> A model contract is available at
>
> http://www.iccwbo.org/home/statements_rules/rules/1998/model_clauses.asp
>
Susan Healy
PRO
> ----------
> From: Andrew Charlesworth[SMTP:[log in to unmask]]
> Reply To: [log in to unmask]
> Sent: 12 June 2000 16:38
> To: [log in to unmask]
> Subject: CoP - Transfers of personal data to non-EEA countries
>
> Request for comments:
>
> *Key*
> <T> = title
> <ST> = Subtitle
> <R> = Recommendation
>
> <T> Transfers of data to non-EEA countries
>
> The Data Protection Act 1998 contains specific provisions with
> regard to the transfer of personal data to countries outside the EEA
> (the EU Member States, plus Norway, Iceland and Liechtenstein).
> The eighth data protection principle states "'Personal data shall not
> be transferred to a country or territory outside the European
> Economic Area unless that country or territory ensures an
> adequate level of protection for the rights and freedoms of data
> subjects in relation to the processing of personal data." This is
> qualified by a number of conditions set out in Schedule 4 DPA
> 1998, for example, personal data may be transferred to a country
> without an adequate level of protection where the data subject has
> given his consent to the transfer.
>
> There will be two elements involved when determining the adequacy
> of protection of data privacy in a non-EEA country to which
> personal data are to be transferred.
>
> - the substantive rules that apply to protection of the data;
>
> - the methods of enforcement by which compliance with those
> substantive rules is attained.
>
> The first of the elements can be achieved by ensuring that the
> substantive rules that apply to the transferee have the same effect
> as those contained in the Act. There are a number of ways that
> this could be achieved: national legislation in the jurisdiction to
> which the data are transferred; codes of conduct at an industry or
> sectoral level; or specific contractual provisions between the UK-
> based transferor and the transferee; or elements of all three.
> However, the second element poses a thornier problem, it is
> difficult to see, for instance, how data subjects might be provided
> with similar private legal rights of action against non-EEA data
> transferees to those that they have available against EEA-based
> transferees under the Act.
> The ODPC has produced a preliminary guidance note entitled "The
> Eighth Data Protection Principle and Transborder Dataflows" which
> provides a detailed legal analysis and suggests a "good practice
> approach" to assessing adequacy, including consideration of the
> issue of contractual solutions.
>
> <R> HE and FE institutions should:
> - have particular regard to the recommendations in the ODPC
> preliminary guidance note "The Eighth Data Protection Principle
> and Transborder Dataflows" when determining
>
> -- whether or not a country has adequate protections for personal
> data in relation to the proposed transfer;
>
> -- the proper procedure to adopt for transfer of personal data to non-
> EEA countries.
>
> - consider whether or not and, if so, the extent to which, a
> decision to treat the third country as adequate in relation to the
> proposed transfer will prejudice the fundamental rights and
> freedoms of the data subject(s), and in particular their right to
> privacy with respect to the processing of personal data"
>
> - be able to justify any decision they make about adequacy should
> it prove necessary for the ODPC to enquire as to the basis for any
> transfer to a third country
>
> - consider whether specific transfers of personal data to a non-
> EEA country may be necessary:
>
> -- for the performance of a contract between the data subject and
> the data controller, or
>
> -- for the taking of steps at the request of the data subject with a
> view to their entering into a contract with the data controller, or
>
> -- for the conclusion of a contract between the data controller and
> a person other than the data subject which was entered into at the
> request of the data subject, or is in the interests of the data
> subject, or for the performance of such a contract.
>
> Such transfers are exempted from the prohibition on transfer.
> Examples in the HE and FE sector would include: requests by HE
> and FE institutions to non-EEA governments, agencies, and
> organisations for information necessary to determine academic
> eligibility for attending a course of study in the UK; transfers of
> personal data to non-EEA governments, agencies, and
> organisations sponsoring students to attend a course of study in
> the UK, where such sponsorship is dependent upon attendance
> and/or performance criteria; transfers of personal information (e.g.
> examination marks), relating to, and required by, data subjects
> engaged in distance learning courses.
>
> - be able to justify any decision they make about exempted
> transfers should it prove necessary for the ODPC to enquire as to
> the basis for any transfer to a third country
>
> - in most other circumstances, obtain the specific and informed
> consent of the data subject before transferring personal data to a
> non-EEA country, that is
>
> -- the data subject should be made aware of the risks that the
> institution may have assessed as being involved in the transfer; and
>
> -- the data subject should have given clear consent to the transfer.
>
> The institution should be able to produce clear evidence of the data
> subject's consent in any particular case and be able to prove that
> the data subject was informed as required. Consent in writing is
> thus recommended. An example in the HE and FE sector would
> be the transfer of staff personal data to a non-EEA country to be
> used in the management of a distance learning course. Where a
> data subject requests a reference be written and sent to a non-
> EEA country, the request itself will indicate their consent to the
> personal data transfer.
>
> <R>HE and FE institutions should not:
>
> - in the absence of a sponsorship arrangement, disclose personal
> data requested by non-EEA governments, agencies, and
> organisations for the purposes of assessing the names, numbers
> and whereabouts of foreign nationals studying overseas, without
> the specific and informed consent of the data subjects concerned.
>
> - disclose personal data requested by non-EEA governments for
> the purposes of determining liability to attend National Service,
> without the specific and informed consent of the data subjects
> concerned.
>
>
>
> Andrew Charlesworth
> Senior Lecturer in IT law
> Director, Information Law and Technology Unit
> University of Hull Law School
> Hull, UK, HU6 7RX
> Voice: 01482 466387 Fax: 01482 466388
> E-mail: [log in to unmask]
>
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|