Request for comments:

*Key*
<T> = title
<ST> = Subtitle
<R> = Recommendation

<T> Transfers of data to non-EEA countries

The Data Protection Act 1998 contains specific provisions with 
regard to the transfer of personal data to countries outside the EEA 
(the EU Member States, plus Norway, Iceland and Liechtenstein). 
The eighth data protection principle states “Personal data shall not 
be transferred to a country or territory outside the European 
Economic Area unless that country or territory ensures an 
adequate level of protection for the rights and freedoms of data 
subjects in relation to the processing of personal data.”  This is 
qualified by a number of conditions set out in Schedule 4 DPA 
1998; for example, personal data may be transferred to a country 
without an adequate level of protection where the data subject has 
given his consent to the transfer.

There will be two elements involved when determining the adequacy 
of protection of data privacy in a non-EEA country to which 
personal data are to be transferred.  

 - the substantive rules that apply to protection of the data; 

 - the methods of enforcement by which compliance with those 
substantive rules is attained. 

The first of the elements can be achieved by ensuring that the 
substantive rules that apply to the transferee have the same effect 
as those contained in the Act.  There are a number of ways that 
this could be achieved: national legislation in the jurisdiction to 
which the data are transferred; codes of conduct at an industry or 
sectoral level; or specific contractual provisions between the UK-
based transferor and the transferee; or elements of all three.  
However, the second element poses a thornier problem: it is 
difficult to see, for instance, how data subjects might be provided 
with similar private legal rights of action against non-EEA data 
transferees to those that they have available against EEA-based 
transferees under the Act.

The ODPC has produced a preliminary guidance note entitled “The 
Eighth Data Protection Principle and Transborder Dataflows” which 
provides a detailed legal analysis and suggests a “good practice 
approach” to assessing adequacy, including consideration of the 
issue of contractual solutions.

<R> HE and FE institutions should:
 - have particular regard to the recommendations in the ODPC 
preliminary guidance note “The Eighth Data Protection Principle 
and Transborder Dataflows” when determining 

 -- whether or not a country has adequate protections for personal 
data in relation to the proposed transfer;

 -- the proper procedure to adopt for transfer of personal data to non-
EEA countries.

 - consider whether or not and, if so, the extent to which, a 
decision to treat the third country as adequate in relation to the 
proposed transfer will prejudice the fundamental rights and 
freedoms of the data subject(s), and in particular their right to 
privacy with respect to the processing of personal data 

 - be able to justify any decision they make about adequacy should 
it prove necessary for the ODPC to enquire as to the basis for any 
transfer to a third country

 - consider whether specific transfers of personal data to a non-
EEA country may be necessary:

 -- for the performance of a contract between the data subject and 
the data controller, or

 -- for the taking of steps at the request of the data subject with a 
view to their entering into a contract with the data controller, or

 -- for the conclusion of a contract between the data controller and 
a person other than the data subject which was entered into at the 
request of the data subject, or is in the interests of the data 
subject, or for the performance of such a contract.

Such transfers are exempted from the prohibition on transfer.  
Examples in the HE and FE sector would include: requests by HE 
and FE institutions to non-EEA governments, agencies, and 
organisations for information necessary to determine academic 
eligibility for attending a course of study in the UK; transfers of 
personal data to non-EEA governments, agencies, and 
organisations sponsoring students to attend a course of study in 
the UK, where such sponsorship is dependent upon attendance 
and/or performance criteria; transfers of personal information (e.g. 
examination marks), relating to, and required by, data subjects 
engaged in distance learning courses.
    
 - be able to justify any decision they make about exempted 
transfers should it prove necessary for the ODPC to enquire as to 
the basis for any transfer to a third country

 - in most other circumstances, obtain the specific and informed 
consent of the data subject before transferring personal data to a 
non-EEA country, that is 

 -- the data subject should be made aware of the risks that the 
institution may have assessed as being involved in the transfer; and

 -- the data subject should have given clear consent to the transfer.

The institution should be able to produce clear evidence of the data 
subject’s consent in any particular case and be able to prove that 
the data subject was informed as required.  Consent in writing is 
thus recommended.  An example in the HE and FE sector would 
be the transfer of staff personal data to a non-EEA country to be 
used in the management of a distance learning course.  Where a 
data subject requests a reference be written and sent to a non-
EEA country, the request itself will indicate their consent to the 
personal data transfer.
    
<R>HE and FE institutions should not:

 - in the absence of a sponsorship arrangement, disclose personal 
data requested by non-EEA governments, agencies, and 
organisations for the purposes of assessing the names, numbers 
and whereabouts of foreign nationals studying overseas, without 
the specific and informed consent of the data subjects concerned.

 - disclose personal data requested by non-EEA governments for 
the purposes of determining liability to attend National Service, 
without the specific and informed consent of the data subjects 
concerned.



Andrew Charlesworth
Senior Lecturer in IT law
Director, Information Law and Technology Unit
University of Hull Law School
Hull, UK, HU6 7RX
Voice: 01482 466387   Fax:   01482 466388