Request for comments:

*Key*
<T> = title
<ST> = Subtitle
<R> = Recommendation

<T> Transfers of data to non-EEA countries

The Data Protection Act 1998 contains specific provisions with regard to the transfer of personal data to countries outside the EEA (the EU Member States, plus Norway, Iceland and Liechtenstein). The eighth data protection principle states “Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.” This is qualified by a number of conditions set out in Schedule 4 DPA 1998, for example, personal data may be transferred to a country without an adequate level of protection where the data subject has given his consent to the transfer.

There will be two elements involved when determining the adequacy of protection of data privacy in a non-EEA country to which personal data are to be transferred:

- the substantive rules that apply to protection of the data;
- the methods of enforcement by which compliance with those substantive rules is attained.

The first of the elements can be achieved by ensuring that the substantive rules that apply to the transferee have the same effect as those contained in the Act. There are a number of ways that this could be achieved: national legislation in the jurisdiction to which the data are transferred; codes of conduct at an industry or sectoral level; or specific contractual provisions between the UK-based transferor and the transferee; or elements of all three. However, the second element poses a thornier problem: it is difficult to see, for instance, how data subjects might be provided with similar private legal rights of action against non-EEA data transferees to those that they have available against EEA-based transferees under the Act.

The ODPC has produced a preliminary guidance note entitled “The Eighth Data Protection Principle and Transborder Dataflows” which provides a detailed legal analysis and suggests a “good practice approach” to assessing adequacy, including consideration of the issue of contractual solutions.

<R> HE and FE institutions should:

- have particular regard to the recommendations in the ODPC preliminary guidance note “The Eighth Data Protection Principle and Transborder Dataflows” when determining
  -- whether or not a country has adequate protections for personal data in relation to the proposed transfer;
  -- the proper procedure to adopt for transfer of personal data to non-EEA countries.
- consider whether or not and, if so, the extent to which, a decision to treat the third country as adequate in relation to the proposed transfer will prejudice the fundamental rights and freedoms of the data subject(s), and in particular their right to privacy with respect to the processing of personal data
- be able to justify any decision they make about adequacy should it prove necessary for the ODPC to enquire as to the basis for any transfer to a third country
- consider whether specific transfers of personal data to a non-EEA country may be necessary:
  -- for the performance of a contract between the data subject and the data controller, or
  -- for the taking of steps at the request of the data subject with a view to their entering into a contract with the data controller, or
  -- for the conclusion of a contract between the data controller and a person other than the data subject which was entered into at the request of the data subject, or is in the interests of the data subject, or for the performance of such a contract.
  Such transfers are exempted from the prohibition on transfer.
  Examples in the HE and FE sector would include: requests by HE and FE institutions to non-EEA governments, agencies, and organisations for information necessary to determine academic eligibility for attending a course of study in the UK; transfers of personal data to non-EEA governments, agencies, and organisations sponsoring students to attend a course of study in the UK, where such sponsorship is dependent upon attendance and/or performance criteria; transfers of personal information (e.g. examination marks), relating to, and required by, data subjects engaged in distance learning courses.
- be able to justify any decision they make about exempted transfers should it prove necessary for the ODPC to enquire as to the basis for any transfer to a third country
- in most other circumstances, obtain the specific and informed consent of the data subject before transferring personal data to a non-EEA country, that is
  -- the data subject should be made aware of the risks that the institution may have assessed as being involved in the transfer; and
  -- the data subject should have given clear consent to the transfer.
  The institution should be able to produce clear evidence of the data subject’s consent in any particular case and be able to prove that the data subject was informed as required. Consent in writing is thus recommended.
  An example in the HE and FE sector would be the transfer of staff personal data to a non-EEA country to be used in the management of a distance learning course.
  Where a data subject requests a reference be written and sent to a non-EEA country, the request itself will indicate their consent to the personal data transfer.

<R> HE and FE institutions should not:

- in the absence of a sponsorship arrangement, disclose personal data requested by non-EEA governments, agencies, and organisations for the purposes of assessing the names, numbers and whereabouts of foreign nationals studying overseas, without the specific and informed consent of the data subjects concerned.
- disclose personal data requested by non-EEA governments for the purposes of determining liability to attend National Service, without the specific and informed consent of the data subjects concerned.

Andrew Charlesworth
Senior Lecturer in IT law
Director, Information Law and Technology Unit
University of Hull Law School
Hull, UK, HU6 7RX
Voice: 01482 466387
Fax: 01482 466388