How do we develop a code of conduct?

What should a code of conduct cover?

Codes of conduct should reflect the specific data protection needs of your sector or profession, including micro, small and medium enterprises. They could cover topics such as: 

  • fair and transparent processing;
  • fair and lawful processing;
  • data subjects’ rights;
  • legitimate interests;
  • pseudonymisation; and 
  • other data protection processing issues.

Code owners should ensure that codes of conduct explain the following:

  • How the code owner can represent controllers or processors covered by the code (for UK GDPR and PECR codes).
  • Why the code owner qualifies as an expert public body and is therefore able to produce a code (for DPA part 3 codes). 
  • What the code’s purpose is, what the benefits to members are, and how it adds value by effectively applying data protection law.
  • Which processing activities the code covers, the categories of controllers or processors that it applies to, and the data protection issues that it intends to address.
  • How code members’ compliance with the code is monitored.
  • Where a monitoring body is required, who the agreed monitoring body is, including: 
    • what its legal status is; 
    • how it meets our monitoring body accreditation requirements (where required); and 
    • what happens if we revoke accreditation.
  • The nature and outcome of stakeholder consultation.
  • Confirmation that it complies with and doesn’t contradict data protection or other relevant national laws.

Code owners are also expected to ensure the code sets out details about how their proposed monitoring body (where required):

  • is independent of the code owner;
  • can act free from sanctions or external influence to ensure that no conflict of interest arises;
  • has the required knowledge and expertise;
  • has established procedures and sufficient resources for the monitoring of compliance with the code;
  • has an open and transparent complaints handling process;
  • will communicate infringements to us that may lead to suspensions or exclusions of code members;
  • will review the code to ensure that it remains relevant and up to date; and
  • has appropriate legal status.

Who can create a data protection code of conduct?

A ‘code owner’ is responsible for developing and submitting a code of conduct to us for approval. 

For UK GDPR and PECR codes, the code owner must be a representative body. This can include:

  • an association or consortium of bodies representing categories of controllers or processors;
  • a sectoral organisation;
  • a trade or professional body;
  • an academic organisation; or
  • an interest group.

The code owner should demonstrate to us that they: 

  • can represent the organisations the code applies to; and
  • have the necessary knowledge and experience of the sector, profession or processing activities to be included in the code.

The code owner is also expected to have, or have access to, the relevant level of data protection knowledge and expertise to enable them to develop the code.

Under part 3 of the Data Protection Act 2018 (DPA part 3), the code owner must be an ‘expert public body’ that we believe has the required knowledge and experience to produce a code of conduct. They must also perform functions of a public nature. 

Expert public bodies can develop a code for use by competent authorities which, as part of their functions, process personal information for law enforcement purposes.


How is code members’ compliance monitored? 

Code owners for UK GDPR and PECR codes of conduct must ensure they include effective ways to monitor compliance with the code’s requirements. For DPA part 3 codes, we expect monitoring to take place through existing internal audit and compliance mechanisms.

For codes covering private or non-public authorities, code owners must also specify a monitoring body. 

The monitoring body’s purpose is to ensure code member compliance with the code. Monitoring bodies must undergo a separate approval process to demonstrate they meet our accreditation requirements. We can revoke accreditation if a monitoring body fails to meet its obligations.

Code owners are expected to ensure the code sets out the monitoring body’s details and how it meets our accreditation requirements.

Please see our guidance on monitoring bodies for further information.

Are cross-sector or combined codes possible?

Code owners could develop cross-sector codes where they can demonstrate that the organisations involved share a common processing activity and similar processing needs. For example, this might apply to a profession or occupation working across multiple economic sectors, such as human resources or IT professionals. Development of this type of code is likely to be complex.

In these circumstances, we expect the relevant professional bodies – which oversee the knowledge, skills, support, conduct and practice of the respective profession or occupation – to take part in developing the code.

A code applying to more than one sector can have more than one monitoring body. In this case, code owners are required to ensure that the code clearly: 

  • states which monitoring body is responsible for which group of members; and
  • outlines how each monitoring body meets the accreditation requirements.

Under PECR, a single code document may contain both PECR and UK GDPR code requirements. 


Could there be more than one ICO-approved code of conduct in a sector?

Code owners must demonstrate the need for a code. There could be multiple codes in a sector or profession as long as they:

  • satisfy our approval requirements;
  • cover different personal information processing areas and scope; 
  • are clear about the organisations they apply to; and
  • provide added value by tailoring relevant data protection requirements to the sector or profession to:
    • offer clear, practical solutions, and 
    • provide industry improvements for the data protection areas covered.

We do not expect two codes to cover the same topic in the same sector or area of processing. In such cases, we will check that they are suitably representative and consider whether there should just be one code.

Code owners should ensure the draft code contains information about the extent of consultations carried out with stakeholders and the people the code is relevant to. They should include, where relevant, information about how the code complements other approved codes.


How can we apply to the ICO to have our code of conduct approved?

There are two stages to the code application process – the proposal stage and the code development stage. 

At the proposal stage, we expect you to outline:

  • what your proposed code of conduct is about;
  • who it will apply to;
  • how it will add value; and
  • how it will benefit code members and people affected by the code.

If we accept your proposal, the code development stage follows. This involves:

  • developing the draft code of conduct;
  • setting out the data protection requirements for code members to follow;
  • setting out mechanisms for monitoring compliance; and 
  • submitting this to us for assessment.

Developing a code of conduct is a complex process that requires significant time and resources. We will provide guidance and support at each stage.

We welcome early discussions with organisations to ensure they develop codes in line with the relevant guidelines and requirements.

If you’re thinking of developing a code of conduct, please contact us for an initial discussion at [email protected].


How will the ICO assess our proposal and code of conduct?

We assess your code proposal against the following requirements:

  • It includes details of the code owner(s) and any partnerships or consortia.
  • Code owner(s) and monitoring body(ies) meet the eligibility requirements set out in this guidance. Monitoring bodies are not required for codes developed by public authorities under UK GDPR or PECR, or expert public bodies (DPA part 3 codes).
  • None of the parties involved in the code of conduct is subject to any relevant ICO investigation or regulatory action.
  • It includes a concise explanatory statement that:
    • explains the key issues in the sector that the code aims to address;
    • identifies the relevant data protection legislation;
    • sets out the processing activity(ies) within scope;
    • specifies the types of information involved; and 
    • outlines the risks associated with that processing.
  • There is evidence that the code owner and monitoring body (where required) have (or have access to) the necessary knowledge and experience of the subject matter and relevant data protection law.
  • It details the processing operations that it intends to address, such as those listed in UK GDPR article 40(2), PECR regulation 32A(3) or DPA section 71A(4).
  • UK GDPR and PECR codes describe the proposed mechanisms for monitoring compliance with the code. This includes structures and procedures for the investigation and management of code infringements and details of corrective measures. DPA part 3 codes explain how internal audit and compliance mechanisms will monitor compliance with the code.
  • Codes relating to private sector or non-public sector organisations identify a monitoring body that has:
    • agreed to perform the role; and 
    • confirmed it’s aware of its obligations, as set out in our monitoring body guidance and the monitoring body accreditation requirements.
  • It details any initial consultation that has taken place with potential code members, stakeholders, people affected by the code or other relevant bodies. It outlines plans for and the nature of future consultations.
  • It confirms that the code of conduct complies with and doesn’t contradict data protection law or any relevant national legislation.

If we accept your proposal, we will then ask you to develop and submit your draft code of conduct. We will assess this to ensure it:

  • is well structured and written in a logical, clear and understandable manner, in line with the general layout requirements; and
  • meets the code content requirements by including the following:
    • The code owner’s details and a clear explanation of how and why they are qualified to represent the sector or members, speak on their behalf or qualify as an expert body. 
    • An explanatory statement detailing: 
      • the code’s purpose; 
      • who it’s for; 
      • the key data protection issues facing the sector or area of processing and how the code addresses them; 
      • the benefits to code members and people; and 
      • how it adds value. 
    • A clear explanation of the scope, including:
      • which processing activities it applies to; 
      • which key elements of data protection law it covers; and 
      • who the code applies to (eg processors or controllers).
    • Practical data protection rules for code members to follow.
    • The monitoring mechanisms that will manage compliance with the code, as required for UK GDPR and PECR codes. DPA part 3 codes need to explain how internal audit and compliance mechanisms will monitor compliance with the code.
    • Details on the monitoring body (for UK GDPR and PECR codes in the private/non-public sector only).
    • Details on the consultation that has taken place with wider stakeholders. 
    • Confirmation that the code complies with relevant national legislation or case law.

We will review your code and provide feedback. Once you have made any required changes, the code will undergo a full code review by a Code Assessment Group. This comprises ICO staff with relevant sectoral or technical expertise. 

This formal review will decide if the code:

  • demonstrates a need for the code within that sector, profession or processing activity;
  • addresses the specific needs of the sector or profession while demonstrating a practical understanding of the relevant data protection legislation;
  • provides specific industry improvements for the data protection areas covered;
  • provides suitable and effective safeguards against the risks of data processing; and
  • provides relevant mechanisms to ensure appropriate monitoring of code compliance.


How will people know our code of conduct is approved?

When we approve the code, we will publish it in the codes of conduct register.

This includes the name of the code owner and the code, with a link to the code showing the version number and date of approval. It also includes the name and contact details of the monitoring body, where required.

How will people know who is a code member?

You should keep an easily accessible and publicly available list of your code members. You should keep this list up to date and make any amendments immediately.

How do we ensure our code of conduct remains relevant?

You are required to periodically review the code of conduct to ensure that it remains relevant and up to date. If you need to make any amendments or extensions to the code, let us know in writing via [email protected].

Any amendments or extensions to the code or changes or additions to a monitoring body require our approval.

How should a code owner report to the ICO?

For UK GDPR and PECR codes, code owners or the accredited monitoring body should provide us with an annual report which includes:

  • a list of current code members;
  • any new members who have joined in the last 12 months;
  • information concerning code member breaches of code requirements;
  • details of any members suspended or excluded in the last 12 months; and
  • outcomes of the code review.

For DPA part 3 codes, the code owner could provide us with an annual report, including a list of current code members.


What is the difference between ICO-approved data protection codes of conduct and ICO statutory codes of practice?

Associations, expert public bodies or other relevant bodies write ICO-approved data protection codes of conduct on behalf of a sector or profession. They focus on key data protection challenges faced by the organisations covered, setting out practical requirements for code members to follow. Relevant mechanisms to monitor code member compliance are set out within the code.

We write ICO statutory codes of practice to address key strategic areas, as set out in the DPA. They are approved by the Secretary of State and laid before Parliament. Codes of practice provide practical guidance to organisations about how to comply with data protection and other legislation on a particular topic. 

Following an ICO statutory code helps organisations comply with their legal and accountability obligations under data protection and other legislation. Compliance with a statutory code is not monitored in the same way as a code of conduct. However, we must take the relevant statutory codes into account when considering whether you have complied with your data protection obligations (eg when we are dealing with a complaint against you). 

Can we convert our existing industry code into a UK GDPR, PECR or DPA part 3 code of conduct?

If you want us to approve an existing industry or sector code as a code of conduct, you should review and evaluate it against: 

  • the relevant data protection legislation; and 
  • the code requirements set out above. 

You must submit this to us for approval in line with our standard application and approval process above.

You must ensure your code addresses particular data protection areas and issues that your sector or profession faces and doesn’t simply restate data protection law.


Summary 

The requirements for PECR codes are similar to those for UK GDPR codes of conduct. Key points to note are as follows:

  • The code owner must be a representative body who can represent the organisations the code applies to.
  • The code owner should have the necessary knowledge and experience of the sector, profession or processing activities to be included in the code.
  • The code owner is also expected to have, or have access to, the relevant level of data protection knowledge and expertise to enable them to develop the code.
  • The code may relate to the processing examples set out in PECR regulation 32A(3).
  • A single code document may contain both PECR and UK GDPR code requirements.
  • The code must set out suitable methods to monitor code member compliance with the code.
  • For codes covering private organisations or non-public bodies, the code owner must specify a monitoring body.
  • The nominated monitoring body must apply separately for ICO approval. 
  • Accreditation of an ICO-approved monitoring body can be revoked in line with PECR regulation 32B(6).

Summary

As set out above, the requirements for DPA part 3 codes of conduct vary from the requirements for UK GDPR codes. Key points to note are as follows:

  • An ‘expert public body’ that we believe has the required knowledge and experience must develop the code.
  • The code owner needs to demonstrate their status as an expert public body. They are also expected to have, or have access to, the relevant level of data protection knowledge and expertise to enable them to develop the code.
  • The expert public body must perform functions of a public nature.
  • They can relate to the non-exhaustive list of processing activities set out in DPA section 71A(4).
  • They don’t require a monitoring body. We expect compliance monitoring to take place through internal audit and compliance mechanisms, the details of which the code owner should set out in the code. In some cases, those with appropriate oversight or responsibilities in the public or law enforcement sectors may also be able to undertake a ‘monitoring’ role.
  • Code owners could provide the ICO with an annual report on the operation of the code.

Are we a public authority under data protection legislation and PECR?

Section 7 of the DPA defines a public authority for the purposes of the UK GDPR. PECR regulation 32A(9) adopts the section 7 definition as the meaning of public body.

Section 7 says that the following (and only the following) are ‘public authorities’ and ‘public bodies’:

  • a public authority as defined by the Freedom of Information Act 2000;
  • a Scottish public authority as defined by the Freedom of Information (Scotland) Act 2002; and
  • an authority or body specified or described by the Secretary of State in regulations.

The above authorities or bodies are only public authorities for UK GDPR purposes when they are:

  • performing a task carried out in the public interest; or 
  • exercising an official authority vested in them.

However, section 7(3) of the DPA says that the following are not public authorities for the purposes of the UK GDPR:

  • a parish council in England;
  • a community council in Wales;
  • a community council in Scotland;
  • a parish meeting constituted under section 13 of the Local Government Act 1972;
  • a community meeting constituted under section 27 of the Local Government Act 1972; and 
  • a charter trustee constituted:
    • under section 246 of that Act;
    • under part 1 of the Local Government and Public Involvement in Health Act 2007; or
    • by the Charter Trustees Regulations 1996.

While these are not public authorities for UK GDPR purposes, this doesn’t affect their status as a public authority under any other legislation.

Are we a competent authority under DPA part 3 for law enforcement processing?

Part 3 only applies to competent authorities (and their processors) when processing personal information for criminal law enforcement purposes. 

A competent authority is:

  • a person specified in schedule 7 of the DPA; or
  • any other person if and to the extent that they have statutory functions for any of the law enforcement purposes (section 30(1)(b) of the DPA).

The law enforcement purposes are defined in section 31 of the DPA as:

  • the prevention, investigation, detection or prosecution of criminal offences; and
  • the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.

You need to check whether schedule 7 of the DPA lists you as a competent authority. The list includes most government departments, police chief constables, the Commissioners of HMRC, the Parole Boards and HM Land Registry.

If schedule 7 doesn’t list you, you may still be a competent authority if you’re exercising statutory functions for any of the law enforcement purposes. For example, this may apply to: 

  • local authorities who prosecute trading standards offences; or 
  • the Environment Agency when prosecuting environmental offences.

How do codes of conduct work as an international transfer tool?

The use of codes of conduct as an international transfer tool is a new mechanism, and we’re committed to supporting their development. If you want to discuss establishing a code of conduct in your sector or profession for the transfer of personal information to a third country or international organisation, please contact us at [email protected].