Electronic Discovery: Reviewing UK data from outside the EU

If data is processed and hosted in the UK, can it be reviewed from outside of the UK? How does the ICO view this? Does the Data Protection Act allow for review of data from outside of the EU?

Review platforms, such as Attenex, Relativity, RingTail, or IConect, allow for reviewers to plough through very large amounts of documents usually via a web browser. The reviewers can be anywhere in the world, as long as they have access to the internet.  E.g. a Manchester case, with the data hosted in London, can be reviewed by a law firm in Bristol. This example, of 3 UK cities, does not pose any legal problems. However what if the review is to be conducted outside of the UK? E.g if the data to be reviewed is from the UK, is processed and hosted in the UK, but reviewed by a  New York law firm, what does the law state about this?

The UK legislation says both a lot and very little about the subject.

The Data Protection Act has 8 core principles, it is the eighth principle which is most relevant in this case.   This principle states that ““Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.”

This means that data cannot be transferred out of the EEA, without permission of the custodian/person whose data it is, a safe harbor agreement, consent of the EU, or other acceptable EU security measure.

What does this mean for a reviewers? Is the data “transferred” out of the EEA durign a review? The term transfer is not described in legislation. Tools like Relativity, can prevent the physical of native documents, and only allow a “review” of the text or image (TIFF/PDF), this would imply that data was not transferred from the UK to the reviewers country (in this example the US), as it has not left anywhere. Also the act does not count transit as transfer.

However the ICO takes a different view. The ICO’s opinon on 2nd March 2008, and previously implied by the ICO, is that reviewing data from the the US (or any third party country) would effectively come under the eighth principle, as it is a transfer of data under the meaning of the act.

This taken alone would imply that reviewing data from a third party country, outside of the EEA would be an offence, which the ICO could prosecute for. With the ICO gradually gaining  more powers to protect data and privacy  in the UK, and pushing for more powers, the threat of a fine to law firms and data processesors has to be taken seriously.

However the ICO has stated that this problem can be resolved by a contract with the third party reviewing the data. For example if Company A was hosting data from Company B and Law Firm C, based in the US, wanted to review the data a contract between Company B and Law Firm C, guaranteeing the protection of the data, and suitable IT security by Company B and Law Firm C, should resolve the problem, and prevent any breach of the eighth principle.

Legal advice from an independent law firm and the ICO should be obtained in relation to transferring data outside of the UK. This article is provided for information purposes only and should not be construed as legal advice.

Law: Data Protection Act – 8th Principle

The Data Protection Act, whose enforcement comes under the ICO, has 8 core principles. The 8th principle, the one which most effects those in the electronic discovery industry, relates to the “transfer of data”.

The eighth principle states that:

Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.”

The ICO has produced a paper in relation to the difficult subject of international data transfers.

The legislation in the UK and EU states that

The Member States shall provide that the transfer to a third country of personal data which are undergoing processing or are intended for processing after transfer may take place only if …the third country in question ensures an adequate level of protection.”

Somewhat inconveniently, the DPA does not define “transfer”, but it is excepted that “transfer” does not include transit. for example if a hard drive containing personal data has to go from the UK to Italy, but the courier, has to go via Russia (e.g for logistical reasons), then the data would not be, for the purposes of the act, considered to have been “transfered” to Russia, and therefore there would not be a breach.


Several third party countries have already shown that they have “adequate” data protection measures in place, these are:

  • Argentina
  • Canada
  • Guernsey
  • Isle of Man
  • Switzerland
  • Jersey

The US has an arrangment with the government to export specific data in relation to airline passengers. An upto date list of countires which are accepted as “adequate” is available from the EU.

However if data is to be transfered to third part countries if the data controller puts in place the correct procedures during the transfer to ensure there is adequate data security.

Where the data protection regime in the third country has not been subject to a Commission finding of adequacy, it is for exporting controllers to assess adequacy in a way which is consistent with the Directive and the Act. In carrying out this assessment of adequacy, the Commissioner would expect exporting controllers to be able to demonstrate how they have addressed the various criteria set out in this guidance.”

Like the term “transfer” the term  “adequate” security is not defined within the act, but there are criteria in relation to assesing the security needed.

  • the nature of the personal data
  • the purpose(s) of the proposed transfer
  • the period during which the data are intended to be processed
  • any security measures taken in respect of the data in the third country
  • the country of origin of the personal data; and
  • the country of final destination of the personal data.

Where is your data? Redacted and Locked away

The Government who pioneered “open government” and the Freedom of Information Act, are certainly not living up to spirit of the law they created. In 1996 Tony Blair stated, in a speech about open government, that “The only way to begin to restore people’s trust [in Government] is therefore to be completely open“.

However despite this laudable goal, and numerous other assertions of “open government, a request to access the cabinet record minutes in relation to the Iraq war has been refused by the Labour Government.

This is particulary interesting as both the Information Tribunal and the ICO have stated that the minutes should be released.

The Information Commissioner, Richard Thomas has publicly stated that:

My Decision to order disclosure of the Cabinet minutes was made under the Freedom of Information Act on public interest grounds. It was upheld by the Information Tribunal. It was made clear by the Tribunal and by me that this was an exceptional case.

The government has chosen not to appeal the Tribunal’s decision to the High Court, but instead has exercised its right of veto under the FOI Act. However, it is vital that this is also an exceptional response. Anything other than exceptional use of the veto would threaten to undermine much of the progress made towards greater openness and transparency in government since the FOI Act came into force.

I shall be studying the text of the Secretary of State’s Certificate and Statement of Reasons which I received today. Using the power available to me under section 49(2) of the Freedom of Information Act, I will shortly lay a report before Parliament to record the circumstances leading to this outcome. This will be in line with previous commitments I have made and the interest shown by past Select Committees in the potential use of the veto.

This case of the government of refusing to release data, follows quickly on from the “torture case“, where the UK government has evidence of torture, which is redacted, but will not allow the redacted text to be seen, despite the trial judge stating its in the public interest.

Data Misuse: Police Chief Constable Arrested

In January 2009 the ex-Assistant Chief Constable of West Yorkshire police, Andy Brown was arrested for breach of the data protection act.

In an odd story involving ex-police officers, serving police officers, and a missing dog, it appears that Andy Brown gained access to the PNC  (police national computer) to check the registered owner of a vehicle, in an attempt to locate a friends dog.

This latest case of data misuse does not appear to be  particularly sinister, just a case of of an “ex-job” guy helping out a friend, rather than going throught the police channels, which would have resulted in the same information being obtained. What is it does remind us of is how easy it is for people to get information out of PNC. In fact if there had not been a complaint in this case, nobody would have known.

How often does this happen, and nobody gets caught?

Data Loss Sanctions: NHS

The NHS has been sanctioned by the ICO, after being found guilty of breach of the data protection laws, in relation to loss of a laptop in April 2008

5,000 patients records were lost on a laptop which was not encrypted. This is the first ICO sanction against the NHS this year, but with so many cases of data loss last year by the NHS, there are probably many more to come.

No doubt many other government departments will be facing criticism by the ICO this year.


Get every new post delivered to your Inbox.

Join 29 other followers