Written evidence submitted by the Age Check Certification Services Limited

Julian Knight MP

Chair

DCMS Select Committee

House of Commons

London

SW1A 0AA

22nd June 2022

Dear Mr. Knight,

Connected tech: smart or sinister? Call for evidence.

Thank you for the opportunity to contribute evidence to your Committee’s inquiry.

Age Check Certification Services Ltd operates the Internet of Toys Certification Scheme for connected toys – these are everything from dolls, cuddly toys, games and robots that see, hear and speak and share this data online with various platforms, often allowing for interaction with other users. This certification scheme was created with the support of grant funding from DCMS. It is now available and awaiting the enactment of laws requiring conformity with the standards on which it was built. The scheme is hosted online here: https://iotoys.org.uk/

Graphical user interface, application

Description automatically generated

We are a company based in Stockport and are funded as a social enterprise, including, since 2019, by the Northern Powerhouse Investment Fund, to grow a worldwide certification team, levelling up the UK economy by bringing High-Tech jobs and growth to the North of England.

We test that identity and age check systems work.

As an independent, UKAS accredited conformity assessment body, our role is to put the various types of age assurance systems and processes through standards-based assessment and provide certificates of conformity to those standards.

When we established the Age Check Certification Scheme in 2018, as a fully accredited certification scheme, through ISO 17065:2012 – the international standard for conformity assessment. Importantly, we also immediately recognised the importance of data privacy and security and the critical importance that our certification covered data protection. We were delighted to become the first ever scheme to have our criteria approved by the ICO in accordance with their tasks and powers under Articles 57(1)(n) and 58(3)(f) pursuant to Article 42(5) of the UK General Data Protection Regulation. Not only were we the first in the UK to achieve this, we’re also the first across the equivalent powers contained in EU GDPR.

When DCMS sought proposals to create certification schemes for connected devices, we saw the need for an integrated approach, combining the new European standard for those devices with the UK’s own child data protection regime, and were awarded a modest grant to create the Internet of Toys Certification Scheme.

It was a little ahead of its time. It quickly became clear that suppliers would not voluntarily incur the expense of certification until it was legally required – but the scheme stands ready for that day.

What has been or will be the most important impacts of increasingly prevalent smart and connected technology in our lives, including in the home, in the workplace and in our towns and cities, and are they necessarily better than current systems?

From a risk perspective, smart and connected technology will dramatically increase the scale of personal data created, shared, stored and exploited. When toys are involved, this inevitably going to include children’s data, for which specific legislative and regulatory protections have been created. The scope for harm to children from the advent of these devices placed in their hands is enormous. For example, they can allow children to communicate with strangers, by text, voice or video. They can enable surveillance. They can be hijacked to instruct children to do certain things, perhaps with the request coming from what the child sees as a cuddly friend. In fact, the more you consider the potential for harm, the more horrified any parent would become.

How can we incentivise or encourage design that is safe, secure, environmentally- and user-friendly and human rights compliant?

We developed the Internet of Toys Assurance Scheme for connected toys likely to be used by children aged under 18, and, critically, the associated online services that facilitate them.

It is operated as a Conformity Assessment Scheme accredited by the United Kingdom Accreditation Service (UKAS).

A picture containing diagram

Description automatically generated Uniquely, the Scheme combines the requirements of the latest European standard, ETSI EN 303 645 and the UK Code of Practice for the Internet of Things with the Age Appropriate Design Code (“AADC”) and GDPR Certification.

Integrating assurance against both codes ensures that connected devices likely to be used by children are secure, with particular emphasis on protecting the data rights of children and reducing the associated risk of online harms. Once the latest legislation is in force, this will be reflected in the scheme rules.

If necessary, the Scheme will further evolve to incorporate the demands of the forthcoming UK Online Harms Bill. In the development of our assurance scheme, we aligned the Scheme with broader UK conformity assessment of toys. This was to ensure a ‘one-stop shop’ assurance scheme for compliance with relevant legislation for connected toys, and potentially allow for use of “UKCA”, the successor to the CE mark in 2023, indicating that a device is comprehensively compliant.

We also created a self-certification option for lower risk connected toys, to ensure that price was not a prohibitive factor.

What are the key short- and long-term risks and threats, and how can we ensure the devices, systems and networks of individuals, businesses and organisations are digitally-literate and cyber secure?

Give the scale of the task, only a co-regulation approach, advocated by the UK government’s Better Regulation Taskforce, can be effective.

This encourages the private sector to develop standards, and then to undertake audits and achieve certification against those standards which is, in turn, recognised by the regulator and the courts as effective due diligence by the manufacturers and distributors involved, mitigating penalties in case of transgressions.

This approach allows a regulator to focus limited resources on companies that do not engage with that process, and are therefore less likely to be compliant and are higher risk.

How will current geopolitical concerns influence domestic consumers, e.g. regarding standards of imported goods or in how we can deal with cyber threats?

We worked closely with toy manufacturers and their representatives as we developed the certification scheme, and they were clear that they wished to avoid a need to certify their toys twice – once for the EU and again for the UK. We designed the scheme to address both needs.

They also voiced concerns that any new regulations would be followed by reputable suppliers, but ignored by those who sell through online markets and import directly to the consumer. Our scheme could be made a requirement by such online markets for any of their retailers that sell connected toys, with automated checks possible against the registry of certified suppliers.

I trust that this forms useful evidence for your inquiry. We have substantial additional materials, knowledge and insight into this issue, which we would be very happy to share with the Committee.

Please do get in touch if you require any further information or clarification of the contents of our response.

Yours sincerely,

Tony Allen

Chief Executive

Age Check Certification Scheme Limited t/a

Internet of Toys Certification Scheme