The ICO has published a report of its findings of a review which took place over six months last year of over 40 participant financial services firms’ use of children’s’ data.
Providers of products aimed at children, such as current and savings accounts, ISAs and prepaid cards, took part in the review.
The findings are set out under the following heads:
- Governance – although most firms had specific policies on children’s data in place, often they were not reviewed over time; less than 20% of participants delivered specific training regarding handling children’s data
- Transparency – only half of participants reported having age-appropriate privacy information, however this was often ineffective, lacking age-appropriate language or engaging descriptions of information use; moreover information provision was often a one-shot exercise, and not revised as the child got older
- Use of information – often the parent’s consent was used as the basis for use, but this consent was not reviewed as the child got older
- Individual rights – the low incidence of children seeking to exercise their rights seems to be associated with some poor practices, for example employing arbitrary age limits in dealing with requests rather than assessing an individual child’s own competence
- Age verification – this was found to be robust across the board
- Contact and Marketing – although most firms had policies in place preventing marketing to children, often little distinction was made between parents and children in terms of contact details, leading to a risk of breaching communication and marketing requirements.
