Privacy Assessment Process »

Privacy Assessment Process

What are Privacy Assessments?

Section I of the SEC sets out the obligations of the Data and Communications Company (DCC) and each User of the DCC Services on data protection, access to consumption data and Other User Privacy Audits. Please note this requirement is only for Users acting in the role of ‘Other User’.

The Privacy Assessment cycle begins with a Full Privacy Assessment which is a requirement of the User Entry Process.

Privacy Assessments are performed by the User Independent Privacy Auditor (IPA) appointed by the SEC Panel.

The materials to help SEC Parties understand the assessment process can be found in the documents section of this page and are explained below.

Party Assurance Status

Following the completion of a Full Privacy Assessment, the SEC Panel assign the Party one of four assurance statuses:

  • ‘Approved’
  • ‘Approved, subject to the Party’
  • ‘Provisionally approved’ and
  • ‘Deferred’

In order to complete the User Entry Process, the Party’s assurance status must be set to “Approved” or “Approved Subject to;”. Further information is available in the Privacy Controls Framework which can be found here.

The SEC Panel has arranged the development of a Privacy Controls Framework (PCF). The Framework includes:

  • Arrangements designed to ensure that Privacy Assessments provide reasonable assurance that Other Users are complying with their SEC obligations under Sections I1.2 to I1.5; and
  • The Principles and criteria to be applied in the carrying out of any Privacy Assessment, including principles designed to ensure that Privacy Assessments take place on a consistent basis across all Other Users; and
  • The Provisions for determining the timing, frequency and selection of Other Users for the purposes of Random Sample Privacy Assessments.

For more information please see the Privacy Controls webpage.

Please complete the Privacy Assessment Online Booking Form available here. A member of the SECAS team will contact you to discuss your request. Please note that requested assessment dates are required to be at least twelve weeks after the date your request is submitted. Security and Privacy Assessments can be performed by the User Competent Independent Organisation (CIO) and IPA in parallel.

The rate card can be found in the documents section of this page, following member login.

If you wish to reschedule or cancel your assessment, you are required to do so at least four weeks prior to the assessment commencement date. After this point a cancellation fee of 25% of the total cost is chargeable. Please note that the IPA are entitled to recover any costs they have incurred relating to an assessment, regardless of the notice provided. Please submit your amendment or cancellation request to