Section I of the SEC sets out the obligations of the Data and Communications Company (DCC) and each User of the DCC Services on data protection, access to consumption data and Other User Privacy Audits.
Part of the requirements include all Users acting in the User Role of Other User undergoing a cycle of Privacy Assessments. Users not acting in the role of Other User are not required to go through this process.
The Privacy Assessment cycle begins with a Full Privacy Assessment which is required as part of the User Entry Process (set out in Section H1). Further information on the types of assessment and the cycle can be found below under Privacy Assessment Cycle.
Privacy Assessments are performed by an Independent Privacy Auditor, which is appointed by the SEC Panel. The organisation is also appointed to undertake the role of User Independent Security Assurance Service Provider and collectively are known as the User Competent Independent Organisation (CIO).
There are a number of materials which should aid SEC Parties understanding of the assessment process. These can be found in the documents section of this page and are explained below.
Party Assurance Status
Following the completion of a Full Privacy Assessment the SEC Panel shall assign that Party an assurance status. As per SEC Section I2.30 the Panel shall assign one of four assurance statuses. Further description of these assurance statuses is available in the Privacy Controls Framework. In order to complete the User Entry Process the Party’s assurance status must be set to “Approved”.
Privacy Assessment Processes
SECAS have compiled process flows of both the pre-assessment (initial engagement through to the User CIO commencing the assessment) and post-assessment (from the User CIO producing their assessment report through to the SEC Panel setting a Parties assurance status). These are compiled for the benefit of SEC Parties and are available for download on the right hand side of this page.
Privacy Controls Framework - Please click here to be directed to the PCF webpage.
As directed by I2.13 of the Code, the SEC Panel has arranged the development of, and now maintains, a Privacy Controls Framework. The Framework includes:
- Arrangements designed to ensure that Privacy Assessments provide reasonable assurance that Other Users are complying with (or, for the purposes of Section H1.10(d) (User Entry Process Requirements), are capable of complying with) their obligations under Sections I1.2 to I1.5; and
- The Principles and criteria to be applied in the carrying out of any Privacy Assessment, including principles designed to ensure that Privacy Assessments take place on a consistent basis across all Other Users; and
- The Provisions for determining the timing, frequency and selection of Other Users for the purposes of Random Sample Privacy Assessments.
Booking and Charges
Those seeking to book a Privacy Assessment should complete the Booking Form and submit it to SECAS@Gemserv.com. A member of the SECAS team will be in contact following your submission to discuss your request. We require requested assessment dates to be at least twelve weeks after the date the request is submitted. Please note that Security and Privacy Assessments can be performed by the User CIO in parallel.
The rate card can be found in the documents section on this page following member login.
Booking amendments and cancellations
SEC Parties wishing to reschedule or cancel their assessment are required to do at least four weeks in advance of their assessment date. After this point a cancellation fee of 25% of the total cost is chargeable. Please note that User CIOs are entitled to recover any costs they have incurred relating to an assessment, regardless of the notice provided. Cancellation requests should be submitted to SECAS@Gemserv.com