The CBA Sections agree with the need to include risk assessment in privacy impact assessments (PIAs) involving children and also that Livingstone’s categorization of the 4Cs of online harm to children, related to content risks, conduct risks, contact risks and contract risks offer a helpful categorization of harms to be considered20 The United Kingdom’s Information Commissioner Office has also provided a useful list of harms in their age-appropriate design code at section 2 (Data protection impact assessments).21 They explain that harm can be physical, emotional, developmental or material, and provide some examples:
- physical harm;
- online grooming or other sexual exploitation;
- social anxiety, self-esteem issues, bullying or peer pressure;
- access to harmful or inappropriate content;
- misinformation or undue restriction on information;
- encouraging excessive risk-taking or unhealthy behaviour;
- undermining parental authority or responsibility;
- loss of autonomy or rights (including control over data);
- compulsive use or attention deficit disorders;
- excessive screen time;
- interrupted or inadequate sleep patterns;
- economic exploitation or unfair commercial pressure; or
- any other significant economic, social or developmental disadvantage.
However, to protect children’s right to privacy, PIAs alone are not sufficient. A standard which seeks to intentionally protect and promote children’s privacy by design should include a full Child Rights Impact Assessment (CRIA), recognizing the interdependence among all children’s rights and, in particular, the strong nexus between a child’s privacy, general principles of children’s rights and their enjoyment of their family life, their freedoms of conscience expression and belief, their enjoyment of their right to play and minority linguistic, cultural and religious rights, as well as their right to be protected from all forms of violence. The best interest of the child demands that service providers and content developers providing content or services that are likely to be accessed by children turn their minds to the development of the whole child and how their offerings might impact that end user. Special regard is also needed for vulnerable populations of children including children in poverty, children with disabilities, LGBTQ2+ youth as well as street children, unaccompanied migrants, and children from minority or indigenous communities. The question is not how can PIAs be augmented by a best interest of the child lens. The question must be: how can CRIAs accompany and augment PIAs when designing products or services that children may access?
When considered in this way, it becomes clear that child participation becomes essential in the impact assessment process. Scotland and Wales have developed robust practices to support child participation in CRIA processes and the OPC should look to those practices for guidance as to how to develop similar practices in Canada.22 Using a child rights lens, the forms of harm from the digital environment may also take on a broader scope encompassing not only physical but mental, emotional and psychological harms to children, the impact of their increased sedentariness or isolation from non virtual and in-person contact time with their friends, peers and family members. The specific privacy rights of children in detention, in formal systems of care, in hospital settings, and educational settings are also made more explicit through CRIAs. The Federal Department of Justice has recently developed a helpful CRIA tool and the OPC should adopt it in its own processes.23 The OPC should also recommend its use and adoption by industry, together with the PIA process, when designing with children in mind.