Guidance

LEDS Child Rights Impact Assessment (CRIA)

Published 17 July 2025

June 2025

1. Introduction

1.1. A Child Rights Impact Assessment (CRIA) is a process that helps people understand how a proposed law, policy or decision might affect children’s human rights. A CRIA can be used as a tool for looking at decisions, practice, policy or legislation to identify and measure their effect on children and young people. It is considered good practice in examining impacts to be predicted, monitored and, if necessary, avoided or mitigated. This assessment requirement has its origins in the United Nations Convention on the Rights of the Child (UNCRC). The UNCRC is a legally binding international agreement setting out the civil, political, economic, social, health and cultural rights of every child, regardless of their race, religion or abilities. One hundred and ninety-six countries have signed up to the UNCRC, including the United Kingdom (UK).

1.2. Like other countries that sign up to the UNCRC, the UK is bound by international law to ensure it is implemented. The UN Committee on the Rights of the Child monitors the implementation activities of stages. The UK is required to submit periodic reports on the national situation of children’s rights to the Committee for examination, including information on the measures adopted to protect the rights of children. The UK Government has therefore made a public commitment to give due consideration to the UNCRC when making new policy or legislation. The UNCRC (Incorporation) (Scotland) Act 2024 made Scotland the first part of the UK to incorporate the UNCRC into domestic law. The Department for Education (DfE) developed a CRIA template for use within government departments, to consider the impacts on children’s rights when developing new policy or legislation, and this has been adapted for this assessment

1.3. The Law Enforcement Data Service (LEDS) is a new law enforcement data system, which is currently under development. The LEDS Programme, which oversees that development, has determined that undertaking a CRIA for LEDS will help identify which children’s rights could be impacted by the policy decision to build a new data system for policing and assist in ensuring the protection of children’s rights within LEDS as the resulting entity. The LEDS Programme has been in place for several years but as the system comes closer to implementation, the implications for children’s rights have been brought into consideration. LEDS is a national service, processing data for law enforcement purposes, which is mostly collated from local policing data systems and other law enforcement sources across the UK and Crown dependencies. Children’s data will be included amongst LEDS data, as discussed further in section 6.

1.4. The LEDS CRIA has sought to identify any changes in the planning and development of LEDS that might mitigate the negative impacts on children’s rights and maximise the positive impacts for children and young people. This CRIA has been initiated part way through the development process, but the desired outcome is that the impact assessment process be absorbed into the design and development structures as an organic design process. This is subject to any proposals for LEDS enhancement post March 2026 (see para 4.2.2 below)

2. Legal, Policy and Practice Context of the CRIA

2.1. The UNCRC Articles

Articles 2,3,6,12 are general principles applicable to all considerations of children’s rights.

Article 2 - The Convention applies to all children without discrimination. No child should be treated unfairly on any basis. This also complies with the Equality Act 2010 and section 75 of the Northern Ireland Act 1998.

Article 3 - All organisations concerned with children should make decisions in their best interests.

Article 6 - Children have the right to life. Governments should ensure that children survive and develop healthily.

Article 12 - Children have the right to say what they think should happen when adults are making decisions that affect them, and to have their opinions taken into account.

Other articles that are considered relevant for the purposes of this assessment are:

Article 1 - Defines “child” for the purposes of the Convention as every human being below the age of 18. This definition has been adopted for the purposes of this assessment.

Article 4 - Governments must do all they can to make sure every child can enjoy their rights by creating systems and passing laws that promote and protect children’s rights.

Article 16 - Provides for the right of every child to be protected by the law against arbitrary or unlawful interference with his or her privacy, family, home or correspondence as well as against unlawful attacks on his honour and reputation.

Article 17 - Provides the right of access to information. Children have the right to get information from the Internet, radio, television, newspapers, books and other sources. Governments should encourage the media to share information from lots of different sources, in languages that all children can understand.

Article 22 – Ensures that children who have come into a country as refugees have the same rights as children born in that country, including over the collection and application of their data.

Article 40 – Ensures that children who are accused of breaking the law should receive legal help, and this may include protecting their personal data rights.

A summary of other policy and strategic drivers relevant to the development of LEDS and the protection of children’s rights is contained in Appendix 1. There will be planned legislative changes accompanying the development of LEDS, which will be covered in future versions of this assessment.

3. Process

3.1. A three-stage process was applied to the CRIA following the DfE guidance:

• Stage 1: Screening

• Stage 2: Assessing the impact

• Stage 3: Summary and monitoring

Stage 1: Screening. This address specific questions in establishing the scope of the CRIA for LEDS:

• What is the legislative or policy development under consideration?

• What is the aim, or purpose of the structure in development?

• How is it being developed?

• Who is responsible for that development?

Stage 2: Assessing Impact. This address key questions in establishing to what extent children’s rights are impacted, the positive and negative implications, the mitigations and the relevance to stakeholders.

• Who will it affect?

• Which groups of children and young people?

• What data within the system might be relevant?

• What information collected and applied through LEDS will include data concerning children and young people up to the age of 18?

• Who has been consulted within the programme?

• What is the evidence?

• What are the mitigations planned?

• What are the initial findings that need to be tested externally, including the views and experiences of children and young people?

• How will the programme ascertain stakeholders view of the development?

Stage 3: Summary and Monitoring. Drawing conclusions based on the consultation process and identifying how this will influence further development.

• What is the result of the consultation process?

• What are the risks and mitigations identified in the assessment?

• What is the conclusion on the impact assessment?

• How will this be fed back and to whom, and how will this influence further development?

• How will the programme be monitored and reviewed to ensure it maintains a commitment to respect, protect and fulfils children’s rights?

4. Screening and establishing scope of CRIA

4.1. The development under consideration.

4.1.1. Law enforcement agencies in the United Kingdom currently make use of a wide variety of information systems at a local level. They collect and process data in connection with their law enforcement and policing purposes. Some of this information is then shared with national systems. One such national system is the Police National Computer (PNC).

4.1.2. LEDS is the replacement for PNC. The PNC holds personal data relating to individuals who have come to the attention of the police through events, including arrests, charges, summons and court disposals (including convictions). It also contains associated information such as warnings and whether a person is wanted or missing, as well as information about drivers, vehicles, and lost and stolen property.

4.1.3. Most of the data in PNC and LEDS is collected by policing, but some comes from other parties such as His Majesty’s Courts and Tribunals Service (HMCTS) and the Driver and Vehicle Licensing Agency (DVLA) and other organisations. The PNC acts as a central database for policing to store and share data with other forces and agencies.

4.2. The aim or purpose of LEDS development

4.2.1. It is a priority for the Home Office and Policing to reduce crime. The Home Office current Outcome Delivery Plans for reducing crime relies upon LEDS to provide a new joined-up information system to prevent crime and better safeguard the public. LEDS is a modern cloud- based data service that will enable the retirement of the PNC (currently foreseen as March 2026). The PNC has evolved significantly but is limited by the 1970s software on which it runs. The new service will enhance functionality, improve usability and deliver a range of benefits, including a reduction in running costs in comparison with the PNC. LEDS will provide police forces and other law enforcement agencies with an on-demand, easier to use and joined-up information service at their point of need.

4.2.2. LEDS has been in delivery since 2021 to enable a gradual migration away from PNC for Police Forces and other law enforcement organisations. PNC data is constituted from direct data entry and from data uploaded from local policing and law enforcement systems. This data will be carried into LEDS and there will be a period where user organisations will have access to both systems, and updates in the PNC will be replicated onto LEDS, and LEDS updates will be reflected in the PNC. Once the PNC is decommissioned LEDS will be the sole national database for this information. The scope of current programme delivery has allowed for the delivery of additional value where this is possible within the scope of the business case and transition timeline.

4.2.3. At the time of writing, funding for future enhancements to LEDS has not yet been confirmed and will have to be considered in the light of the wider financial challenges in government. Funding for further delivery of LEDS will also need to be balanced against public expectations to deliver legal compliance, provide public protection and manage evolving threats.

4.2.4. LEDS is primarily used for processing data for Law Enforcement Purpose. These are defined in Part 3 of the Data Protection Act 2018 (DPA 2018) as:

“the prevention, investigation, detection, or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security”.

Law enforcement purposes can include the work of specific agencies which conduct, for example, animal cruelty investigation and prosecution, environmental health investigation and prosecution, and immigration enforcement.

4.2.5. Other processing in LEDS is undertaken for General Purposes under the UK GDPR and Part 2 of the DPA 2018. This includes, but is not limited to:

• Security vetting

• Safeguarding children and vulnerable persons

• Missing persons

4.3. How is LEDS being developed?

4.3.2. LEDS is being delivered incrementally in a product/service-based format. This will offer both the existing service from PNC and add new products or services, such as Missing Person. This approach enables access to data and functionality to be controlled depending on which products or services are relevant to the organisation or user from that organisation, through a system of individual entitlement allocations. The PNC is also accessed by, or provides data to, over 150 other organisations outside of policing, with a range of restrictions on what they can access. This will be replicated with LEDS. LEDS delivery before March 2026 is laying the foundations for future transformation so products have been designed to be evolutionary enabling value to be added incrementally after the programme has finished, subject to future funding. LEDS has four core user services which are:

Person Service: This is likely to be the most used service within LEDS and will enable users to search the national person records and update them with the latest person identity information and wanted reports. With the right permissions, new records of individuals can also be created. A user’s first port of call will be enquiry, to establish whether a person’s record exists on LEDS. The services associated with the Person Service are:

• Person Check

• Full Person Search

• Wanted Person

• Missing and Found Person

• Offence Processing and Criminal Justice

Property Service: This is a national register for the stolen and found property.

Drivers Service: This service connects users of LEDS to the Driver and Vehicle Licensing Agency (DVLA) registered Driver Licensing information. This enables Road Policing officers and other investigators of road traffic matters to establish a person’s current driving licence status, entitlement to drive and other restrictions.

Vehicles Service: This service provides users with access to DVLA data on vehicles, including vehicle description, registered keeper, tax, and any information recorded about the vehicle. In addition, LEDS will provide access to Driver and Vehicle Standards Agency (DVSA) data regarding vehicles’ MOT status and Motor Insurers’ Bureau (MIB) data on vehicles’ insurance status.

Drivers’ and Vehicles’ data is accessed in LEDS by means of application programming interfaces (APIs) with the DVLA, DVSA and MIB. APIs are a way for two or more computer programmes or components to communicate with each other. This means that the data will not be transferred or stored into LEDS, but LEDS will allow the user to view that data within the source organisation’s own domain.

4.3.3. A specific Audit Service captures stores and provides access to an end-to-end record of the activities of users who are processing data in LEDS products/services for Policing and Law Enforcement Purposes. This provides a safeguard that allows auditors to identify misuse, whether malicious or otherwise. This can also highlight other variances such as issues around data quality or the need for more training.

These core services are supported by further LEDS services which ensure quality, compliance, and governance of the data.

4.4. Who is responsible for the development?

4.4.1. The National Police Chiefs’ Council (NPCC) brings UK police leaders together to set direction in policing. The police service, through an NPCC lead, the nominated Information Asset Owner (IAO) is driving the development of the system.

4.4.2. The Home Office is responsible for technical development and maintaining the LEDS service on behalf of policing. The National Law Enforcement Data Programme (NLEDP) was established in 2016 to replace the PNC with LEDS. The development programme is now known as the LEDS Programme and sits within the Home Office Police and Public Protection Technology (PPPT) portfolio as a collaborative initiative between NPCC and the Home Office.

4.4.3. The main users in the UK are the 43 geographical police forces in England & Wales, Police Scotland, the Police Service of Northern Ireland and other policing and non-police organisations. Policing and few law enforcement organisations have come together collectively to become Joint Controllers for the purpose of managing LEDS. The Joint Controllers, determine the use of LEDS data and are responsible for legal compliance. They have set out their mutual responsibilities through a Joint Controller Agreement ^{[footnote 1]}. This does not remove their individual responsibilities for data management within their organisations. The Joint Controllers have contacted the Home Office as a processor service provider of LEDS. There are a small number of other authorised organisations who will be able to create and make updates to LEDS. This makes those organisations controllers for the processing that they initiate.

5. Scope of the impact

5.1. Who are the children and young people affected?

5.1.1. The specific categories of children who may be affected by LEDS processing are:

• Children who are at risk of or come into conflict with the law as offenders or suspected offenders

• Children who are victims of crime

• Children who are deemed to be in danger of harm, including abuse, neglect, or exploitation

• Children who are reported as missing

• Children who are subject to court orders

• Children who are subject to legal proceedings linked to adult prosecution.

• Children with a driving licence

• Children recorded as the registered keeper of a vehicle

• Children who are licenced to hold firearms.

6. Initial Impact Analysis

6.1. Children’s data will be stored on LEDS

6.1.1. The proportion of children’s data captured on the PNC under the ages of 18 (as compared to adults) is low and even fewer records for children below the age of criminal responsibility. The Person Service is the part of the system that mostly handles information about people, including children. Sometimes it stores details about children even if they have not done anything wrong or are not suspected of a crime. In some instances, children’s data will be captured in Drivers and Vehicles Service. The Property Service stores data in relation to goods of high value and therefore is likely to hold much less children’s data. Currently, in PNC, it is not possible to clearly identify the age and category of the child, and this is proposed to be addressed within LEDS.

6.1.2. Children who are at risk of, or are in, conflict with the law: Data in LEDS will be migrated from the older systems, the PNC and from HMCTS. LEDS records may include children who are or were suspected of an offence as well as those convicted of offences. LEDS will also be used to create and maintain records of those ‘wanted’ by law enforcement. Records held on the PNC show whether a person has ever been convicted of a recordable offence or a non-recordable offence associated with a recordable offence. A PNC record also contains information about non-conviction outcomes including ‘Not Guilty’ adjudications, ‘acquittals,’ ‘discontinuances’ and ‘No Further Action’ (NFA) disposals. LEDS will capture the details of such persons directly or via the PNC whilst that remains a master data source; this may include the details of children under the age of 18. There are different geographic considerations:

6.1.2.1. In England, Wales, and Northern Ireland, the Minimum Age of Criminal Responsibility (MACR) for the children is set at ten years which means that under that age they are considered too young to be held responsible for a crime. Therefore, their names will not be added to the police system (LEDS) as offenders. But once a child turns ten, they can be arrested and taken to court if they are suspected of a crime, and their details might be recorded in the system. Children between ten and 17 years old can be arrested and taken to court if they are suspected of committing a crime, but a child under the age of ten cannot be arrested or charged with a crime and will not be entered as such in LEDS.

6.1.2.2. In Scotland, the MACR is 12 years old. A child below 12 years cannot be arrested or charged with a crime. Data processed in Scotland will not include data relating to children under the age of 12 years old in relation to their criminality. Scotland sends data to PNC (and eventually LEDS) from their Criminal History System. Generally, that does not hold details of those children under 17 who are dealt with by the Children’s Hearings System. It will contain details of children who have committed serious offences.

6.1.2.3. At the time of writing there is a proposal for the MACR in Northern Ireland to be raised from the current age of ten years to 14 years, to comply with the UN Committee on the Rights of the Child recommendation that the MACR for Member States should be at least 12 years of age and preferably 14 years or higher. (2007: General Comment No. 10)

6.1.2.4. Children who may have been prosecuted in jurisdictions outside the United Kingdom may have convictions for offences which differ from UK law. Guernsey, Jersey and the Isle of Man, as Crown Dependencies are not part of the UK and have their own legal systems and criminal laws. While these systems are influenced by UK law, they are distinct and can define offences differently.

6.1.3. Children who are victims of crime: LEDS will not routinely record details of victims other than their names as, for example, the owner of missing property, although more details of crime recording are captured on local systems. The information is intended to help deal with operational assistance and action. In more serious cases, such as those relating to child sexual exploitation, slavery or trafficking, reports on suspected victims will be held on LEDS as a means of safeguarding (see below).

6.1.4. Children who are deemed to be in danger of harm, including abuse, neglect, or exploitation: There are some instances where details are captured of children who have not committed a crime or are not even suspected of doing so, for example, capturing data in relation to children who may be in imminent danger of a forced marriage or abduction. This is through the Operational Information Report (OIR) process. It is possible that the details of children under 18 years old are captured because they have been identified as vulnerable individuals due to coercion and intimidation by gangs, for example, in relation to county-line offences, which often involve children and vulnerable adults. OIRs are subject to a three-year review process where they will then be removed from the record unless there is a current risk. Additionally, in more urgent situations, the Child Rescue Alert Activation Protocol is a partnership between the police service, the media and the public to publicise the disappearance of abducted children to help locate and bring them to safety. Part of the protocol includes the use of LEDS Broadcasts to inform other forces and e.g. ports when a Child Rescue Alert is being considered.

6.1.5. Children who are reported as missing: In the LEDS Person Service, the Missing Person Product/Service will be likely to hold proportionately more data on younger people, as they are more likely to be reported missing, particularly where children are missing from residential or foster care hospital or youth custody. This data already exists in PNC, albeit in a small proportion, but the Missing Person capability is being designed to widen collaboration between agencies who are seeking to safeguard those who are missing.

6.1.6. Children who are subject to court orders. Children’s details will be recorded on orders made against adults in respect of those children. There are examples where a child has been the victim, such as where there is suspected Female Genital Mutilation Protection Order or Forced Marriage Protection Order officers can create an entry in LEDS for a child who is or linked to perpetrators or suspected perpetrators. Court orders are generally removed from the record when they expire. If this is longer than three years, it will be subject to a review at that period. Additional reports may be generated in respect of children who have been made wards of court and who are removed from the court’s jurisdiction. If they are located, a separate Located Report should trigger the record to be removed between eight and 38 days after its creation.

6.1.7. Children who are subject to legal proceedings linked to adult prosecution. Children might be identified as vulnerable in relation to an adult recorded for committing an offence. If a parent, guardian, or other caretaker is subject to criminal proceedings, they may have dependents who will be put at risk or who will require support, and whose details will be recorded.

6.1.8. Children with a driving licence: There will be access to data in respect of those aged under 18 in the LEDS Drivers Service and potentially in the Vehicles Service. In the UK, a person can apply for a provisional driving licence from 15 years and nine months old and can start learning to drive when they are 17 years old. A person can drive a moped on public roads when they are 16 years old and cars on public roads when they are 17 years old (and in some circumstances earlier, for example if they are in receipt of Personal Independence Payment). Driver records are generally held until notification of the death of the driver or if the driver turns 70 and they have not applied for their licence within next four years.

Secondary legislation limits the purposes for which automatically provided DVLA Drivers data can be used for the Road Traffic matters. The Home Office has been working with the DVLA to include new powers in the Crime and Policing Bill, which is passing through Parliament during 2025, and new regulations. Policing will be able to use data provided by a record check on LEDS for wider law enforcement purposes as this will widen the scope for the DVLA to share driver data for other policing and law enforcement purposes, subject to certain safeguards concerning access and application. The DVLA currently operates a Police Support Team which receives requests from both policing and other bodies for access to DVLA data for specific applications, which are judged to be in public interests.

6.1.9. Children recorded as the registered keeper of a vehicle: Anyone of any age can own and/or be the registered keeper of a car with the DVLA. There is no legal lowest age to be registered as a keeper, and some young people who have their first car at 16 or 17 years register it in their own name. Vehicle information is retained for the lifetime of the vehicle. The DVLA retains the history of the vehicle from the time of first registration until it is destroyed.

6.1.10. Children recorded as the licensee for a firearm. As there is no minimum age in the UK for a person to apply for a shotgun certificate, there may be children’s data held on the National Firearms Licensing Management System (NFLMS), which is accessed via a LEDS interface.

6.2. Children’s data rights

6.2.1. The processing in LEDS will be under the DPA 2018 and UK GDPR, both of which confer some data rights for individuals, which would include both adults and children. Children are less likely to be aware of or understand their rights under data protection legislation.

6.2.2. Any processing must have a clear basis in law, and some of those rights may not be applicable under the law enforcement purpose, which is the primary basis for collecting and processing data in LEDS. The processing must be documented, in clear and accessible language, to inform people of their rights. Published Privacy Notices are the means used to clearly identify the purpose/s of processing personal data within systems such as LEDS. They are mostly published by individual controllers on their organisational websites. Children and young people may not be able to easily source these.

6.2.3. Individuals can exercise Subject Access Rights to discover if any, data is held by policing on them. There is not any age requirements attached to the right of subject access, but the Information Commissioners Office (ICO) suggests that 12 years is considered as the age where young people can exercise their own legal rights. The level of awareness of data protection rights amongst those under the age of 18 is suspected to be relatively low. If a subject access request relating to data being processed about a child comes from an individual other than that child, controllers are exempt from providing this data if doing so would not serve the best interests of the child or if the child is over 12 and does not wish for this to be disclosed.

6.2.4. Exemptions apply to children’s personal data in the same way as they apply to adults’ personal data under the UK GDPR and the DPA 2018. The DPA 2018 allows the processing of personal data, including children’s data, for law enforcement purposes, in ways that the UK GDPR would otherwise not allow.

6.3. Retention of children’s data

6.3.1. Under existing national guidance, PNC records are required to be retained until a person is deemed to have reached 100 years of age. The IAO has commissioned an ongoing review in respect of data retention and disposal of these records in LEDS. This review will consider the views of the judiciary, other stakeholders, and recent legislation regarding the retention of data required for ongoing inquiries, which may relate to data concerning children. The recommendation at the time of writing is to extend the retention period to 120 years to reflect people living longer. Local policing data in England and Wales is subject to a risk-based review process, but this does not apply to PNC and LEDS. There is a different data review retention and disposal protocol operating for criminal justice information collected in Scotland and Northern Ireland. Police Scotland and Police Service of Northern Ireland (PSNI) issue separate guidance for those jurisdictions.

6.3.2. Some of the indirect consequences of collection and retention of children’s data can affect them later in life, for example where people are refused potential opportunities in employment or are unable to relocate to other countries because of data held in national systems such as LEDS. Arguably, an adult committing an offence is more likely to be aware of those risks than a young person. Children may act with less consideration for the effects in later life of having information recorded concerning criminal activity. Research suggests the peak age of criminality is between 14-25, known as the ‘age-crime curve ^{[footnote 2]}. After the age of 25 there is a steep drop in criminal behaviour. This is because people take on new roles in the work force, relationships etc, and the prospect of imprisonment and its adverse impact on these areas become more realistic. Data recorded before the maturity can have persistent effects on life choices, such as employment. For example, children aged ten to 17 years old can be given a youth caution as a formal out of court disposal if they admit a criminal offence.

6.3.3. UK Legislation: The Rehabilitation of Offenders Act 1974 (England and Wales Rehabilitation of Offenders (NI) Order 1978 (Northern Ireland) and The Rehabilitation of Offenders Act 1974 (Exclusions and Exceptions) (Scotland) Order 2013 enable some criminal convictions to be ignored after a rehabilitation period. The rehabilitation period is automatically determined by the sentence. After this period, if there has been no further conviction the conviction is “spent” and, with certain exceptions, need not be disclosed by the ex- offender in any context such as when applying for a job, obtaining insurance, or in civil proceedings. A conviction for the purposes of the rehabilitation of offenders’ provision includes a conviction issued outside Great Britain (see s1(4) of the 1974 Act) and therefore foreign convictions are eligible to receive the protection of the legislation. These matters will be retained on PNC/LEDS and will be available to the Disclosure and Barring Service (DBS), Disclosure Scotland or AccessNI (in Northern Ireland) although there are restrictions on what information that might be disclosed to employers about an individual’s criminal record. The time periods after which a spent conviction will no longer be disclosed are 11 years after conviction, and for those under 18 it is five and a half years.

6.3.4. There is no disclosure of youth cautions, reprimands and warnings from central police records, i.e. those 1989, on PNC/LEDS, but in the case of the enhanced criminal record check, information relating to the youth caution, can be disclosed by a Chief Officer from locally held records. In deciding to disclose information held on a local record, Chief Officers follow Statutory Disclosure Guidance and must consider what is relevant to the prescribed or specific purpose for which the certificate is being sought. Information, such as the existence of a youth caution, reprimand or warning, must only be provided if the Chief Officer reasonably believes it to be relevant. Establishing a reasonable belief that information is relevant requires a higher standard than simply considering that it might be or could potentially be relevant. Any decision to disclose information must always be a carefully balanced decision weighing up relevant factors, including credibility, seriousness and recency. There is also a proportionality consideration in whether any interference with an applicant’s right to respect for their private and family life is justified. This aligns with data protection principles of fairness and proportionality. The threshold for disclosure of such information is extremely high, resulting in a disclosure rate of less than 0.2% of applications in England and Wales in 2019/20.

6.4. Classification of children’s data

6.4.1. There are also complexities in data recording categories. For example, it may be necessary to capture the race or ethnicity of a child in line with reference data. A child may not have experience in expressing their preferred identity, or may wish to determine their own categorisation, which may not be on offer. In the PNC as the current system, a person is unable to define themselves as ‘Black-British’ or ‘Asian-British’. Therefore, it is possible that children that identify as being in these groups will feel discriminated against as they are unable to capture their self-identified race in a way that they feel describes them best. In Northern Ireland there is an additional requirement in stop and search powers to capture or assess community background

6.4.2. A child’s sexual orientation may need to be recorded to meet and support their needs if police exercise their powers of arrest or detention. This may have implications if a child is vulnerable, meaning that police need to understand the potential risk of harm and appropriate safeguarding action taken. Children may not wish to disclose or may be reluctant or fearful to disclose this information. This may be relevant if a child has been threatened and is at risk of harm due to their perceived sexual orientation or gender identity. Children may wish to self-define their gender, sex, or sexual orientation.

6.4.3. There are positive impacts of the inclusion of children’s data in LEDS. Police can quickly share information with schools to let them know about children who have faced domestic abuse or other difficult experiences. The inclusion of a Missing Person product/service is viewed as a positive development for children who are missing, increasing the sharing of information between policing and agencies who support families where their loved ones are missing. This may be especially the case in situations where children may be trafficked, or where they may be exploited under what are known as ‘county lines,’ where drugs are transported from one area to another, often by children who are coerced into it by gangs. A report by the University of

Nottingham Rights Lab and ECPAT UK ^{[footnote 3]} identified the scale of child modern slavery in the UK estimating over 7,000 cases. The study reveals large gaps in data collection and recording. The Independent Inquiry into Child Sexual Abuse ^{[footnote 4]} has recommended that organisations (including policing) should retain information concerning allegations of child sexual abuse. This is to ensure that in later life survivors of abuse can cite where allegations were made but possibly had not resulted in formal investigation.

7. Consultation

7.1. Process

7.1.1. The invitation for consultation took several forms. The first element was a direct approach by letter with an invitation for direct engagement with DCC Malik, the NPCC Lead for LEDS. This was the approach made to the Children’s Commissioner of each of the devolved administrations. As an alternative they were also invited to the combined stakeholder event in August. 2024 The Children’s Commissioner for England was the only one of these four bodies to take up the invitation and a representative attended.

7.1.2. Consultation with the ICO took place through a virtual meeting with a brief presentation on the aims and intentions of the CRIA. The consultation draft was shared and there was some subsequent electronic feedback. That is discussed below.

7.1.3. Consultation with children’s charities, civil society organisations which advocate the protection of children’s rights, and stakeholders in Youth Justice took place in Summer 2024. This took the form of a hosted roundtable discussion within the Home Office. Fifteen organisations were invited, having been identified as having an interest in the rights and protections of children, including the four Children’s Commissioners. Those who agreed to attend were provided with an advance copy of the consultation draft CRIA. Six organisations responded positively. The remaining organisations were also sent the draft CRIA and provided with an opportunity to comment. Only one of the fifteen organisations provided feedback electronically, the Office of the Children’s Commissioner for England. That is referenced below. The full list of those who were invited and those who attended is contained in Appendix 3.

That discussion focused on:

• an exploration of the sort of personal data that is captured by policing and law enforcement;

• how that personal data might be captured and in what circumstances;

• how long the data of children under 18 could stay on the national system and in what circumstances; and

• their expectations around the protections of children’s data rights in balance with law enforcement and safeguarding responsibilities.

7.1.4. Consultation with children and young people, with the co- operation of a youth engagement specialist agency (UK Youth), took place between December 2024 and January 2025. This took the form of an online survey and a managed focus group with young people to explore their understanding of how policing and law enforcement holds data and the concerns they may have. The survey was managed and distributed by UK Youth through their Youth Management Group (YMG) which is a peer structure. The survey was open from 9th December when members of the LEDS team and the YMG attended an event with over 70 young people mostly drawn from schools across London. This event was a Hope Hack, an event designed to give young people aged 15-25 years old a voice in political decision-making, as they addressed an invited audience. The day-long event saw young people engaged in a series of workshops themed around reimagining a fairer society. This involved groups discussing key issues affecting them and their communities and producing potential solutions. The event concluded with young people presenting their ideas to an audience featuring decision-makers from a range of sectors including Sir Mark Rowley, the Metropolitan Police Commissioner. The YMG representatives engaged with attendees in the break and encouraged them to complete the survey. The survey was then circulated to UK Youth networks.

The survey sought to establish what young people might know about:

• the sort of personal data that is captured by policing and law enforcement

• how, and under what circumstances, that personal data might be captured

• how long they think that data of children under 18 could stay on the national system

• what they understand about their data rights granted in law; and

• whether they know how to find out about what data might be held and what they can do about it.

7.1.5. Following this the YMG convened a focus group/roundtable session which was attended by 11 young people aged between 14-25 who were members of the YMG plus additional representatives from the iWill movement. This is a social action collaboration which engages 700 young people and is supported by UK Youth. Seven members of the LEDS team attended.

7.1.6. The results of the survey and the discussion are presented in section 7.3.

7.2. Stakeholder views

7.2.1. Children’s Commissioners: A representative of the Children’s Commissioner for England took part in the roundtable and followed up with a suggestion on the presentation of the information within the draft. The observation was that identifying impacts on specific categories of children would be clearer and that was followed through in redrafting. The other three national commissioners were given copies of the draft report to review but did not provide responses.

7.2.2. The ICO: The ICO representatives were positive about the CRIA process and particularly the commitment to enable some of the distinctions in LEDS that would provide better safeguards to children’s rights. They did for further elaboration on the safeguards that have been put in place regarding disclosure of youth cautions. Further detail was provided in the subsequent redraft. Youth caution data is retained on LEDS, but the enhanced disclosure process operates through the local data record. We however could recognise that for many readers that is not a distinction that might not be noticeably clear. This final document will also be shared with the ICO.

7.2.3. Stakeholder event: The views of the stakeholders who attended have been summarised and are not specifically attributed. Overall, there was a positive reception to the process being undertaken and the stated intention of the programme to ensure that children’s data rights are addressed within the design and development of the data service. Specific recommendations were requested and are as follows:

• Stakeholders would like to see engagement at a community level, building trust between young people and the police handled with sensitivity. There was a request for more engagement with young people in shaping the communication of some of the issues under discussion. The advice was to engage community leaders, youth workers, and schools, in helping to understand the impacts of this and how it is going to impact children and young people and assisting them in understanding what rights they have along with the implications of exercising them. Getting young people themselves to be involved in shaping the narrative around this and identifying relevant social media channels may be more effective that simply publishing information on a government website that young people may not readily access.

• Stakeholders would like to see the roll-out of LEDS do something to mitigate problems that come with disclosure. The existing disclosure safeguards involve the discretion of human beings, and this was seen as where there may be inconsistencies or injustices. Automation in the process of deletion and disclosure was welcomed but with cautions as to how the principle of data minimisation would be applied for children.

• Stakeholders wanted to see more consideration of how data is processed through immigration procedures and particularly in instances of child trafficking. Incorrect recording of age at the point of first contact (often because of incorrect reporting by young people) can result in difficulties in further processing claims.

• Stakeholders wanted more child-friendly communications, with a suggestion about using systems like NSPCC’s Childline. That was identified as an information source that children recognise.

• Stakeholders were almost unanimous in putting forward a request for education about data held by law enforcement. Young people do not know what information is held or that their images may be held. It was recognised as a challenge, but the view was that there is a duty of care in that education piece and in making the information accessible. Working with teachers or youth workers to make them aware of the issues facing young people whose data may be held. The importance of working collaboratively was noted, and it was recognised that more needed to be done to increase trust in Police. It was suggested that a Privacy Notice aimed at young people be made available in accessible media.

7.3. Findings on young people’s views and experiences

7.3.1. Survey

7.3.1.1. Responses: The survey received 80 responses and aimed to assess young people’s awareness and understanding of police and law enforcement data practices. The questions within it focused on their knowledge of personal data collection, retention, access by other agencies and their rights under data protection law. The findings below provide valuable insights into the levels of awareness among different demographic groups, highlighting key gaps in knowledge and areas for potential improvement. The full report is attached in Appendix 4 which identifies the demographic breakdown in detail. Overall, there were more female than male respondents (74% to 24%) with 3% identifying as other. There was a fairly even representation across ethnicity. Seventy six percent were in full-time education. Thirty five percent (28) had been in contact with the police or law enforcement and 65% (52) had not. 25% of the female and 58% of the male respondents have been in contact with the police.

7.3.1.2. The survey found that:

• there was a widespread lack of understanding of the status of data collection by policing and law enforcement, with only 15% having any awareness

• even where respondents disclosed having had direct contact with police or law enforcement, most had limited awareness of data collection, retention and access rights

• 45% did recognise that data might be accessed by other agencies

• only 8% (6) had an idea of how long their data might be held but their responses indicated uncertainty

• only 10% (8) suggested that they understand what data rights they may have under data protection law, but this rose to 25% for those who had met the Police

• nearly 90% of the young people surveyed did not know where to find information about their data rights.

7.3.2. Roundtable event

7.3.2.1. Fourteen young people aged between 15 and 25 attended the event in London, together with staff from UK Youth and five members of the LEDS programme. These young people came from across the UK, including Belfast and Glasgow. The young people (including members of the YMG) had completed the survey and had been briefed by UK Youth online ahead of the event.

7.3.2.2. Observations from the Roundtable

• Law enforcement could consider providing more accessible and proactive information during encounters with young people, as the survey highlights that need for clearer communication. Only 25% of those in contact with police were aware of their data rights or knew what data might have been collected

• Services who share data need to be more joined up and transparent and respect young people’s rights

• The young people usually rely on social media sources like Google, and increasingly ChatGPT, to get advice/information in general, and acknowledge a risk that those searching online may encounter misleading or incorrect information

• Parents may feel that they need to inform children of their rights, particularly those from ethnic backgrounds where there is less trust in police integrity. However, they may themselves be unaware of data rights. It would be helpful to have a dedicated webpage that parents and other advisors could reference the right guidance

• Initiatives such as educational outreach, digital resources and clearer guidance on data rights could improve awareness

• Law enforcement should develop targeted resources to improve awareness of data retention policies and access rights

• Partnerships with educational institutions or youth organisations would help to increase awareness of data rights and policing practices.

7.3.2.3. As a by-product of this piece of work, iWill Ambassadors from Scotland committed to organising an information session for their peers to promote their rights and recommended sources for more information and guidance about this issue.

7.4. What the consultation told us

7.4.1. The young people consulted were relatively relaxed about the need to collect information for law enforcement purposes and the need for agencies to share that information to protect the public and to combat offending.

7.4.2. Between both the stakeholder and the young people’s consultation there was a strong thread calling for better communication and education. Researching with young people themselves revealed what other stakeholders had suspected, namely that the data subjects, the young people, are not generally aware of what data is collected when they have a contact with police, nor how to find out about that.

7.4.3. Both stakeholders and young people wanted information to be more available at the right point and in the right format. In Scotland, Activate Your Rights is information created for young people, by young people in partnership with Children in Scotland, Scottish Government and Young Scot as an accessible portal for young people, proving better understanding of their rights, including data rights. However, there are other ways to provide information. For example, in Manchester Blue Cards are issued to young people. This started as a peer initiative where young people created a video about stop and search, which is distributed through networks and then Blue Cards are issued, to further inform them of their rights in a way that helps if they are stopped. The young people’s consultation group wondered why data rights or data awareness was not taught as part of the curriculum in educational settings.

8. Final Impact Assessment

8.1. Summary

8.1.1. LEDS is a new law enforcement data system, which is currently under development and will replace an older system, PNC which has evolved incrementally. The LEDS Programme, which oversees that development, commissioned a CRIA for LEDS with the intention to help identify which children’s rights could be impacted by this development and to establish what might be required to ensure the protection of children’s rights within LEDS as the resulting entity. Overall, LEDS should have a positive impact on children’s rights. This balances the benefits of children’s data being held in in LEDS for law enforcement and public safety, to improve safeguarding practice and to enable location of those who are missing; with the risks in encroaching upon children’s data rights in doing so. There are known issues within the data set in the older technology. The new technology may address those issues for new data entry.

8.1.2. In section 2 we have identified several of the UNCRC articles which have been taken into consideration. In summary Articles 2,3,6,12 are general principles applicable to all considerations of children’s rights which have been reflected in the rationale for the CRIA itself and inform the recommended actions for the Home Office as the development partner for LEDS and the IAO, on behalf of the NPCC and the joint controllers of the data to take forward. Article 2 complements compliance with the Equality Act 2010 and section 75 of the Northern Ireland Act 1998.

8.1.3. Other articles have been relevant. Article 4 which requires governments to create systems that promote and protect children’s rights has provided a rationale for the Home Office as the development partner for LEDS to undertake a CRIA and take forward recommendations. The CRIA process has also paid attention to Article 12 by engaging young people in consultation as to what they think should happen to data gathered by law enforcement and allowing their opinions to be considered. Article 16 which provides for protection against arbitrary or unlawful interference with privacy has been directly relevant when considering a vast data set which includes the data of children. In making recommendations Article 17 has proved pertinent in encouraging the controllers to share information in modes that all children can understand.

8.1.4. This process and the intention behind the CRIA have been shared with external stakeholders who have an interest in children’s data and data rights. That has also been shared with a representative group of young people from across the UK. They have voiced support for the process being undertaken. Their recommendations, which have been incorporated into the overall impact assessment, have largely addressed the sharing of information about the data set and how data concerning children is retained and applied by law enforcement.

8.1.5. In the early phases of LEDS, data will replicate the data set held in PNC, so the technical aspect of this impact assessment has involved consultation with subject matter experts who are very familiar with that existing data set and how the data is handled in the PNC. This has indicated some known issues which would not be possible to rectify in the older system, which is heading for decommissioning in 2026, once LEDS is fully functioning. These indicate some risks and potential mitigations for LEDS as new architecture which designers and developers could address in a future build process. However, it might not be possible to amend the historical records migrated from PNC.

8.1.6. The next steps that will follow this assessment will be consideration of practical actions that can be taken forward by the programme leads and by the joint controllers. A key element of a CRIA is what happens to monitor and evaluate the delivery and ongoing impact of the development under consideration, namely LEDS. When details of the current Government Spending Review are known the recommendations set out in Section 9 and 10 below can be considered. The enduring governance structure for LEDS is still under discussion but will include accountability to the Home Office as the funding body, and the NPCC which set direction in policing. The CRIA will be published by the programme on a gov.uk collections page, together with the EIA and DPIA for LEDS. This enables the public to view and provides a degree of public scrutiny. This CRIA will also be shared with the ICO who have been consulted during the drafting process and are expected to note the risks and mitigations identified below and the recommendations which follow.

8.2. Risks and Mitigations

8.2.1. LEDS design risk.

8.2.1.1. Risk: The Code of Practice for PNC and LEDS requires that children should be entitled to specific protection regarding their personal data, and this is another reason a specific child rights assessment was initiated. The assessment reviews what is known about data from the current system. While LEDS is sharing data with PNC, and PNC is still the main data source, LEDS products and services are limited by PNC’s capabilities. PNC is an older system that has been updated over time, but some of its design features may not support distinctions that could better protect children’s rights. This creates a design risk for LEDS which could replicate some of the known, and unknown risks to children’s data rights.

8.2.1.2. Risk: The PNC as a data system has been in existence for a long time and its evolution has meant that some customs and practices and technical modifications have not encompassed full protection for children’s data due to technical constraints. From discussion with subject matter experts, some of these anomalies are recognised, such as the implication of linking non-offender personal details on entries related to court orders, which could very well include a child’s name being linked to an adult offender’s record. However, there may be others yet to be uncovered.

8.2.1.3. Mitigation: The Home Office and Policing are consciously ensuring that the design and use of LEDS are undertaken with equality in mind through application of a variety of policies, practices and procedures. For example, the Programme is undertaking a review of the terminology used within PNC to ensure it aligns to current data categorisation standards. As well as this assessment, there is an Equality Impact Assessment for LEDS and a Data Protection Impact Assessment (DPIA). One of the obligations arising from UK data protection legislation is the requirement to conduct a DPIA where the prospective processing of personal data is likely to result in a “high risk to the rights and freedoms of individuals.” this has identified privacy or information risks concerning the processing of personal data for individuals, which together with the risks identified in this assessment specifically in regard to children form risks which need to be addressed in the design of LEDS. LEDS design already includes features such as dropdown boxes which eliminate the use of free text which constrains the range of answers and reduces human error.

8.2.1.4. Mitigation: The LEDS programme is ensuring due diligence in determining any necessary mitigations to reduce design risks by conducting a consultation with the NPCC colleagues and understanding requirements of the technical assessment of the data. The teams developing the future LEDS architecture should be able to review how the data captured and retained within LEDS will have differing implications for children and young people’s rights. This detailed technical assessment would be one step towards building a picture of the detailed data values that might need to be addressed. The review of the impact on children’s data within LEDS will be a much more detailed and ongoing process beyond this CRIA and needs to be built into the product/service design and review. This is something which can be associated with the development of a LEDS Manual which is being put together to guide users. There is a programme of LEDS Training which is evolving, and this can encompass tradecraft.

8.2.2. Data Retention risk

8.2.2.1. Risk: Children’s data will be included in LEDS, and this will not always be for reasons of offending. If a young person has come into contact with law enforcement, it is often necessary to record that information. In other circumstances, children’s information may be recorded because of the link with adults. There are six fundamental privacy principles set out in Part 3 of the DPA 2018 The third data protection principle requires that personal data processed for any of the law enforcement purposes must be adequate, relevant and not excessive in relation to the purpose for which it is processed. The fifth principle requires that personal data processed for any of the law enforcement purposes must be kept for no longer than is necessary for the purpose for which it is processed. These are critical tests which should be applied to the collection of personal data in LEDS. LEDS needs to ensure it does not retain information beyond what is necessary, and it is not always clear from PNC as to the exact age of a subject. For non-criminal justice information, captured under UK GDPR and the DPA 2018 part 2, there is a risk as to whether it is appropriate for policing to continue to hold information about a person that could be at risk of harm. This is particularly relevant to the Missing Person data which LEDS will hold, and which may have proportionately more data relating to children.

8.2.2.2. Risk: LEDS data is subject to rehabilitation of offender’s provision and whilst ‘spent’ convictions are not shared with employers under established disclosure provision (DBS, Disclosure Scotland or AccessNI) they would be visible to non-police organisations for law enforcement purposes.

8.2.2.3. Mitigation: The future development of LEDS as a new system does present an opportunity to rectify those issues. Whilst LEDS runs in parallel to the old system, LEDS is being designed to store reports which are processed under UK GDPR and the DPA 2018 Part 3 separately. This means LEDS can set different rules for keeping this data once LEDS and the old system are separated. For example, it might be possible to design a technical solution which enables the application of rehabilitation provisions. Those developing the LEDS architecture need to fully understand where children’s data might be captured and stored and how to catalogue issues that might persist once LEDS is the master data source. This CRIA is one step towards building a picture of the detailed data values that might need to be addressed in future development.

8.2.2.4. Mitigation: As discussed above there is a current review in respect of data retention and disposal of records in LEDS. For criminal justice information, the retention period will have to be set according to the outcome of the current review. One key area under consideration for LEDS is deletion of records under the revised review process. That approach, accompanied by an automated process, would provide more confidence in compliance with the fifth data protection principle under Part 3 of the DPA 2018 (that is, data being retained for no longer than is necessary for the purpose for which it is processed).

8.2.3. LEDS implementation risk

8.2.3.1. Risk: The CRIA has been praised for being open and clear about the benefits and risks of holding children’s data in LEDS. It helps improve safeguarding practices and locate missing children but also has risks to children’s data rights. Like all big technology projects, further development of LEDS will need to be carefully managed, especially with budget constraints. This could make it harder to implement the recommended actions to protect children’s data rights.

8.2.3.2. Mitigation: Planning for LEDS next phase is still under consideration, subject to funding, so the publication of the CRIA can feed into future development proposals.

8.2.3.3. Risk: Recommendations from the wider stakeholders and young people concern activity which may not be currently include in programme planning.

8.2.3.4. Mitigation: The recommendations regarding information- sharing in a more child/youth friendly format may be more appropriately directed to the controllers of the data rather than aligned to systems development.,

9. Recommendations

9.1. For the LEDS Programme

9.1.1. The Child Rights Impact Assessment should be reviewed at a suitable period after LEDS has become the master data source to ensure that protections to children’s data rights have been encompassed in design and delivery. This requirement needs to be built into the planning for LEDS governance.

9.1.2. The LEDS Programme should consider a more detailed technical analytical assessment of the source data to ensure that it is fully understood exactly where children’s data is being collected, stored and applied and catalogue this for future development.

9.1.3. The planning for LEDS architecture for when LEDS will stand alone from the PNC in 2026, should integrate the consideration of children’s data and the compliance with legal and ethical aspects of children’s data, when reflecting what further adaptations can be made within any future funding envelope.

9.1.4. The planning for any future LEDS architecture should consider whether it is feasible to develop a technical solution which enables the application of the Rehabilitation of Offenders Act 1974, and complementary provision for Scotland and Northern Ireland. This would ensure legal compliance so that that spent convictions would not be apparent to those who should not see that data.

9.1.5. LEDS should enable the appropriate classification of data subjects. It must be possible to identify children in LEDS and understand their involvement in an event so that they can be correctly categorised.

9.2. For the NPCC and the Joint Controllers

9.1.6. The joint controllers (and the NPCC) who are formulating the LEDS retention, review and deletion process should include consideration of the specific concerns regarding children’s data that is held in LEDS.

9.1.7. The joint controllers (and the NPCC) should consider how information about data held by policing and law enforcement might be provided to young people in an accessible digestible format, via channels they would readily access. This is something that external stakeholders and young people consulted strongly recommended.

9.1.8. The joint controllers (and the NPCC) should consider how information about subject access rights should be provided in respect of the data held on LEDS. This is not currently provided in any format. Consideration should be given to making this available in an accessible digestible format for young people, via channels they would readily access. Currently young people would use social media and they themselves acknowledge a risk that they may encounter misleading or incorrect information by searching online.

10. Response to Recommendations - June 2025

Recommendations	Actions in place as at June 2025
9.1.1. The Child Rights Impact Assessment should be reviewed at a suitable period after LEDS has become the master data source to ensure that protections to children’s data rights have been encompassed in design and delivery. This requirement needs to be built into the planning for LEDS governance.	The Programme has incorporated consideration of the CRIA assessment into design of LEDS Person service. This will ensure due diligence in designing data management processes in LEDS. The CRIA will be published on gov.uk and reviewed at appropriate intervals.
9.1.2 The LEDS Programme should consider a more detailed technical analytical assessment of the source data to ensure that it is fully understood exactly where children’s data is being collected, stored and applied and catalogue this for future development.	LEDS Data Quality team is conducting analytical assessments to understand improvement requirements. This recommendation will form part of future LEDS.
9.1.3 The planning for LEDS architecture when LEDS will stand alone from the PNC in 2026, should integrate the consideration of children’s data and the compliance with legal and ethical aspects of children’s data rights, when reflecting what further adaptations can be made within any future funding envelope.	The technical build discussions have reflected on potential iterations for the development of future LEDS. The importance of handling children’s data in line with data protection laws have been acknowledged. There has been proactive engagement with the technical teams to ensure risks, mitigations and recommendations highlighted in the CRIA are considered during the ongoing design stage, but realisation will be funding dependent.
9.1.4. The planning for future LEDS architecture should consider whether it is feasible to develop a technical solution which enables the application of the Rehabilitation of Offenders Act 1974, and complementary provision for Scotland and Northern Ireland. This would ensure legal compliance so that that spent convictions would not be apparent to those who should not see that data.	This recommendation has been acknowledged but analysis and consideration of potential technical solutions will need to be reflected following the Spending Review analysis when the prioritisation of backlog items is considered.
9.1.5 LEDS should enable the appropriate classification of data subjects. It must be possible to identify children in LEDS and understand their involvement in an event so that they can be correctly categorised.	LEDS Person service team is working with the SME to ensure data categories are defined to meet regulatory requirements.
For the NPCC and the Joint Controllers
9.2.1 The joint controllers (and the NPCC) who are formulating the LEDS retention, review and deletion process should include consideration of the specific concerns regarding children’s data that is held in LEDS.	This has been incorporated in the Review, Retention and Disposal assessment, commissioned by the IAO. The proposed solution will be a formal review schedule based on clear periods of non-offending, which can be managed automatically.
9.2.2 The joint controllers (and the NPCC) should consider how information about data held by policing and law enforcement might be provided to young people in an accessible digestible format, via channels they would readily access. This is something that external stakeholders and young people consulted strongly recommended.	The NPCC and law enforcement agencies are actively promoting and seeking to improve ways to foster positive relationships with young people. Some forces collaborate directly with schools, youth offending teams, and Community Outreach Programme to explain data rights— either in person or through educational materials. These efforts help build trust and ensure that children understand how their data is handled. Young people suggested the need to engage intuitive ways to develop learning material to engage young people and highlighted the need to use of social media and use of other new channels is to raise awareness. This has been noted by the IAO.
9.2.3. The joint controllers (and the NPCC) should consider how information about subject access rights should be provided in respect of the data held on LEDS. This is not currently provided in any format. Consideration should be given to making this available in an accessible digestible format for young people, via channels they would readily access. Currently young people would use social media and they themselves acknowledge a risk that they may encounter misleading or incorrect information by searching online.	During the CRIA consultation meeting, the importance of engaging and working collaboratively with young people was highlighted. The Information Asset Owner (IAO) have formally noted this recommendation.

Appendix 1

Summary of other policy and strategic drivers relevant to the development of LEDS and the protection of children’s rights

Policy and Strategic Drivers	Description
Children’s rights and protective legislation	The UK, as a State Party, has ratified the UNCRC and the First and Second Optional Protocols. They are therefore binding on the UK as a matter of international law. Article 4 of the UNCRC requires States Parties to “undertake all appropriate legislative, administrative, and other measures for the implementation of the rights recognised in the present Convention”. The UNCRC (Incorporation) (Scotland) Act 2024 made Scotland the first part of the UK to incorporate the UNCRC into domestic law. Previously Part one of the Children and Young People (Scotland) Act 2014 required all Scottish ministers to: give better or further effect to the requirements of the UNCRC. The Rights of Children and Young Persons (Wales) Measure 2011 imposes a duty on Welsh ministers to have due regard to children’s rights as expressed in the UNCRC. There is no equivalent statutory requirement in England to carry out a Child Rights Impact Assessment (CRIA) when developing any new legislation or policy. There is some legislative guidance in defining what is a child. For the purposes of the present Convention, Article 1 defines a child as meaning every human being below the age of 18 years unless, under the law applicable to the child, majority is attained earlier. Two principal acts relating to the protection of children’s rights in England and Wales (the Children Act 1989, and the Children Act 2004) both define ‘child’ as a person under the age of 18, with some extension of the legislation, in certain cases, to those over the age of 18. The Childcare Act 2006 also defines ‘child’ as a person under the age of 18. In Northern Ireland, the Children (Northern Ireland) Order 1995 and in Scotland, Children and Young People (Scotland) Act 2014 both define a ‘child’ as a person under the age of 18. Section 46(1) of the Children Act 1989 provides for police protection for any child who is reasonably believed to be likely to suffer significant harm, and the police have a duty to inquire into that child’s case. In Northern Ireland, the power exists to remove a child in an emergency, where there is a belief that the child would otherwise be likely to suffer significant harm (Art 65 of the Children (NI) Order 1995)
The Data Protection Act 2018 (DPA 2018) & UK General Data Protection Regulation (UKGDPR)	LEDS is being developed within the requirements of data protection legislation, including adopting privacy by design as default. The programme also ensures compliance with the legislation through assurance mechanisms built into programme development.
Police information and records management Code of Practice	The statutory Code of Practice and guidance sets national principles for police information and records management in England and Wales.
PNC and LEDS Code of Practice & Guidance	The aim of this Code is to provide public confidence in the legitimacy and integrity of information that is available through PNC or LEDS and the lawful purposes for which this is applied. It introduced ten Principles all users must follow. It also provides a framework and operational context for relevant authorities, such as His Majesty’s Inspectorate of Constabulary and Fire & Rescue Services, to monitor how information within PNC and LEDS is created. The Code stipulates that children are entitled to specific protection regarding their personal data. Whilst the Code has legal application in England and Wales all joint controllers for LEDS have signed their agreement to comply.
Ethical Policing	The Code of Practice on Ethical Policing for applies to the police forces maintained for the police areas of England and Wales. This sets and defines the exemplary standards of behaviour for everyone who works in policing. It is a supportive, positive, everyday decision-making framework and is a constant reinforcement of the values and standards that policing is proud of. It is intended to encourage personal responsibility and the exercise of professional judgement; empowering everyone in policing to ensure they always do the right thing. Police Service of Northern Ireland has its Code of Ethics 2008. The PSNI Code of Ethics was first issued in February 2003. A review of the Code was initiated in 2006 and following extensive consultation with the public, interested organisations, various statutory bodies, police associations and, importantly, police officers themselves. This second edition Code of Ethics was published in February 2008 Code of Ethics for Policing in Scotland sets out the standards of those who contribute to policing in Scotland. This is not a discipline code. It is what we aspire to be. This code is a practical set of measures. It reflects the values of the Police Service of Scotland. This code sets out what the public can expect.
Equality Act 2010	The Equality Act 2010 protects people against discrimination, harassment, or victimisation in employment, and as users of private and public services based on 9 protected characteristics, one of which is age. All product/service teams will be completing an accessibility report as part of their assurance of the product and to show conformity with the Equality Act 2010 and section 75 of the Northern Ireland Act 1998. The Equality Impact Act 2010 does not apply in Northern Ireland. S75(1), and Schedule 9 of the Northern Ireland Act 1998 place a duty on public authorities to have due regard to the need to promote equality of opportunity between the 9 protected equality categories. In Scotland, the Equalities Act is enacted through The Equality Act 2010 (Specific Duties) (Scotland) Regulations 2012.
Equality Impact Assessment (EIA)	An over-arching EIA has been undertaken for LEDS. This demonstrates compliance with the Public Sector Equality Duty (PSED) which applies to all public bodies in England, Scotland and Wales. There is then some overlap between the programme EIA and CRIA as age will be considered within the EIA, under the PSED. The CRIA examines impact on children’s rights more widely. Mitigations identified by the EIA will be managed via the product teams. The current EIA is published on gov.uk. At the time of writing this is being updated.
The NPCC Diversity, Equality and Inclusion Strategy 2018-2025	The Diversity, Equality and Inclusion Co- ordination Committee own, develop and deliver this strategy on behalf of the NPCC. Forces use toolkits, developed in communities, organisations and partners. The NPCC will support each force in embedding the Strategy its organisation.
Government Digital Service (GDS) Standards guidelines and products	The Programme follows the Government Digital Service Standard to ensure that it creates and can operate a fit for purpose service. The Standard defines a set of 14 rules and principles to follow best practices when building a digital service for users. Each item on the standard represents steps towards creating a user-focused website or app that is secure and flexible enough to evolve over time.
Policing standard for the recording of protected characteristics	This document agreed by NPCC in May 2023 aims to provide policing with consistent values by which to record protected characteristics. The ambition is that the standard will be applied to both current record management and operational systems and future systems and will evolve as legislation, societal expectations and recording standards change.
LEDS Data Protection Impact Assessment (DPIA)	The Programme is developing an over- arching DPIA. It has worked with the Product Owners and wider teams to help identify and minimise the data protection risks at an overarching level. The processing, if not mitigated, could result in a substantial risk to individuals rights and freedoms. This includes some specified types of processing for specific groups such as children and other vulnerable individuals. The current DPIA is published on gov.uk. At the time of writing this is being updated.
LEDS Data Protection Impact Assessments for Services	Each LEDS Service (Person, Drivers, Vehicles, Property, etc.) has its own DPIA, and some (such as Missing Person and Data Quality) also have product/service-specific DPIAs that consider the risks associated with the processing in more detail. These are reviewed and update when required.
Police Race Action Plan	This is a Police action plan released by the College of Policing to address race disparities affecting Black people. It is attempting to increase community relations, changing a legacy of distrust in the police.
His Majesty’s Inspectorate of Constabulary and Fire and Rescue Services (HMICFRS).	HMICFRS carries out inspections of police forces. These can range from individual function areas through to critical national issues and themes across the police service. HMICFRS have taken an active role in advising on data management for PNC and LEDS.
Awareness E-Learning for PNC/LEDS Code of Practice	The programme has developed a comprehensive training programme to accompany the Code. All police users must undertake the training before they can access LEDS. There are 4 mandatory modules for users, which illustrate good practice in managing data and using data taken from PNC and LEDS and 3 specialist modules. This will include appropriate recording and use of data quality standards.

Appendix 2

Evidence base

Relevant information and evidence that has been gathered internally. This will be an ongoing process until this document is baselined.

• Product Managers and other LEDS design and delivery specialists: LEDS Product and Delivery Managers were consulted in collection and processing of data through PNC and LEDS.

• Subject specialists within policing: Experienced practitioners and managers who oversee the management of the PNC in police forces have detailed understanding of the data flows and were asked for their observations of where data processing might impact upon children. This included Scotland and Northern Ireland.

• Subject specialists within non-police organisations: Experienced practitioners who have detailed understanding of the data flows between different agencies.

• Data protection specialists working within the LEDS Programme: These were consulted as they have a perspective on how data processing might have specific implications for children’s rights.

Relevant information and evidence that has been gathered externally: Online sources of information such as:

• Implementation Handbook for the Convention on the Rights of the Child Fully Revised Third Edition, UNICEF 2007 accessed via the web November 2023

• Improving the wellbeing of children and young people in New Zealand – Guidance for carrying out a Child Impact Assessment- New Zealand Government July 2018 accessed via the web November 2023

• Standing Committee for Youth Justice - The International Treatment of Childhood Criminal Records, March 2016 accessed via the web November 2023

• The United Nations Convention on the Rights of the Child: How legislation underpins implementation in England. Further information for the Joint Committee on Human Rights - www.gov.uk March 2010 accessed via the web November 2023

• Child Rights Impact Assessment tool to realise children’s rights in the digital environment Digital Futures Foundation March 2021 -accessed via the web November 2023

• Data Protection Guidance - Processing Children’s Data. Home Office Data and Identity Directorate August 2023 accessed April 2024

• Children’s Rights Impact Assessment: the SCCYP Model -Scotland’s Commissioner for Children and Young People.

Appendix 3

List of stakeholders who attended Consultation event in August 2024

External Attendees:

• Susan Cooke - Head of Research and Evaluation NSPCC

• Oriana Delgado - Lead Data Collator, Statistics and Analysis, Youth Justice Board

• Marianne Lagrue - Policy Manager, Coram Children’s Legal Centre

• Leigh Middleton - Chief Executive Officer, National Youth Agency

• Sarah Taylor - Deputy Director of Research Children’s Commissioner’s Office

• Kayleigh Wainwright - Director of Youth Sector, Innovation UK Youth

Law Enforcement Data Service Programme

• Deputy Chief Constable Nav Malik National Police Chiefs’ Council Lead for PNC and LEDS

• Biju Premnath - LEDS Data & Common Services Product Owner

• Andy Gilks - Data Protection Adviser to DCC Malik

• Mark Jones - Data Protection Advisor to DCC Malik

• Karen Progl - PNC/LEDS Retention Policy Manager

• Mark Gilmartin - Senior Responsible Owner for LEDS and PND

• Emma Packenham - LEDS Programme Director

• Jared Quesne - Person Product Manager LEDS

• Komal Sood - Head of Policy & Compliance LEDS

• Breda Leyne - Policy & Compliance LEDS

• Koleena Stewart - Policy & Compliance LEDS

Appendix 4

Youth Consultation Survey Questions

Questions

1. Have you ever been in contact with the police or law enforcement?

Yes (if so, how?) No

2. Do you know what type of personal data might be collected about you, if you come into contact with the police and law enforcement?

Yes No

If Yes what data is collected?

3. Are you aware that policing data can be viewed by other agencies who have access to a police and law enforcement national system i.e. Borders and Immigration?

Yes No

4. Do you know how long your personal data might be held for on a police and law enforcement national system?

Yes No

If yes how long is your data held on a police or law enforcement system?

5. Do you understand what data rights you may have under data protection law?

Yes No

If yes, can you explain what these rights are?

6. Do you know where to get information and advice about your data rights in respect of policing and law enforcement data?

Yes No

If yes, please explain

NB the survey also asked questions on demographics – name, age, sex, ethnicity, disability, school, or employment

Appendix 5

Final report consultation with Young People March 2025.

1. The Joint Controllers are the chief officers of the forces of England and Wales, Police Service of Scotland, Police Service of Northern Ireland, British Transport Police, Civil Nuclear Constabulary, Ministry of Defence Police and the National Crime Agency. ↩

2. 2 See The Age-Crime Curve - Pinkerton accessed online 08/03/24. ↩

3. Prevention and identification of children and young adults experiencing, or at risk of, modern slavery in the UK Project report 2024 ↩

4. The Report of the Independent Inquiry into Child Sexual Abuse. Presented to Parliament pursuant to section 26 of the Inquiries Act 2005 Ordered by the House of Commons to be printed 20 October 2022 ↩