Compliance & Trust

ID Pool is built around the core principles of UK GDPR: data minimisation, purpose limitation, storage limitation, accuracy, integrity and confidentiality. Every feature of the platform is designed to collect only what is necessary and retain it only for as long as it serves a legitimate purpose.

Key design decisions aligned with UK GDPR include:

• Consent management — consent is recorded with timestamp, IP address, and user agent. Users can withdraw consent at any time.
• Audit logging — every significant platform action is audit logged with user, timestamp, and detail.
• Data minimisation — verifiers receive YES/NO assertions only, never raw documents, dates of birth, or personal data beyond what is strictly shared.
• Purpose limitation — share links are created for specific purposes and expire automatically.
• Subject rights workflows — users can access, correct, and request deletion of their data.
• Data Protection Impact Assessments (DPIA) — a DPIA module tracks high-risk processing activities.

The Youth & Guardian module within ID Pool is designed with child-safe defaults from the ground up, in alignment with the 15 standards of the ICO's Age Appropriate Design Code (Children's Code).

Design decisions for the youth module include:

• Guardian-controlled consent — no child profile can be created without guardian initiation and explicit parental responsibility confirmation.
• Age-appropriate explanations — the youth dashboard uses plain language, friendly tone, and no legal or technical jargon.
• Privacy by default — the most restrictive settings apply by default. Guardians must actively approve any sharing.
• Data minimisation for children — age bands (under 13, 13–15, 16–17) are used instead of exact dates of birth.
• Restricted disclosure — schools and organisations receive only YES/NO assertions about a young person's age or eligibility. No documents, no raw data, no identity ever disclosed.
• No profiling, no advertising — children's data is never used for profiling or commercial purposes.

The Online Safety Act 2023 introduces duties on platforms likely to be accessed by children, including requirements around age assurance and child safety online.

ID Pool is positioned to support safer digital environments by enabling privacy-preserving age assertions and consent records that platforms can use without receiving or retaining children's personal data or identity documents. Key capabilities relevant to the Online Safety Act include:

• Age assurance without document exposure — a YES/NO assertion ("user is over 18") can be shared with a platform without revealing date of birth or identity documents.
• Consent records — guardian consent for a young person's access to a service can be recorded and presented as a verifiable assertion.
• Online safety credentials — youth digital safety credentials provide a child-appropriate way to carry verified status between services.

The UK Digital Verification Services (DVS) Trust Framework sets standards for digital identity service providers, covering identity proofing, attribute verification, holder services, and orchestration. ID Pool is designed with alignment to this framework as a long-term strategic goal.

Current design choices that support future trust framework readiness:

• Attribute sharing with consent — attributes are only shared when the subject has created a specific share link with defined purpose and expiry.
• Auditability — comprehensive audit logs support the accountability requirements of the trust framework.
• Data minimisation — YES/NO assertions align with the principle that only necessary attributes should be disclosed.
• Provider integration layer — Stripe Identity (active), Yoti and Onfido (planned) enable multi-provider identity proofing at different levels of confidence.
• DPIA tracking — Data Protection Impact Assessments are managed within the platform for high-risk processing activities.