Question to the Department for Science, Innovation & Technology:

To ask the Secretary of State for Science, Innovation and Technology, what steps her Department is taking to ensure that companies implementing (a) age-verification and (b) safety requirements use (i) secure and (ii) adequately regulated third-party vendors for data processing.

The Online Safety Act requires providers to give particular regard to the protection of users’ privacy rights when complying with their new safety duties, including when using age assurance measures. The Information Commissioner’s Office (ICO) has a range of criminal and civil enforcement tools at its disposal, including prosecution and substantial monetary penalties for serious breaches of data protection legislation.

Third party vendors must have appropriate technical and security measures in place to protect personal data. Where Ofcom has concerns that providers have not complied with their obligations under data protection law, it may refer the matter to the ICO.