Step 2: Describe the processing
Describe the nature of the processing: how will you collect, use, store and delete data? What are the sources of the data? Will you be sharing data with anyone? You might find it useful to refer to a flow diagram or other way of describing data flows. What types of processing identified as likely high risk are involved? Does your service involve any profiling, automated decision-making, or geolocation elements? What are your plans (if any) for age-assurance? What are your plans (if any) for parental controls?
How we collect data and sources of data
Helpful hint: You may find it helpful to consult your privacy notice or Record of Processing Activities (ROPA) which may contain some of the information required for this section. You might also find it helpful to see the ICO’s guidance on ROPAs.
For completeness, we have summarised below all personal data collection and usage (ie for both children and adults). However, the personal data we process relating to children specifically is generally:
- photographs and videos taken by child users;
- game playing telemetry (see below for more information);
- IP address for the tablet;
- child’s date of birth;
- browsing history and tablet identifiers; and
- a Google account, which parents need to create if Google Play is used. This involves creating a user name, and providing first and last name, birthday (for age verification), gender, and phone number.
Guidance: Data minimisation helps you protect your users by collecting only the minimum amount of personal data you need to provide your services. See Standard 8 of the Code – Data minimisation for help in how to meet this standard and give children choices over which elements of their data they wish to activate.
We collect personal data in the following ways:
- Direct interactions with users. For example, when:
- purchases are made of apps or content through our website or online app store;
- parents register and create profiles for their children;
- parents create a parental control dashboard;
- customers contact us with a question or issue;
- parents sign up for marketing emails;
- we carry out market research with customers.
- Users interacting with our apps and tablet. For example, when:
- age ranges are selected and content accessed and games played;
- through platform analytics tools;
- through game-play data.
- From third parties, ie from our third party analytics service provider (see details below).
How we use data
- For sales of apps, content etc through our proprietary app store, and to provide our services including sending service emails.
- For financial administration and invoicing.
- To provide customer accounts to enable the use of our services.
- To manage our relationship with customers (eg responding to questions, complaints, asking users to take a survey).
- To monitor children’s use of the tablet and apps and to produce reports for parents to give parents visibility over their children’s use.
- To send e-newsletters to customers (parents only) who have opted in to receive.
- To administer and protect our business and website and platform (eg system maintenance and support, fixing problems, hosting of data).
- To deliver website and platform content.
- To carry out data analytics to improve our website and platform, products, customer experience on our website and platform.
- To carry out market research.
- To verify user identity and provide a secure platform.
- To comply with regulatory or legal obligations.
Our main use of personal data is to process and fulfil orders made on the website or app store, provide the apps, and deal with customer enquiries. In addition, we carry out limited marketing activity by an e-newsletter which parents (not children) may sign up for. All our e-newsletters have an unsubscribe link and we action all opt-outs. We do not carry out any behavioural or targeted advertising.
We also carry out platform analytics and technical monitoring of children’s use of the tablet. We collect and analyse user-generated game-play data for game development and research. The data we collect includes user interactions with games, location within the game and physical movements, in-game purchases, and player interaction with other users. We use this data to provide the appropriate game level and challenges for children of different ages and to develop new features and services. Where we collect analytics data through cookies or similar technologies, this is subject to obtaining the prior consent of parents by a pop-up when they carry out the initial product set-up.
We process children’s game playing and tablet use telemetry data for use with the parental dashboard that monitors children’s tablet use. The data used to inform the parental dashboards and controls is processed on the device, and not shared with the company.
Cookies
Helpful hint: You might find it helpful to consult your cookies policy or the cookies section of your privacy policy to assist you in completing information about cookies. See our guidance on cookies. Attach a copy of your cookies policy with the DPIA.
Our website and apps use cookies if enabled through the parental control settings.
We have put in place a cookie consent tool which explains the cookies used and requests consent to these. We also have a cookie policy which explains in more detail the types of cookies used and the purposes for which they are used. The consent tool is available at the point of website entry and when configuring the tablet and downloading apps. It collects consent from adult, not child, users.
We use essential (strictly necessary) cookies, which are not subject to the consent requirement. Within apps these are first-party cookies set by the individual app, and access to them is restricted to the corresponding app only.
The website uses essential cookies or similar technologies for:
- account authentication;
- tracking user input for functions of the service (eg shopping cart);
- security and fraud prevention;
- load balancing; and
- storing the user’s preferences for the cookie consent tool.
Analytics cookies (as described above) are not essential cookies and are only set once parental consent has been given through the consent tool.
We use third party cookies, subject to consent being given, for the following purposes:
- distinguishing between humans and bots;
- identifying tablet and app used to access YouTube Kids and Google App Store. This includes IP address, unique application numbers, unique identifiers for language and other settings;
- registering unique IDs to track returning tablets;
- tracking what YouTube Kids videos have been watched to inform content recommendations; and
- storing video player preferences for YouTube Kids videos.
We do not use the geolocation data gathered by third-party cookies. However, for some products, we select some YouTube Kids videos and embed the links into apps available on the toy. Activation of YouTube Kids requires parental consent and parents may add more YouTube Kids videos through the parental control features. Children are not able to independently upload YouTube videos.
When a user clicks on an external link (eg YouTube Kids), a pop-up warns that they are leaving our service. It states: “Your personal data will be processed by the third-party site according to their own privacy policies.” A link to the appropriate third-party privacy notice is included in the pop-up.
Parents are able to use the controls to enable cookies for all websites accessed on the browser (this is available on an all-websites basis only, not on a per-website basis). Parents must enter a passcode to access the mode which enables them to manage cookies.
For information: Article 26 of the UK GDPR states: “Where two or more controllers jointly determine the purposes and means of processing, they shall be joint controllers. They shall in a transparent manner determine their responsibilities for compliance with the obligations under this Regulation.”
This sample DPIA does not go into detail on the measures The Toy Company should take to determine the purposes and means of processing with any joint controllers, for example social media sites and data analytics providers. If you are using third party services that are likely to process personal data, you should talk with them about whether the processing relationship is joint controllership or a controller–processor relationship.
In this sample DPIA, for apps that are pre-installed on the tablet, joint controllership would likely depend on whether the user has a choice around using that app or not. With Google Play and YouTube Kids and the bundled services, the processing is defined partly by the manufacturer choosing that model for the core functioning of the tablet. They have also enabled the processing of personal data by Google.
It is recommended that information society services (ISS) consult with their Data Protection Officer and any joint controllers for details of how to explain joint controller processing in their DPIA.
Storage and deletion
We are based in the UK and customer data is stored in the UK. The website which supports the tablet makes use of Amazon Web Services and is hosted in the USA (see International Transfers section below on how EU SCCs are used). We have a retention schedule which specifies storage periods for the various processing activities and data categories listed in this DPIA. These reflect relevant legal requirements and limitation periods applicable to contractual claims. Once retention periods have expired, we securely delete data and keep a log of deletions.
Helpful hint: See our guidance on storage limitation and data retention. Attach a copy of your records management policies with the DPIA.
Data sharing
Guidance: Data sharing usually means disclosing personal data to third parties outside your organisation, or to different parts of the same organisation. This DPIA outlines how children’s and parents’ data may be shared within the Toy Company and with external third parties. Standard 9 of the code – Data sharing advises:
“Do not disclose children’s data unless you can demonstrate a compelling reason to do so, taking account of the best interests of the child.”
When parents set up an account, they are informed about how data is shared within the wider company group through the privacy notice.
We use a third party payment services provider to provide the payment function for parents on the website and our app store. This payment services provider acts as a separate data controller and we do not store payment card data. We make clear in our privacy policy that the payment service provider operates subject to its own privacy policy and we tell users to refer to this for details of its processing. We provide a link to the provider’s privacy notice.
Helpful hint: You should attach details of the due diligence you carry out when appointing your payment service provider with the DPIA. See our guidance on processor due diligence checks.
We use a hosting provider to host our website. The provider acts as our processor and we have entered into Article 28(3) terms with them.
We use a fraud prevention service which provides us with risk scores to help us avoid fraudulent transactions. This service is provided by a third party which acts as an independent controller. To make use of this service, we transfer certain personal data to the provider (ie names, phone number, billing and delivery addresses, email address, IP address of parents). This processing is explained in our privacy policy with a link to the provider’s own policy.
We use a third party analytics provider on our website and platform. This is so that we can check the quality and effectiveness of our service and ensure it meets the needs of the user. Our analytics provider collects data related to the user’s tablet or browser, a portion of IP address, and on-site activities to measure and report statistics about user interactions on our website and platform. It uses cookies to measure user interactions with our website and platform, and IP addresses to provide and protect the security of the service. The provider processes this information on our behalf and uses it to prepare reports for us about how our visitors engage with our website. These reports don't identify the users - they are aggregated information about all our users.
We may share users data with regulatory or law enforcement agencies to meet our legal or regulatory obligations.
Our analytics provider doesn't use any of this information for their own purposes - they act as our processor and only operate on our instruction. This processing is carried out in the EU.
Our cookies policy provides more information about our use of cookies for analytics purposes. Users can opt in using our cookie control (see the Cookies section above), and can change their mind at any time.
For information: Some data analytics providers may function as processors and fall within scope of Article 28(3) of the UK GDPR. However, some analytics providers will be joint controllers as a result of the way in which personal data is processed. Where this is the case, the service provider should enter Article 26 terms with them as joint controllers. It is for the service provider to determine the nature of the relationship between it and analytics provider.
Helpful hint: Indicate in your DPIA which third parties are also independent controllers. Insert a link to their privacy notices signposting readers to relevant further information.
We use a third-party call centre to provide our customer helpline (for UK and Rep of Ireland users, the call centre is based in the UK). We also use a direct marketing agency and email services agency (both UK based) that send out emails on our behalf and manage our CRM. All three act as processors and we have entered into Article 28(3) terms with them.
We also share data with our auditors and other professional advisors that act as independent controllers.
Profiling
We collect and analyse user-generated game-play data for game development and research.
Data we collect includes user interactions with games, location within the game and physical movements, in-game purchases, and player interaction with other users. We use this data to adjust the overall difficulty of the game to provide the appropriate game level and challenges for children of different ages, and to develop new features and services.
Guidance: Profiling is defined under Article 4 UK GDPR as: “any form of automated processing of personal data consisting of the use of personal data to evaluate certain aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements”.
The Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679 state:
“Broadly speaking, profiling means gathering information about an individual (or group of individuals) and evaluating their characteristics or behaviour patterns in order to place them into a certain category or group, in particular to analyse and/or make predictions about, for example, their:
- ability to perform a task;
- interests; or
- likely behaviour.”
See Standard 12 of the code – Profiling for guidance on what you should do if you include profiling of children as part of your service:
“Switch options which use profiling ‘off’ by default (unless you can demonstrate a compelling reason for profiling to be on by default, taking account of the best interests of the child). Only allow profiling if you have appropriate measures in place to protect the child from any harmful effects (in particular, being fed content that is detrimental to their health or wellbeing).”
Guidance: For the purposes of the Children’s Code, Standard 11 refers to how you make it clear to the child if parental controls are in place and if they are being tracked or monitored:
“If you provide parental controls, give the child age appropriate information about this. If your online service allows a parent or carer to monitor their child’s online activity or track their location, provide an obvious sign to the child when they are being monitored.”
We recognise that profiling is taking place when game-play data is collected from a child and an automated decision is made about which level should be served to the child based upon this game-play analysis. Where this type of profiling occurs, the profiling relates to the child’s ability to perform a task. In this case and when the game does not relate to improving the educational development of the child, profiling is switched off-by-default. Parents receive a message during account setup explaining the use of profiling for game-play analysis and are given the option to turn profiling on for this use only.
Where the purpose is to increase the knowledge of the child, the game requires this profiling in order to both place the child at the right level and to ensure the child continues in their educational journey. This type of profiling is core to the purposes of the educational game, so profiling is not turned off by default in these circumstances.
We do not profile users for marketing purposes.
Parental controls
The tablet features a number of parental controls. There is a parent’s dashboard that allows parents to set controls on their children’s use of the system and monitor use. The dashboard allows parents to:
- monitor which games, videos, music and books children are downloading;
- manage app settings, add or remove apps, and set restrictions on children’s access to the play store;
- set time usage limits;
- control content and access to the web browser; and
- manage tablet settings.
Key use statistics are collected with weekly and monthly reports available to show parents how the tablet is being used, and the time spent on the tablet against the different apps.
When parents create their parental control dashboard, they are required to tick a box showing that they have read a message concerning children’s rights to privacy under the UNCRC, UK GDPR and DPA. A downloadable resource is also available to help parents explain the service to their child and discuss privacy with them.
The system allows children to actively see when parental controls are in place. Age-appropriate messages are delivered to the child through a pop-up window to let the child know when parental time control limits have been activated or limits reached. A pop-up is shown which reads "Parent time controls are active," or “Sorry, you can't play just now. You have reached your parental time control limit.” Further messages are displayed when parental controls are used to restrict access to apps, with a pop up showing “Sorry, you can’t play just now. Parent app controls are active.” Similar reminder messages are shown when the tablet is switched on if controls are active, along with a link to more detailed information. All pop-up messages are displayed in writing and using audio messages.
Where the initial product set up identifies that the child is aged 10 plus, a short film is launched as a pop-up when they first engage the service. A text download is also available for the child to use independently. These explain the service and discuss privacy rights.
Non-essential cookies are disabled on the tablet. Parents are able to use the controls to enable cookies for all websites accessed on the browser (this is available on an all-websites basis only, not on a per-website basis). Parents must enter a passcode to access the mode which enables them to manage cookies.
Privacy settings are set at high-by-default, within the apps themselves, for curated content available on the tablet, and on the browser which children may use to access websites. If a parent makes any changes to the settings, the settings revert to high-by-default at the next use unless the parents confirm that they want the settings to remain at lower privacy settings. An age-appropriate explanation of the parental control features is provided when the child first uses the system, or when they turn 10. This encourages discussion with parents about a child’s right to be informed and contributes to decisions on their online privacy.
Guidance: Privacy settings are a practical way for you to offer children a choice over how their personal data is used and protected. For advice on how to set privacy settings as high-by-default, see Standard 7 of the code – Default settings.
Age assurance
All apps available on our website and app store and all content on our website are designed for children aged 12 and under. As the toy is designed for children’s use only, all users receive basic protections in how their personal data is used by default.
The system follows the principles outlined in the ICO’s Age appropriate design code:
- Provide high privacy settings for child users by default.
- Geolocation and profiling should be off-by-default.
- Don’t serve children content deemed detrimental to their health and wellbeing.
Parents are required to set up and configure the tablet as explained in the section above, including inputting the age of the children using the tablet. Parents are also required to provide their own name and email address. Children are unable to change the age information or privacy settings once set by their parents. Children are only able to access app download content appropriate for their age.
Information collected during the set up for age assurance is not used for targeting advertising at children. We may, however, use age information to ensure that content in our e-newsletters for parents are appropriate for their children’s age. This includes contextual advertising for other toys we may offer. E-newsletters are not sent to children, and are only sent to parents if they have given their consent.
Parents confirm the age of their children at account set-up and provide a child username and password. As the content available to children is appropriate for their age, we are confident in the age assurance measures we use and do not seek additional age information.
Security measures
Helpful hint: You might find it helpful to consult your information or data security policy to assist you in providing information about security measures. You can see more information in our guidance on security.
We use the following security measures on our website and apps:
- We undertake an analysis of the risks presented by our processing, and use this to assess the appropriate level of security we need to put in place.
- We keep our software up-to-date.
- We require users who create an account to use a strong password with numbers, capital letters and other characters, and which must be at least 10 characters long.
- We use encryption or pseudonymisation or both where it is appropriate to do so.
- We use TLS (HTTPS) to protect our login pages.
- We use a Captcha function on our “contact us” page.
- We use a market-leading, reputable web hosting company.
- We ensure that any data processor we use also implements appropriate technical and organisational measures.
- We have a policy of regularly deleting any files, databases, or applications from our website that are no longer in use.
- We regularly back up all data.
- We run regular web security scans to check for website and server vulnerabilities.
- We use a fraud prevention service for purchases made on our website and app store.
- We conduct regular testing and reviews of our measures to ensure they remain effective, and act on the results if they highlight areas for improvement.
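The account password rule listed above (at least 10 characters, with numbers, capital letters and other characters) is the kind of control that should be enforced on the server rather than only in the sign-up form. The following is an added example written for this page, not code from The Toy Company or the ICO template; it encodes the stated rule as a server-side check that returns every unmet requirement so the sign-up page can tell the parent exactly what to fix. The NFKC normalisation step is an assumption of this example (the same normalisation must then be applied before the password is hashed), and "other characters" is interpreted as any character that is not a letter or a number.

```python
"""Server-side check for the stated account password policy.

Added example for this page; not the company's own code. The policy
rules come from the DPIA text: minimum 10 characters, at least one
number, at least one capital letter, at least one other character.
"""
import unicodedata

MIN_LENGTH = 10  # stated in the DPIA

# Requirement descriptions in the order they are reported back to the user.
REQ_LENGTH = f"at least {MIN_LENGTH} characters"
REQ_DIGIT = "at least one number"
REQ_UPPER = "at least one capital letter"
REQ_OTHER = "at least one character that is not a letter or number"


def normalise(password: str) -> str:
    """Apply NFKC so that visually identical inputs are checked (and later
    hashed) identically. Assumption of this example: the hashing step uses
    the same normalisation, otherwise the check and the stored hash would
    disagree on length and characters."""
    return unicodedata.normalize("NFKC", password)


def password_policy_failures(password: str) -> list[str]:
    """Return the list of unmet requirements (empty when the policy is met).

    Length is measured in Unicode code points, not UTF-8 bytes, so a
    non-ASCII character counts once. Every rule is evaluated rather than
    stopping at the first failure, so the caller can show all problems.
    """
    pw = normalise(password)
    failures: list[str] = []
    if len(pw) < MIN_LENGTH:
        failures.append(REQ_LENGTH)
    if not any(ch.isdigit() for ch in pw):
        failures.append(REQ_DIGIT)
    if not any(ch.isupper() for ch in pw):
        failures.append(REQ_UPPER)
    # "Other characters": anything that is neither a letter nor a number.
    if not any(not ch.isalnum() for ch in pw):
        failures.append(REQ_OTHER)
    return failures


def is_password_acceptable(password: str) -> bool:
    """Convenience wrapper for the sign-up handler."""
    return not password_policy_failures(password)


if __name__ == "__main__":
    # Constructed sample inputs for illustration only.
    for candidate in ["Tablet-Time-2024", "Ab1!", "tabletplaytime9!", "TABLETPLAYTIME"]:
        problems = password_policy_failures(candidate)
        status = "accepted" if not problems else "rejected: " + "; ".join(problems)
        print(f"{candidate!r}: {status}")
```

Because the function reports every unmet requirement at once, the sign-up page can show the full list in one round trip instead of making the parent fix one rule per attempt; the same function should be the only place the rule is defined, so the website and the app store cannot drift apart.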
Describe the scope of the processing: what is the nature of the data, and does it include special category or criminal offence data? How much data will you be collecting and using? How often? How long will you keep it? How many individuals are affected? What geographical area does it cover?
Data processed
- Identity data: names, username and password, title, year of birth (for children), age, gender (not mandatory), country of residence.
- Contact data: billing address, email address, phone number.
- Financial data: payment card details (processed by a third party payment services provider and not stored by us or our website and app store).
- Transaction data: details of apps purchased, amounts, dates etc.
- Technical data: IP address, login data, browser type and version, browser language, browser plug-in types and versions, operating system and platform, user agent string, monitor size, time zone setting and location, surfing behaviour, name and URL of the requested file, and the website through which access is granted (referrer URL).
- Usage data: information about how users use our website, products and services.
- Marketing and communications data: record of users’ preferences in receiving marketing from us, delivery dates and notion of connected tablet, feedback, questions, complaints and survey responses.
Special categories of personal data
We do not process any special category personal data.
Volume of personal data
We currently have around one million children using this service globally.
Retention of data
We have a retention schedule which specifies storage periods for categories of data which reflect relevant legal requirements and limitation periods applicable to contractual claims. Once retention periods have expired, we securely delete data and log deletions.
Geographical area
The data subjects whose data we process are located in the UK and worldwide.
Describe the context of the processing: what is the nature of your service? Are you designing it for children? If not, are children under 18 likely to access it anyway? What is the likely age range of your users? How much control will they have? Would they understand and expect you to use their data in this way? Does your service use any nudge techniques? Are there prior concerns over similar services or particular security flaws? Is your service novel in any way? What is the current state of technology in this area? Are there any current issues of public concern that you should factor in, particularly over online risks to children? Are there any relevant industry standards, codes of practice or public guidance in this area? What responsibilities do you have under the applicable equality legislation for England, Scotland, Wales and Northern Ireland? Is there any relevant guidance or research on the development needs, wellbeing or capacity of children in the relevant age range? Are you signed up to any approved code of conduct or certification scheme (once any have been approved)?
Nature of service and users
Our service is a connected tablet aimed at children between the ages of four and 12. This is a new version of an established tablet with updated app features. The tablet is an educational product which enables children to take and store photos and videos, browse the internet, listen to music and watch shows. The tablet runs Google’s Android 10 operating system.
In conjunction with the tablet, we offer a secure app store to which tablet users can connect and download age-appropriate apps, games, e-books and other products.
User or parental control
The apps and content that children can access is controlled by their parents and simple age-appropriate information is provided to the child users to let them know about this. Pop-ups are shown if time controls are active, as well as if access to certain apps is restricted. All pop-up messages are displayed in writing and using audio messages.
See the ‘Parental controls’ section for more information.
Users’ expectations
Our main uses of personal data are to process and fulfil orders made on the website and app store, provide the apps, and deal with customer enquiries. In addition, we carry out limited marketing activity by e-newsletter which parents (not children) may sign up for. E-newsletters share contextual advertisements about new or popular products with parents. All e-newsletters have an unsubscribe link and all opt-outs are actioned and respected. We have a policy of never contacting the children themselves.
We also carry out platform analytics and technical monitoring of children’s use of the tablet. We use this data to provide the appropriate game levels and challenges for children of different ages and to develop new features and services. Where we collect analytics data through cookies or similar technologies, this is subject to obtaining the prior consent of parents through a pop-up when they carry out the initial product set-up.
We consider that the above processing will be in line with users’ expectations. We have clearly explained it in our privacy policy which is available at all relevant touchpoints (on our website, on our app store and when purchasing or downloading apps and other content). We provide privacy information to children in both age-appropriate text and video formats.
Our service is not novel and is in line with the current state of technology within the relevant market place. The only code of practice we are aware of which is applicable to our product is the ICO’s Age-appropriate design code. We have taken this into account in the design of our product and processes which involve the use of personal data.
Describe the purposes of the processing: what do you want to achieve with your service? What is the intended effect on individuals? What are the benefits of the processing – for you, and more broadly? What are the specific intended benefits for children?
Guidance: The Information Commissioner is required to take into account the UK’s obligations under the UNCRC in drafting this code. All the standards of the code relate to the best interest standard. See Standard 1 - Best interest of the child, which states:
“The best interests of the child should be a primary consideration when you design and develop online services likely to be accessed by a child.”
In order to implement this standard you need to consider the needs of child users and work out how you can best support those needs in the design of your online service, when you process their personal data.
Aim of our service
Our aim is to offer a connected tablet for children between the ages of four and 12, which is educational. The tablet enables customers to provide their children with a safe and age-appropriate way to use technology and explore the internet. The specific purposes for which we process personal data are set out in step 2 under the heading ‘How we use data’.
Intended effect on individuals
The intended effect on individuals is to enable parents to provide their children with, and to enable children to enjoy, an age-appropriate tablet. The features and controls make the tablet safe for children to use, rather than having to use a tablet designed for adults. We aim to create trust in our brand to increase our market share and drive sales of apps and content through our website and app store.
Benefits of the processing
The benefits of the processing are (for us) that it enables us to run our business, market our products and increase our sales. The processing benefits customers in that it enables children to access online content in a safe and controlled way, and to enjoy educational apps and content specifically designed for their age group. Adults can also benefit from e-newsletters (subject to consent) which inform them about our products and services that they may be interested in.