Trigger: AI may access or process data involving children or minors.

Minors and Child-Sensitive AI Passport

AI near minors' data
needs the strongest safeguards.

Stricter evidence boundaries, raw-export visibility, and mandatory human-review conditions for AI tools used around children and youth.

Children's data boundaryHuman oversight requiredNo child-safety certification claimedSafeguarding lead workflow
Atlas Tutor AI (Under-13)Human Review Required
Parental consentGDPR Art. 8 — confirmed
Under-13 data scopeSEND data excluded
Human teacher gateActive — no auto-grade
Raw exportraw_export: off
PrivacyHuman OversightFairness

Context Visa — Conditions

Parental consent required for under-13
Safeguarding staff review before welfare action
No automated assessment output

Sensitive context

Why minors' data is the highest-sensitivity AI context.

Children and young people cannot meaningfully consent to AI processing in the way adults can. Data categories involving minors — from educational progress to welfare flags to biometric data — carry additional legal obligations, heightened ethical scrutiny, and real developmental harm potential when AI behaves poorly.

Data categories in scope

Student learning progress and assessment data
Wellbeing and welfare flags
SEND / special educational needs data
Under-13 personal data (GDPR Art. 8)
Family and carer information

People affected

Children under 13Adolescent studentsYoung people in welfare servicesStudents with special educational needsChildren in care

Risk scenarios

What typically goes wrong.

Specific failure modes seen in this sensitive context — without structured evidence.

An AI tutor is deployed for under-13 children without parental consent evidence.

GDPR Art. 8 requires parental consent for under-13 processing. No evidence exists. DPO cannot confirm legal basis. System runs without structured approval.

A student welfare flag AI has no human review before action is taken.

AI welfare flags acted on without trained staff verification. Safeguarding failures possible. No evidence of human oversight gate in Passport.

An EdTech vendor claims 'GDPR compliant and child-safe' — no structured evidence provided.

No Passport. No data category mapping. No age-appropriate design evidence. Procurement approves on vendor claim alone.

An AI writing tool for students stores conversation history with no retention policy.

Student creative writing retained indefinitely. No DPIA. No data minimisation evidence. No subject access provision.

A school deploys a classroom AI assistant without a DPIA for the processing of SEND data.

SEND data is Art. 9 special category data. No DPIA = potential GDPR infringement. ICO investigation risk.

Scope

What needs a Passport.

AI tutors and personalised learning assistants
Student welfare and safeguarding AI tools
Classroom AI assistants and chatbots
Assessment and adaptive testing AI
RAG systems over safeguarding or SEND documents
Student support and mental health AI apps
Family and parent-facing AI communication tools

Stakeholder workflow

From trigger to access decision.

1

Trigger

AI system in scope

2

Evidence Request

Passport initiated

3

Review

DPO · CISO · Specialist

4

Decision

Access condition set

5

Monitor

Tide sweeps · Renewal

Safeguarding Lead

An AI tool is being deployed that may process student welfare or SEND data.

Require Passport with human oversight gate documented. Review before any welfare AI accesses student data.

DPO

Under-13 children's data will be processed by an AI vendor.

Confirm GDPR Art. 8 legal basis, parental consent mechanism, and DPIA status. Block clearance until confirmed.

Education Lead / Head Teacher

An AI classroom assistant is being trialled without formal review.

Require Passport before staff or students use the tool. Involve DPO and safeguarding lead.

Access decisions

Context Visa conditions.

The access decisions that apply in this sensitive context — and the evidence conditions that produce them.

Human Review Required
  • Any output affecting a child requires verified human review
  • Welfare flags reviewed by trained safeguarding staff before action
  • Parental consent evidence required for under-13 processing
Review Needed
  • DPIA incomplete or not accepted
  • Age-appropriate design evidence missing
  • Parental consent mechanism unclear
  • Safeguarding lead has not reviewed
Cleared with Limits
  • Anonymised or pseudonymised data only
  • No under-13 personal data without parental consent
  • Human oversight gate active
  • Annual review by safeguarding lead
Blocked
  • Under-13 personal data processed without consent evidence
  • No data boundary — raw child data leaving perimeter
  • No human review gate for welfare or disciplinary outputs

Measurement

Evidence families we can structure.

The measurable evidence categories relevant to this context and the evidence signals they produce.

Privacy & Children's Data Obligations

GDPR Art. 8 consent status, age verification evidence, data categories, and legal basis for processing children's data.

Data Minimisation

Evidence that only necessary data is processed — no retention beyond purpose, no superfluous data categories.

Human Oversight

Configuration evidence showing human staff review is required before AI outputs affect children's welfare, education, or opportunities.

Document & RAG Boundary

Evidence that safeguarding, SEND, or private student documents are not exposed beyond authorised retrieval scope.

Vendor Claims Verification

Structured evidence against vendor compliance claims — age-appropriate design, COPPA status, training-data policy, and subprocessors.

Fairness (where outcomes exist)

Where AI influences student outcomes (grades, recommendations), evidence of subgroup performance and demographic parity.

PrivacyFairnessRAG GroundingHuman Oversight

Honest scope

What remains not assessable.

AffectLog does not overclaim. These items require external expertise, regulatory process, or long-term study.

Child safety certification or pedagogical safety

Child safety certifications are issued by specialist organisations following dedicated review processes — not AI evidence platforms.

Instead: Engage specialist child safety review bodies such as CEOP, national safeguarding authorities, or recognised age-appropriate design auditors.

Whether an AI tool is developmentally appropriate

Developmental appropriateness requires child development expertise and pedagogical evaluation — outside AffectLog scope.

Instead: Commission a pedagogical evaluation with child development specialists before deployment in learning contexts.

Long-term developmental impact of AI use on children

Developmental impact over time requires longitudinal study with appropriate ethical oversight.

Instead: Reference emerging research literature and engage educational psychologists for context-specific guidance.

Example

Sample Passport for this context.

AI Evidence PassportCleared with Limits

Atlas Tutor AI (Under-13 Mode)

Personalised learning assistant · Primary Education

Evidence68%
Expiry31 Jul 2026
Raw data exportoff
ALP-2026-MIN-A7Q1

Access conditions

Under-13 use requires parental consent — DPO confirmed
No raw student data leaves school perimeter
No AI output affects assessment without teacher review
DPIA completed and accepted by DPO
SEND data excluded from AI processing scope
Annual safeguarding review required before renewal

What we will not overclaim

AffectLog does not claim child-safety certification or guarantee child-appropriate outcomes. We show data boundaries, human oversight requirements, consent evidence status, and what evidence is missing — so decision-makers have a clear picture rather than a vendor claim.

Common questions

Questions this context raises.

Our EdTech vendor has COPPA and GDPR certification.

Certifications indicate policy commitments. AffectLog shows the technical evidence: which children's data is processed, whether raw data leaves your perimeter, what the parental consent mechanism actually is, and which subprocessors see the data.

We have been using this AI learning tool for a year without issues.

The absence of a visible incident is not the same as evidence of safe operation. A Passport makes the evidence explicit — or makes the gaps visible before they become incidents.

Get started

Protect every child's data
before the AI system goes live.

Map which AI tools in your school or youth service access or process children's data, identify which evidence is missing, and establish human oversight conditions before any system reaches minors.

AffectLog provides technical and operational evidence. Not child-safety certification, regulatory approval, or legal advice.