Other Users are required to gain SEC Panel pre-approval for any adjustments they wish to make to the processes used to demonstrate compliance with I1.2 – I1.5.
Other Users wishing to make changes to these processes will be required to:
- Submit a SEC Privacy Change Notification form to SECAS which is available to download below; and
- Also submit supporting material on processes and procedures that will be affected by the change, including an adequate description of the processes to which the change relates, the purpose of the change, and the nature of its relationship to the User’s obligations under SEC Section I.
The Privacy Change Notification form will be reviewed by the IPA and the SECAS Privacy Experts to establish whether the proposed change constitutes a material or non-material change to the approved systems and processes. SECAS will provide the Other User with the outcome of the review within 10 working days of receipt.
Should the User IPA and Privacy Experts determine the proposed changes constitute a non-material change to the approved systems and processes, the Other User will receive confirmation of whether this has been approved or rejected within 10 working days.
Should the User IPA and Privacy Experts determine the proposed change constitutes a material change to the approved systems and processes, the Other User would then require an ad-hoc Privacy Change Assessment to process this request.
SECAS will provide a proposed commencement date, the likely timeline and the scope of the ad-hoc Privacy Assessment. This will be a defined scope based on the change request rather than a Full Privacy Assessment (FPA) covering the whole of SEC Section I.
SECAS will make all best endeavours to schedule in a Privacy Change Assessment within the subsequent four weeks. However, the availability to schedule in a Privacy Change Assessment is subject to change and dependant on the schedule of annual User Security and Privacy Assessments. Therefore, in rare cases, a maximum period of 12 weeks may be required to schedule a Privacy Change Assessment. Other Users should bear this in mind when submitting a SEC Privacy Change Request and their required timeline for introducing this change.
SEC Panel will be notified of all SEC Privacy Change Notifications received, their status and the outcomes. Material change requests will also require Panel approval as per the existing FPA process.
Further details can be found in the Privacy Controls Framework Section 8.