustrate the need for vigilance and protective measures. Additionally, the shift from in-person interactions to online connections can result in a loss of genuine human connection, potentially amplifying the negative impact on children’s well-being.
The pervasiveness of smart devices in our lives has normalised a culture of constant surveillance. Smart speakers in our homes are always listening for commands, and raise concerns about privacy and data security. The National Cyber Security Centre (NCSC) advises people to adjust their settings after purchasing devices, as there have been instances of attackers posing as Father Christmas and engaging in conversations with young girls. This emphasises the importance of maintaining privacy and security measures on an individual level, but do these tech giants do enough to ensure people are aware of how wide these devices and the data they collect can reach? Companies are primarily focused on profiting from the data they gather rather than the devices themselves. It is essential to be mindful of the trade-offs between technology’s benefits and the potential downsides, and not simply assume that surrendering personal data is always worthwhile for a quick solution or fix.
Data protection legal requirements have a vital role in safeguarding the rights and well-being of children in the digital age. The UK/EU General Data Protection Regulation is built upon the objective of safeguarding human rights. It acknowledges the specific need for protecting children’s personal data, considering their limited awareness of risks, consequences and safeguards. Organisations are obligated to prioritise the best interests of the child when handling their data, adhering to principles such as informed consent, transparency and data minimisation.
In line with the GDPR, the Information Commissioner’s Office (ICO) has issued the Children’s Code, which provides additional guidance and recommendations for organisations processing children’s personal data. The code requires Organisations to consider the broader risks to the rights and freedoms of children that may arise from their processing, encompassing potential material, physical, psychological, or social harm. The code highlights the importance of designing services with the child in mind, incorporating privacy by design and defaulting to privacy-enhancing settings. Complying with the ICO Children’s Code enables organisations to create a safer and more child-centric digital environment.
All organisations should respect and acknowledge the wider benefits of compliance with GDPR and data protection laws and guidance. We need to shift organisational thinking away from seeing it as an obstacle to achieving objectives or a box ticking exercise and start recognising that these measures are there to protect society including the most vulnerable. Unfortunately, this burden mostly falls on the Data Protection Officer/Information Governance Practitioner in the organisation, who often is a lone (maybe even ignored) voice in terms of data ethics.
In my experience, some of the ways to bring the organisation on a journey towards ensuring compliance with wider privacy and data ethics issues are to:
- Advocate and consult: Ensure that data subjects are consulted before any new project involving processing of any data (especially children’s data) commences. This consultation is a requirement of a Data Protection Impact Assessment, but many organisations do not undertake it at all or very well.
- Promote Inclusion: Ensure that there are options for those who might not have (or wish to have) online access/presence or devices because often the only choice is to avoid altogether.
- Enhance Privacy by Default: Look to the Childrens Code and other guidance (including internationally) to see what we can do to build privacy enhancing services/options from the start e.g., ensuring Geolocation tracking switched off by default.
- Challenge Data Processors: Undertaking a due diligence process on suppliers, asking them to outline if they are covered by the children’s code and, if so, what assurances can they provide. Even if a supplier isn’t covered by the children’s code scope, if they are processing children’s data, do they have something as simple as a child friendly privacy notice?
- Respect People’s Rights: Make sure that any software, project, or systems have the capacity to and do actually comply with any requests for access and erasure.
- Educate and Share Knowledge: There is a range of excellent resources such as internetmatters.org; getsafeonline.org and nspcc.org.uk/keeping-children-safe/online-safety. Try and tap into people’s wider world and speak to them as a parent or from a wider ethical perspective.
Finally, I offer a plea to all Data Protection Officer/Information Governance Practitioners, to not give up or get disheartened. Good data protection is worth fighting for and the generations of the future may thank you for it.
Jess is a data protection and legal compliance specialist with over 14 years’ experience in senior roles within the public, financial and professional services sectors Jess has a Masters in Information Rights Law and qualifications in audit, risk management and cyber security.
Naomi Korn Associates offer a range of data protection services to help organisations with their data protection responsibilities so that it is managed legally, safely and strategically. We conduct audits relating to Children’s Code Compliance and more general Data Protection Compliance. For more information contact firstname.lastname@example.org.
 Recital 38, General Data Protection Regulations