ICO publishes report following review into use of children’s data by financial services

Acknowledging that 'more can be done by the financial services sector', the report published by the ICO on 1 April 2025 addresses the processing of children’s data, highlighting good practices, areas of risk, and necessary improvements.

In 2022, the Information Commissioner’s Office ('ICO') outlined a vision for its 2025 strategic plan ('ICO25'), aiming to empower organisations to use information responsibly and confidently.

As part of ICO25, the ICO conducted a review within the financial services sector, focusing on the use of children’s data and the implementation of AI and automated decision-making. This also involved collecting views at an organisational level within the financial services sector about their experiences of implementing good data protection practice, and what challenges/concerns they are currently facing.

The ICO has since published its findings in a report which highlights examples of effective practices, ICO identified risks to data protection compliance and areas where improvements in data practices are needed.

Key points

The report covers several critical areas related to the processing of children's data in financial services, namely:

• Governance. The ICO recognises that organisations have policies and procedures to control the use of children's information, but monitoring compliance of these policies and procedures is limited. Further, only a small percentage of the organisations reviewed by the ICO provide specific training on the use of children's data
• Transparency. Only half of the organisations reviewed by the ICO reported having 'age-appropriate privacy information'. The ICO reports that these statistics are even lower for organisations having age-appropriate privacy information that is 'effective'. In addition, the ICO notes that privacy information often relies on parents, risking children's understanding of terms and conditions
• Use of information. Whilst most organisations reviewed by the ICO have effective controls in place to prevent excessive data collection, the ICO found that parental consent is often not refreshed as children age, therefore leading to potential invalidity
• Individual rights. Respondents to the review reported that requests to exercise individual rights by children are both infrequent and low in volume
• Age verification. The ICO reported that of the organisations reviewed, robust processes were in place for verifying children's ages
• Contact (including marketing). Most organisations reviewed by the ICO were found to have implemented policies preventing marketing to children. However, the ICO recognises that there remains a risk of non-compliance due to reliance on parental contact information and there being a limited distinction between parents and children

What this means for organisations

To ensure compliance and protect children's data, organisations should:

• Clearly define and document responsibilities for processing children's data in their policies and job descriptions
• Develop child-friendly privacy information using clear, plain language and engaging methods (for example, cartoons or videos), and regularly update this information as children age and their understanding of data protection evolves
• Ensure that consent is obtained separately from other terms and conditions and any consent obtained is refreshed regularly
• Assess each data request on its merits, considering the child's best interest, and allow children to exercise their rights where have demonstrated competence
• Make children aware of their rights to object to profiling and marketing

Our views

The ICO makes clear the importance of regular and specialised data protection training, which should be provided to all staff. By implementing the above steps, organisations can better protect children's data, comply with UK GDPR requirements, and foster trust with younger customers and their parents.