About this guidance

This guidance discusses codes of conduct in detail. Read it if you have questions not answered in our brief guidance on codes of conduct or if you need a deeper understanding. This guidance is useful for organisations considering writing, monitoring or signing up to a code of conduct.

If you haven’t yet read the brief guidance on codes of conduct, you should read that first. It sets out the key points you need to know.

Legislative requirements

To help you to understand the law and good practice as clearly as possible, this guidance says what organisations must, should, and could do to comply.

Must refers to:

• legislative requirements within our remit; or
• established case law (for the laws that we regulate) that is binding.

Good practice

• Should does not refer to a legislative requirement, but what we expect you to do to comply effectively with the law. We expect you to do this unless there is a good reason not to. If you choose to take a different approach, you need to be able to demonstrate that this approach also complies with the law.
• Could refers to an option or example that you may consider to help you to comply effectively. There are likely to be various other ways for you to comply. 

This approach only applies where indicated in our guidance. We will update other guidance in due course.

Contents

How do we develop a code of conduct?

• What should a code of conduct cover?
• Who can create a data protection code of conduct?
• How is code members’ compliance monitored?
• Are cross-sector or combined codes possible?
• Could there be more than one ICO-approved code of conduct in a sector?
• How can we apply to the ICO to have our code of conduct approved?
• How will the ICO assess our proposal and code of conduct?
• How will people know our code of conduct is approved?
• How will people know who is a code member?
• How do we ensure our code of conduct remains relevant?
• How should a code owner report to the ICO?
• What is the difference between ICO-approved data protection codes of conduct and ICO statutory codes of practice?
• Can we convert our existing industry code into a UK GDPR, PECR, DPA part 3 code of conduct?
• Are we a public authority under data protection legislation and PECR?
• Are we a competent authority under DPA part 3 for law enforcement processing?
• How do codes of conduct work as an international transfer tool?

How are codes of conduct monitored?

• Monitoring mechanisms
• What are the monitoring body accreditation requirements?
• How can we meet the accreditation requirements?
• When can a monitoring body be accredited?
• Can you revoke monitoring body accreditation?
• Could a monitoring body be fined?
• How do we apply to become an accredited monitoring body?
• Can an additional monitoring body be added to a code of conduct?

How do we become a code member?

• What are the practical implications for our organisation?
• Will the ICO consider our code membership as a mitigating factor in the event of an investigation?
• How can we sign up?
• How will people know we’re a code member?

ICO register of data protection codes of conduct

• How to use the register