UK Information Commissioner’s Office publishes review into use of children’s data by financial services

April 8, 2025

The Information Commissioner’s Office (“ICO”) has published a review into the gathering of children’s data from services supplying them with current accounts, savings accounts, trust accounts, ISAs and prepaid cards. Given the greater, and long overdue, concern about children’s privacy, it is prudent to look at the review and consider what is being done in Australia. What is clear is that an organisation that fails to maintain proper standards will face acute embarrassment if, after a data breach or other issue, the regulator reviews its processes and procedures. The Privacy Commissioner now has powers to issue infringement notices and compliance notices rather than going to the delay and expense of long, drawn-out investigations and civil penalty proceedings, and this is a factor organisations should consider carefully.

Some of the findings from the review are:

  • 69% of participants had policies and procedures in place to control the use of children’s data;
  • only 67% of those organisations proactively monitored compliance with their policies and procedures.
  • 45% of participants had limited assurance that staff are processing children’s information in line with internal or even legislative requirements.
  • only 14% of participants had assigned responsibility for children’s data in policy or relevant job descriptions
  • while 97% of participants provided staff with general data protection training, only 18% of participants included content about the use of children’s personal information
  • while 49% of participants say they provided children with age appropriate privacy information, less than a quarter of all participants have carried out any testing to check how easily children would understand their privacy information
  • only 36% of children’s savings account products which are opened by parents but transferred to the child at 16 provided the child with privacy information during the transfer process
  • When opening a child owned savings account, 83% of participants provided children with privacy information
  • 5% of participants also required children to acknowledge that they have read the privacy information, usually recorded by signing the application form
  • only 11% of these participants actually carried out any assessment as to whether children are competent enough to understand their notice
  • 66% of participants indicated it would be the parent’s (where they are present) responsibility to ensure the child understood privacy information and no attempt would be made to confirm the child understood the privacy information
  • 66% of participants reviewed the categories of information they collect on a regular basis to make sure it is limited to what is necessary
  • 40% of participants collected special category data, limited to health data, which will only be processed having obtained explicit consent.
  • 24% of participants relied on consent obtained from the child to process their information for specific purposes. However, 42% of those participants relied on acknowledgement of information provided within privacy information or key facts documents to obtain the consent. This did not meet the requirements of the UK GDPR
  • 88% of participants had no process in place to assess a child’s understanding of their data protection rights. For 34% of these participants this was because they had preset age limits which determined whether a child was able to exercise their rights or not. In most cases this age limit was set at 13 years old although some participants had set this age as high as 16 years old.
  • 20% of participants who offer products which process children’s information, but are controlled by parents, did not allow children to access their information or exercise this right at any age
  • 96% of participants had an embedded process for verifying the age of children when an account is opened
  • 63% of participants had a policy in place to govern communications provided to children, including marketing material. For 83% of participants the policy prohibited the provision of marketing material to children.
  • 75% of participants provided communications which included general information about the service provider and also administrative account information. 29% of participants provided communications containing general organisational administrative information. 8% of participants provided marketing communications to children
  • 33% of participants had a process in place to regularly update the contact information they hold
  • Only 8% of participants required children to have access to their own email and/or phone to enable them to open an account; however, if children did have these, then this information was recorded in the majority of cases where the child has some control over the account (current or savings accounts). 76% of participants used parents’ contact information such as email or phone to provide communications.
  • Of the participants who do allow marketing to children, 75% of them included opt in and opt out options on the account application form.  The remaining 25% of participants sought consent from the parent only.

The Executive Summary provides:

In 2022 the Information Commissioner set out his vision for the regulator we want to be in his ICO25 strategic plan. This plan will empower organisations to use information responsibly and confidently, to invest and innovate and empower people to confidently share their information to use the products and services that drive our economy and our society.

The pace of technological change and innovation means the landscape we regulate is constantly transforming. To empower and support organisations we need to maintain our understanding of how these transformations are being implemented. As part of the ICO25 strategic plan, the ICO’s Assurance department approached organisations within the financial services sector to review their processing of information. 

The review looked at two main areas:

    1. The use of children’s data
    2. The use of AI and automated decision making.

We were also keen to collect the views of organisations within the sector about their experiences of implementing good data protection practice, compliance challenges, competing regulatory or legislative priorities and any general data protection concerns.

Recital 38 of the UK GDPR says that

“children merit specific protection with regard to their personal data, as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data.”

For these reasons children are identified as a vulnerable group within the ICO25 strategic plan and protecting them through the responsible use of their information is a current priority. The ICO has already published a guide to using children’s information however, this report contains themes and findings drawn from the information provided by a range of organisations within the financial services sector, who offer products and services to children. It does not name or otherwise identify any individual participant. The report highlights good practice as well as areas of risk, or where improvements may be needed. 

The findings of the review of the use of AI and automated decision making in the financial services sector are contained in a separate report.

Methodology

From March to September 2024, we gathered information about the processing of children’s data from participants and in particular those who supply current accounts, savings accounts, trust accounts, ISAs and prepaid cards to children or that use children’s data for their administration. This was done using a mix of questionnaires and direct engagement which provided the views of over 40 organisations (participants).

Several participants provided access to their key documents to support the review process. Where participants engaged directly, we held interviews with key staff who have responsibility or involvement in processing children’s data.

The review of children’s data processing focussed on the following areas:

    1. Governance
      The measures in place to control the processing of children’s data.
    2. Transparency
      The information given to children which tells them what their data will be used for.
    3. Use of information
      What information is processed, for what purpose and which lawful basis is used.
    4. Individual Rights
      How individual rights relating to children’s data are handled, whether received from children, parents or other third parties.
    5. Age Verification
      The methods used to identify, and verify the age of, children.
    6. Further contact and marketing
      How children are contacted about their accounts and information provided to them about other products and services.

The review focussed on these areas with all participants so that common themes could be identified and included in this report for the benefit of other organisations who carry out similar processing. 

This report summarises: 

    • evidence of good practice;
    • evidence of risks to data protection compliance; and
    • instances where we found that improvements may be necessary to data practices.

Key Findings

Children are important customers for many financial services. Several participants highlighted children’s products as a key area of focus for development as they represent the future customer base for the wider range of products and services offered. The review of processing of children’s data provided the following key findings.

Governance

Most organisations had policies in place to control the use of children’s information. However, there was limited monitoring of compliance with these policies. Nearly all organisations provided data protection training to staff however, less than a fifth included specific training about the use of children’s information.

Transparency

Only half of organisations reported having age appropriate privacy information. However, following our review the number that we considered to have effective age appropriate privacy information was lower. The examples of privacy information that were suitable for children included age appropriate language and engaging descriptions of how organisations use their information.

The approach taken by several organisations appears to have passed their own transparency responsibilities onto parents. As a result, there was a significant risk that children are recorded as agreeing to terms and conditions or privacy information that they do not actually understand. Providing privacy information was also often a onetime only exercise and is not revisited as children age and their understanding increases.

Use of information

Most organisations regularly reviewed the categories of children’s data collected to ensure it was limited to what is necessary, particularly for special categories of data. There were effective controls in place to prevent excessive data collection or purpose creep across all organisations observed. 

Consent was used for some purposes for processing however, some organisations asked for parents to provide the consent on behalf of their child in the first instance but failed to keep this consent under review. This means as the child gets older and their ability to understand the processing for themselves increases, the original consent is likely to become invalid until it is refreshed and obtained from the child. 

Individual rights

Respondents reported that requests to exercise the individual rights set out in UK GDPR by, or on behalf of, children are infrequent and low in volume. However, as a result of the issues found with explaining privacy information and their rights to children, parents’ wishes often, unfairly, supersede those of children. In several cases the decision whether to accept requests for children’s information from the child or their parent is made using a predetermined age limit rather than an assessment of the child’s competence.

Age verification

Processes to verify the age of children were robust across all organisations.

Contact (including marketing)

Many organisations provided administrative communications. Nearly all had a policy that prevents marketing to children. There is limited distinction between parents and children when communications were provided, which was sometimes based simply on whose contact information is available. This creates a high risk of non-compliance with communications and marketing requirements.
