Control measure: There are measures in place to ensure that if children’s personal information is shared with others, it is done so in a fair and transparent manner.
Risk: Without appropriate measures, checks and balances in place to govern the potential and actual sharing of children's information, there is a risk of harm, detriment or unlawful disclosure and a breach of articles 5 (1) & (2) of the UK GDPR.
Ways to meet our expectations:
- Provide privacy information to children that makes it clear what, when and who you might share their personal information with.
- Ask senior management to authorise all sharing decisions and document their authorisation.
- Consider and document all the relevant issues and risks to the child associated with any data sharing and ensure you fully mitigate these risks.
- Confirm that the ‘best interests of the child’ are a primary consideration whenever you share children’s personal information.
- Conduct an assessment of the legality of the sharing.
- Undertake due diligence checks with any third parties you share information with to check the adequacy of their data protection practices and limit any further distribution of the information.
- Give children the option to opt out of the sharing of their information, if this is not a core function of your service.
Options to consider:
- When you share children’s information, provide them with explanations in a range of ways that will meet their differing needs and that they will engage with and understand.