The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

This code came into force on 2 September 2020, with a 12-month transition period. Organisations should conform by 2 September 2021.

This template is an example of how you can record your DPIA process and outcome for an online service likely to be accessed by children. It is adapted from our general DPIA template, and follows the process set out in our DPIA guidance and the age appropriate design code. It should be read alongside the code and DPIA guidance, and the Criteria for an acceptable DPIA set out in European guidelines.

You should start to fill out the template early in the design of your online service, or early in your development process if you are making a significant change to an existing online service likely to be accessed by children. The final outcomes should be integrated back into the design of your service.

Name of controller  
Subject/title of DPIA   
Name of controller contact/DPO
Explain broadly the nature of your online service, and the current stage of design or development. You may find it helpful to refer or link to other documents. Summarise when and how you identified the need for a DPIA.

Describe the nature of the processing: how will you collect, use, store and delete data? What are the sources of the data? Will you be sharing data with anyone? You might find it useful to refer to a flow diagram or other way of describing data flows. What types of processing identified as likely high risk are involved? Does your service involve any profiling, automated decision-making, or geolocation elements? What are your plans (if any) for age-assurance? What are your plans (if any) for parental controls? 

Describe the scope of the processing: what is the nature of the data, and does it include special category or criminal offence data? How much data will you be collecting and using? How often? How long will you keep it? How many individuals are affected? What geographical area does it cover?

Describe the context of the processing: what is the nature of your service? Are you designing it for children? If not, are children under 18 likely to access it anyway? What is the likely age range of your users? How much control will they have? Would they understand and expect you to use their data in this way? Does your service use any nudge techniques? Are there prior concerns over similar services or particular security flaws? Is your service novel in any way? What is the current state of technology in this area? Are there any current issues of public concern that you should factor in, particularly over online risks to children? Are there any relevant industry standards, codes of practice or public guidance in this area? What responsibilities do you have under the applicable equality legislation for England, Scotland, Wales and Northern Ireland? Is there any relevant guidance or research on the development needs, wellbeing or capacity of children in the relevant age range? Are you signed up to any approved code of conduct or certification scheme (once any have been approved)?

Describe the purposes of the processing: what do you want to achieve with your service? What is the intended effect on individuals? What are the benefits of the processing – for you, and more broadly? What are the specific intended benefits for children?

Consider how to consult with relevant stakeholders: describe when and how you will seek individuals’ views – and specifically how you will seek the views of children and parents – or justify why it’s not possible to do so. Who else do you need to involve within your organisation? Do you need to ask your processors to assist? Do you plan to consult experts in children’s rights and developmental needs? If not, why not? Do you plan to consult any other experts?

Describe compliance and proportionality measures, in particular: what is your lawful basis for processing? Does the processing actually achieve your purpose? Is there another way to achieve the same outcome? How will you prevent function creep? How will you ensure data quality and data minimisation? If you use AI, how will you avoid bias and explain its use? What information will you give individuals? How will you help to support their rights? What measures do you take to ensure processors comply? How do you safeguard any international transfers?

Describe how you comply with the age-appropriate design code: what specific measures have you taken to meet each of the standards in the code?

1. Best interests of the child:

2. Data protection impact assessments:

3. Age appropriate application:

4. Transparency:

5. Detrimental use of data:

6. Policies and community standards:

7. Default settings:

8. Data minimisation:

9. Data sharing:

10. Geolocation:

11. Parental controls:

12. Profiling:

13. Nudge techniques:

14. Connected toys and devices:

15. Online tools:

| Describe source of risk and nature of potential impact on individuals. Include as a minimum an assessment of particular risks to children as listed in the DPIA standard in the age appropriate design code. You may need to consider separately for different age groups. | Likelihood of harm | Severity of harm | Overall risk |
|---|---|---|---|
| | Remote, possible or probable | Minimal, significant or severe | Low, medium or high |

Identify additional measures you could take to reduce or eliminate risks identified as medium or high risk in step 5

| Options to reduce or eliminate risk | Effect on risk | Residual risk | Measure approved |
|---|---|---|---|
| | Eliminated, reduced or accepted | | |




| Item | Name/position/date | Notes |
|---|---|---|
| Measures approved by: | | Integrate actions back into project plan, with date and responsibility for completion |
| Residual risks approved by: | | If accepting any residual high risk, consult the ICO before going ahead |
| DPO advice provided: | | DPO should advise on compliance, step 6 measures and whether processing can proceed |
| Summary of DPO advice: | | |
| DPO advice accepted or overruled by: | | If overruled, you must explain your reasons |
| Consultation responses reviewed by: | | If your decision departs from individuals’ views, you must explain your reasons |
| This DPIA will be kept under review by: | | The DPO should also review ongoing compliance with DPIA |