The ICO’s Age Appropriate Design Code: DPIAs and Governance

Written by John Falzone, VP Privacy Certified
March 10, 2019

This post discusses Standards 15 and 16 of the draft Age Appropriate Design: A Code of Practice for Online Services, published by the UK’s Information Commissioner’s Office (ICO).

Standard 15 of the Code would require a data protection impact assessment (DPIA) for each online service likely to be accessed by children. The DPIA—a template for which is attached to the Code at Annex C—would be required before the online service launches and would be used to influence the design of the online service. In addition, a DPIA would be required prior to any significant changes to an existing online service.

The Code states that providers should “seek and document the views of children and parents, and take them into account in the design of the online service.”  Providers would be expected “to do some form of consultation in most cases.” In addition, the ICO suggests seeking independent advice from experts in children’s rights and developmental needs.

Standard 16 would require providers to maintain policies and procedures to demonstrate compliance with the Code, including training for all staff involved in the design and development of online services likely to be accessed by children.