When working with partners or commissioning services from organisations outwith the European Economic Area, the University must ensure that the protections for any personal information transferred or shared during that process are ‘adequate’ (i.e. meet the same standard as those applicable within Europe). The FAQs below provide information on how the University ensures adequacy.
The Data Protection Act 1998 is the UK implementation of the European Union’s Data Protection Directive (95/46/EC). Other countries in the European Economic Area (EEA) also have national implementations of that Directive. Accordingly, the presumption is that there is parity in the rights, freedoms and protections for data subjects in all EEA member states. In practice, this means that institutions in Europe can collaborate in ways that require the transfer of personal data between nations (although this is something that should be made clear to data subjects in fair processing statements/privacy notices and done under agreement). When collaborating with partners outwith the EEA in projects involving the transfer of personal data, the University must ensure that its partners meet the European standards for data protection before transmitting or sharing any information. This is a requirement of the Data Protection Act, detailed in the 8th data protection principle:
'Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data'
Yes, but this must be done under specific and controlled circumstances. In general, you must not transfer personal information unless this is done under an agreement (please contact the Director of Legal or the Records Manager & Information Compliance Officer for guidance). Transfer outwith the EEA will normally only take place if one of the following provisions is in place. Any exceptions to this process should be documented.
Model Contract Clauses
The Director of Legal has standard agreements that can be used when undertaking any work that involves the transfer of personal data. The specific type of agreement will depend on the nature of the transfer or sharing and the location of the party to whom information is being transferred.
For transfers outwith the EEA, all template agreements include the relevant European Union Model Contract Clauses. These clauses were developed by the EU to facilitate working with non-EEA partners or service providers and, provided that they are used without modification, they have been accepted by the regulator (the Information Commissioner) as demonstrating adequacy per the 8th data protection principle (see 2. above).
Binding Corporate Rules
Where an organisation from outwith the EEA wishes to demonstrate compliance with European standards of data protection, it can sign up to binding corporate rules with the Information Commissioner’s Office. Where an organisation has binding corporate rules in place, the University can, further to appropriate scrutiny, accept them as demonstrating adequacy per the 8th data protection principle.
Safe Harbour is a scheme that has been the basis for the transfer of personal data to the USA for some years. Organisations based in that country made a voluntary self-certification committing them to the same standard of data protection applicable in Europe and would offer that as a demonstration of adequacy per the 8th data protection principle. However, the European Court of Justice ruling in the Schrems v Facebook case (C-362/14) effectively invalidated Safe Harbour by suggesting that the scheme did not, in fact, meet the level of adequacy required. As of October 2015, Safe Harbour is not to be used as the basis for the transfer or sharing of information from the University to organisations outwith the EEA. Please see 3. above for acceptable mechanisms for the transfer of personal information outwith the EEA.
Information security is the responsibility of all University staff and is particularly important when working with or transferring personal data. Key security measures include:
- Using proper agreements and auditing the claims of partners in respect of information security.
- Involving UoD IT in the mechanisms for transfer to ensure that they are appropriate and secure.
- Never transferring personal information on the basis of local solutions – consistency is essential so the involvement of Professional Services is crucial.
Fiona O'Donnell - Director of Legal, x85073
Alan Bell - Records Manager & Information Compliance Officer, x84441
Richard Parsons - CIO, x84082
Paul Saunders - CTO, x84110
Graham McKay - IT Security, x84078