If data is processed and hosted in the UK, can it be reviewed from outside of the UK? How does the ICO view this? Does the Data Protection Act allow for review of data from outside of the EU?
Review platforms, such as Attenex, Relativity, RingTail, or IConect, allow for reviewers to plough through very large amounts of documents usually via a web browser. The reviewers can be anywhere in the world, as long as they have access to the internet. E.g. a Manchester case, with the data hosted in London, can be reviewed by a law firm in Bristol. This example, of 3 UK cities, does not pose any legal problems. However what if the review is to be conducted outside of the UK? E.g if the data to be reviewed is from the UK, is processed and hosted in the UK, but reviewed by a New York law firm, what does the law state about this?
The UK legislation says both a lot and very little about the subject.
The Data Protection Act has 8 core principles, it is the eighth principle which is most relevant in this case. This principle states that ““Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.”
This means that data cannot be transferred out of the EEA, without permission of the custodian/person whose data it is, a safe harbor agreement, consent of the EU, or other acceptable EU security measure.
What does this mean for a reviewers? Is the data “transferred” out of the EEA durign a review? The term transfer is not described in legislation. Tools like Relativity, can prevent the physical of native documents, and only allow a “review” of the text or image (TIFF/PDF), this would imply that data was not transferred from the UK to the reviewers country (in this example the US), as it has not left anywhere. Also the act does not count transit as transfer.
However the ICO takes a different view. The ICO’s opinon on 2nd March 2008, and previously implied by the ICO, is that reviewing data from the the US (or any third party country) would effectively come under the eighth principle, as it is a transfer of data under the meaning of the act.
This taken alone would imply that reviewing data from a third party country, outside of the EEA would be an offence, which the ICO could prosecute for. With the ICO gradually gaining more powers to protect data and privacy in the UK, and pushing for more powers, the threat of a fine to law firms and data processesors has to be taken seriously.
However the ICO has stated that this problem can be resolved by a contract with the third party reviewing the data. For example if Company A was hosting data from Company B and Law Firm C, based in the US, wanted to review the data a contract between Company B and Law Firm C, guaranteeing the protection of the data, and suitable IT security by Company B and Law Firm C, should resolve the problem, and prevent any breach of the eighth principle.
Legal advice from an independent law firm and the ICO should be obtained in relation to transferring data outside of the UK. This article is provided for information purposes only and should not be construed as legal advice.