Complaining to the ICO About a Child's Data
Children's personal data is protected by the UK GDPR and the Data Protection Act 2018. The Information Commissioner's Office (ICO) is the UK regulator. The Age-Appropriate Design Code, also known as the Children's Code, sets 15 standards that online services likely to be accessed by children must meet by design and default, including data minimisation, high privacy defaults, and transparency. If a school, app, social media platform, or other service has mishandled a child's data, you can raise it with the organisation first and, if not resolved, complain to the ICO.
Immediate danger — call 999
A data breach is rarely a 999 matter, but if a child has been identified, located, or contacted by someone who should not have their details, treat it as a safeguarding concern: call 999 if there is immediate physical risk, 101 if there is not, and the NSPCC on 0808 800 5000 for advice.
What to report
- •A school that has shared a child's records, photos, or behaviour information without a lawful basis
- •An app or website that has not honoured a request to delete a child's account or data
- •A platform that targets advertising or profiling at children in ways that may breach the Children's Code
- •A data breach — for example, a class list, SEN records, or contact details sent to the wrong person
- •A refusal or delay to respond to a Subject Access Request (SAR) about a child within one month
How to report
Raise it with the organisation first
When to use
Before approaching the ICO — the regulator expects you to give the organisation a chance to put things right
How to contact
Write to the organisation's Data Protection Officer (DPO) or data protection contact. Set out clearly what happened, the date, what you want them to do (delete, correct, explain), and a reasonable deadline. Keep a copy.
What to expect
Organisations are required to respond to data subject rights requests, including erasure and access, within one calendar month. A holding response within that month is not enough — they must substantively reply.
Information Commissioner's Office — main helpline
When to use
When you have raised it with the organisation and are not satisfied, or you are unsure what your rights are
How to contact
Call the ICO helpline on 0303 123 1113 (Mon-Fri 9am-5pm) or use the online live chat at ico.org.uk. The 0303 number is charged at standard landline rates.
What to expect
The helpline can confirm your rights, suggest how to raise the issue, and advise whether your situation is one the ICO is likely to investigate.
ICO online complaint form
When to use
When you want to make a formal complaint about how an organisation has handled a child's data
How to contact
Use the 'Make a complaint' form at ico.org.uk/make-a-complaint. You can complain about a personal data concern, a data breach, or a service that has not responded to a rights request.
What to expect
The ICO will assess the complaint, may contact the organisation, and will tell you the outcome. Most complaints result in advice or recommendations rather than a fine, but persistent or serious failings can lead to enforcement action.
Subject Access Request (SAR)
When to use
When you want to see what data an organisation holds about your child
How to contact
Write to the organisation's DPO or data protection contact. A SAR can be informal — simply state you are making a SAR under the UK GDPR for the child's personal data, list what you want, and provide ID. There is no fee in most cases.
What to expect
The organisation must respond within one calendar month. They can extend by up to two further months for complex requests but must tell you and explain. If they refuse or redact heavily, you can complain to the ICO.
Report a serious data breach
When to use
When an organisation has lost, exposed, or wrongly disclosed children's personal data
How to contact
Organisations themselves must report serious breaches to the ICO within 72 hours. As an individual, you can also alert the ICO via the standard complaint route and ask what they intend to do to mitigate harm to the child.
What to expect
Serious breaches involving children's data — especially safeguarding records, special-category data, or large datasets — are a regulatory priority. The ICO can issue reprimands, enforcement notices, or fines.
Evidence checklist
Gather this information before or during your report. Do not delay reporting while collecting evidence — but preserve what you can.
- Dates of the original data event (sharing, breach, refusal)
- Copies of any correspondence with the organisation, including emails to the DPO
- A clear written statement of what you asked for and what they did or did not do
- The name of the organisation, its data controller status, and the DPO's contact details if known
- The child's date of birth — relevant to age-based protections under the Children's Code
- Notes on any harm or distress the data event has caused the child
What to say
You do not need to use a script, but this template may help if you are nervous about making the call. Adapt it to your circumstances.
"I am complaining about how [organisation] has handled my child's personal data. My child is [age]. On [date], the organisation [brief description — shared, lost, refused to delete, failed to respond to a SAR]. I wrote to their data protection officer on [date] and they [response or lack of response]. I am asking the ICO to consider whether this complies with the UK GDPR, the Data Protection Act 2018, and the Age-Appropriate Design Code. I have attached copies of the relevant correspondence."
What happens next
Most complaints are first reviewed by the ICO's casework team, who decide whether to engage with the organisation. They may write to the organisation seeking an explanation and ask it to take steps such as deleting data, retraining staff, or improving processes. In serious or repeated cases, the ICO can take formal enforcement action. The ICO will write to you with the outcome. Where you are unhappy with the outcome, you can ask for a case review, and ultimately apply for judicial review of the ICO's decision.
What not to do
- ✗Do not post the child's data or screenshots of the breach on social media — this can worsen the exposure
- ✗Do not pay an organisation for a copy of the child's data — SARs are usually free
- ✗Do not wait years to complain — the ICO expects complaints within a reasonable time of the event
- ✗Do not assume nothing can be done because the organisation is large — the ICO regulates everything from schools to global platforms
- ✗Do not ignore safeguarding implications — a data leak can be a safeguarding risk as well as a data matter
Frequently asked questions
What is the Age-Appropriate Design Code?
The Age-Appropriate Design Code, often called the Children's Code, is a statutory ICO code under section 123 of the Data Protection Act 2018. It sets 15 standards — including high privacy by default, data minimisation, transparency, no nudge techniques, and the best interests of the child — for online services likely to be accessed by children in the UK. Services must demonstrate conformance, and the ICO can take enforcement action where they do not.
Can my child make their own complaint?
Yes. Data rights belong to the individual, regardless of age, as long as they understand their rights. The ICO accepts complaints from children and adults. A parent or carer can support a child to make a complaint, or complain on their behalf where the child cannot do so themselves.
What if the situation feels urgent right now?
If a child is in immediate danger because of how their data has been shared, call 999. For non-emergency police matters, call 101. The NSPCC helpline (0808 800 5000) can advise on safeguarding implications. The ICO helpline (0303 123 1113) handles data protection questions. For a decision tree, see /tools/reporting-route-finder.
Sources and further information
- ICO — Make a Complaint — Information Commissioner's Office
- ICO — Age-Appropriate Design Code — Information Commissioner's Office
- ICO — Children's Information Hub — Information Commissioner's Office
- Data Protection Act 2018 — UK Parliament
This guidance is for informational purposes. It is not a substitute for emergency services or professional safeguarding support. If a child is in immediate danger, call 999 (UK) or 911 (US) now.
Was this page helpful?
Last reviewed: 2026-06-14. This page provides general educational information, not legal or professional safeguarding advice. UK helplines and legislation may change — verify current details with the relevant organisation.