How are codes of conduct monitored?
At a glance
Code owners for UK GDPR and PECR codes of conduct must ensure they contain suitable ways to effectively monitor compliance with the code.
Code owners for codes of conduct covering the private sector or any non-public bodies must also ensure they specify a monitoring body to fulfil the code monitoring requirements.
Monitoring bodies must be accredited by us under a separate application process.
For DPA part 3 codes, the compliance monitoring and reporting function is carried out through existing internal information governance and compliance processes.
The following guidance explains in more detail:
- how to monitor codes of conduct;
- what a monitoring body is; and
- how an organisation can become accredited as a monitoring body.
In detail
- Monitoring mechanisms
- What are the monitoring body accreditation requirements?
- How can we meet the accreditation requirements?
- When can a monitoring body be accredited?
- Can you revoke monitoring body accreditation?
- Could a monitoring body be fined?
- How do we apply to become an accredited monitoring body?
- Can an additional monitoring body be added to a code of conduct?
Monitoring mechanisms
Code owners must ensure that their codes of conduct have a suitable mechanism to monitor compliance with the code requirements. The type of monitoring mechanism varies depending on the legislation the code applies to and whether it relates to public or non-public sectors.
For UK GDPR and PECR codes of conduct covering private or non-public authorities, the code owner must identify a monitoring body to fulfil the monitoring requirements. In some cases, it could be appropriate to have more than one monitoring body.
For UK GDPR and PECR codes covering the public sector, code owners should ensure the code sets out:
- the type of monitoring mechanism(s) and how they will work in practice (eg self-assessment, audit);
- the structures and resources for monitoring compliance; and
- the procedures for investigating and managing infringements.
If a UK GDPR or PECR code applies to the public sector, a monitoring body is not required, but code owners could still choose to have one.
If your code of conduct relates to part 3 of the DPA, you don’t need to set out detailed monitoring mechanisms or have a monitoring body. Instead, you should ensure the code makes it clear that the compliance monitoring and reporting function is via your existing internal information governance and compliance process. You should also explain how this will operate in practice.
Two types of monitoring bodies can oversee a code of conduct:
- Internal – a distinct part of the code owner’s organisation that can operate independently. For example, an internal audit or compliance department.
- External – an organisation or body outside of the code owner’s organisation. This could include audit firms, consultancy firms, or other bodies, including those with appropriate oversight or responsibilities in the public or law enforcement sectors.
All monitoring bodies, whether internal or external, must fully meet our accreditation requirements.
What are the monitoring body accreditation requirements?
To become a monitoring body, you will need to meet our accreditation requirements by demonstrating that you:
- are appropriately independent from code owners, considering specifically:
  - your legal and decision-making procedures; and
  - your financial, organisational and accountability arrangements;
- can act free from sanctions or external influence to ensure that no conflict of interest arises;
- have the required knowledge and expertise;
- have established procedures, structures and resources for the monitoring of compliance with the code;
- have an open and transparent complaints handling and appeals process to receive, evaluate, track, record and resolve complaints and appeals;
- will communicate to us any code member infringements that may lead to suspensions or exclusions, and any substantial changes to your own status;
- will review the code to ensure that it remains relevant and up to date; and
- have appropriate legal status.
How can we meet the accreditation requirements?
You will be required to provide evidence to show how you meet each of the accreditation requirements. Below, we set out examples of how you may be able to do this.
Independence and impartiality
Monitoring bodies are structured and managed in a way that safeguards their independence and impartiality and allows them to act free from external influence.
Therefore, you must demonstrate that you’re sufficiently independent from the code owner and code members. For example, you could do this by having separate reporting and management structures, or formal rules and procedures for staff appointments.
How this works in practice varies depending on the code topic, the sector and the organisations involved. There is no universal approach to demonstrating independence.
When you’re using an internal monitoring body, it is important to consider risks to impartiality arising from this arrangement and demonstrate how these risks will be effectively managed and reviewed on an ongoing basis.
Examples of good practice that could help demonstrate impartiality for an internal monitoring body include:
- evidence of the ability to act free from inappropriate influence;
- separate decision-making arrangements;
- separate staff and governance reporting lines;
- separate funding arrangements or budget management; and
- technical measures, such as information barriers.
Conflict of interest
You must demonstrate that your tasks and duties don’t result in a conflict of interest. This means you can deliver your monitoring activities in an impartial manner. This process includes identifying:
- the potential risks to impartiality through a risk assessment process (identifying ownership, governance, management, personnel, shared resources); and
- the means by which these risks will be prevented or mitigated.
Expertise
You must have expertise about the code’s subject matter. This means having in-depth knowledge and experience of the specific data processing activities outlined in the code, the relevant sector and the required data protection expertise. This could include, but is not limited to, evidence to support:
- your status as an association or representative body;
- your personnel training or qualifications; and
- any additional requirements outlined in the code of conduct.
Established monitoring procedures
As a monitoring body, your procedures and structures must enable you to:
- assess the eligibility of organisations to apply for code membership and comply with code requirements; and
- undertake periodic compliance monitoring and demonstrate that you can manage code member infringements.
You will also need to verify that applicants are not under investigation by the ICO or subject to regulatory action that might prevent issuing code membership.
Transparent complaints handling
You must have a transparent process for handling complaints about code member infringements of the code. This should include procedures to receive, evaluate, track, record and resolve complaints and appeals made about a code member or potential code member.
You should also have a clear and transparent process to handle complaints about your own organisation and your appeals handling process.
You should maintain a record of all complaints and the actions taken, which we can request access to at any time.
The monitoring body should deal with all complaints in the first instance. Any initial complaints submitted directly to the ICO will be:
- returned to the complainant for onwards referral to the monitoring body; or
- referred directly to the monitoring body for action (where appropriate).
Communicating with the ICO
You must immediately notify us of any suspensions or exclusions of code members. You should provide a summary of the infringement and reasons for the action taken, in line with the suspension and exclusion process.
You should only suspend or exclude code members in serious circumstances, and only after giving them the opportunity to take suitable corrective measures.
You should also make us aware of any procedure for lifting the suspension or exclusion of a code member.
You should have a process in place to immediately notify us of any substantial changes to your ability to function independently and effectively as a monitoring body. This includes where there are any:
- conflicts of interest; or
- changes that significantly reduce your expertise.
Substantial changes could include any:
- changes to legal, financial, commercial, ownership or organisational status and key personnel;
- significant reduction in available resources;
- changes to your status as a UK legal entity; or
- changes to your ability to meet any of the accreditation requirements.
If substantial changes occur, we will review your monitoring body accreditation.
Code review mechanisms
The code owner should periodically review the code of conduct to ensure that its content:
- remains relevant and up to date; and
- continues to meet relevant data protection legal requirements.
If asked to do so by the code owner, the monitoring body should contribute to this review. You will therefore have documented plans and procedures in place, which include providing the code owner and the ICO with an annual report on the operation and relevance of the code.
Where necessary, you should also apply any code updates once they have been approved by us, as instructed by the code owner.
Legal status
Your legal status ensures that you have the appropriate standing to be fully accountable in your role as a monitoring body. It also ensures that you have sufficient financial and other resources to fulfil your monitoring responsibilities.
A monitoring body must be a legal entity established in the UK, such as a UK limited company or a defined part of a legal entity. You must therefore demonstrate that you have a meaningful place of business in the UK. For example, this may include showing that you:
- have a branch office where you carry out your activities; and
- are registered with UK Companies House.
For more information on accreditation, please see our accreditation requirements.
When can a monitoring body be accredited?
Monitoring body accreditation normally takes place as soon as possible after code approval. This is to ensure monitoring arrangements reflect the approved and finalised monitoring requirements set out in the code.
When a code is approved, we will publish it on the ICO register of codes of conduct. However, it cannot formally operate until we have accredited a monitoring body, where one is required.
Can you revoke monitoring body accreditation?
We must revoke the accreditation of a monitoring body if it no longer meets the requirements (as set out in article 41(5) of the UK GDPR and regulation 32(B)(6) of PECR). Revoking a monitoring body’s accreditation results in its suspension or permanent withdrawal from the code. This may adversely affect the compliance, reputation or business interests of code members and result in a reduction in public trust.
Where possible, before taking such a step, we will provide the opportunity for the monitoring body to rectify the issues in question within an agreed timescale.
We will only revoke accreditation in serious circumstances – for example, if:
- you seriously contravene key requirements relating to your:
  - independence;
  - expertise;
  - conflicts of interest; or
  - monitoring of code member compliance;
- there are unacceptable volumes or serious complaints about your organisation from code members or others;
- you don’t act on complaints received about code members; or
- you carry out activities that bring your organisation’s role as a monitoring body into disrepute.
If a monitoring body has its accreditation revoked, the code should outline clear provisions for the application and accreditation of a replacement body.
Could a monitoring body be fined?
A monitoring body can’t have a fine imposed for a code member’s infringements.
However, a monitoring body could receive a fine for:
- breaches of data protection law or PECR (as appropriate) while carrying out its own activities (as a data controller or processor); or
- not fulfilling its obligations as a monitoring body, in line with relevant UK GDPR and PECR legislation.
How do we apply to become an accredited monitoring body?
Where a monitoring body is required, the code owner chooses who will fulfil that role.
If the code owner nominates you to undertake the monitoring body role, you will need to apply to us, demonstrating how you meet our accreditation requirements.
If the code owner chooses to have an internal monitoring body, they also need to apply for accreditation.
You can apply in English or Welsh.
Once received, we will review the application to ensure you’ve provided all relevant information and request further information if necessary. The time it takes to complete the accreditation process varies.
Applying to become a monitoring body is a separate process from the code of conduct approval process. This means that a code of conduct may be approved and published before a monitoring body receives final ICO accreditation.
Can an additional monitoring body be added to a code of conduct?
We do not normally expect a code to have more than one monitoring body. However, if the code owner identifies the need for an additional monitoring body after we have approved the code, the additional body will need to make a separate application for accreditation. The additional monitoring body must demonstrate that it meets the accreditation requirements outlined above.