Law: Data Protection Act – 8th Principle

The Data Protection Act, whose enforcement comes under the ICO, has 8 core principles. The 8th principle, the one which most effects those in the electronic discovery industry, relates to the “transfer of data”.

The eighth principle states that:

Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.”

The ICO has produced a paper in relation to the difficult subject of international data transfers.

The legislation in the UK and EU states that

The Member States shall provide that the transfer to a third country of personal data which are undergoing processing or are intended for processing after transfer may take place only if …the third country in question ensures an adequate level of protection.”

Somewhat inconveniently, the DPA does not define “transfer”, but it is excepted that “transfer” does not include transit. for example if a hard drive containing personal data has to go from the UK to Italy, but the courier, has to go via Russia (e.g for logistical reasons), then the data would not be, for the purposes of the act, considered to have been “transfered” to Russia, and therefore there would not be a breach.


Several third party countries have already shown that they have “adequate” data protection measures in place, these are:

  • Argentina
  • Canada
  • Guernsey
  • Isle of Man
  • Switzerland
  • Jersey

The US has an arrangment with the government to export specific data in relation to airline passengers. An upto date list of countires which are accepted as “adequate” is available from the EU.

However if data is to be transfered to third part countries if the data controller puts in place the correct procedures during the transfer to ensure there is adequate data security.

Where the data protection regime in the third country has not been subject to a Commission finding of adequacy, it is for exporting controllers to assess adequacy in a way which is consistent with the Directive and the Act. In carrying out this assessment of adequacy, the Commissioner would expect exporting controllers to be able to demonstrate how they have addressed the various criteria set out in this guidance.”

Like the term “transfer” the term  “adequate” security is not defined within the act, but there are criteria in relation to assesing the security needed.

  • the nature of the personal data
  • the purpose(s) of the proposed transfer
  • the period during which the data are intended to be processed
  • any security measures taken in respect of the data in the third country
  • the country of origin of the personal data; and
  • the country of final destination of the personal data.

2 Responses to “Law: Data Protection Act – 8th Principle”

  1. Electronic Discovery: Reviewing UK data from outside the EU « Data - Where is it? Says:

    […] Data Protection Act has 8 core principles, it is the eighth principle which is most relevant in this case.   This principle states that ““Personal data shall […]

  2. UK Law: Madoff Data « Data - Where is it? Says:

    […] the UK the data protection act prevents data from being sent out of the EU (under the 8th principle), unless there are adequate safe guards. There are exceptions, as there are with all laws, one of […]

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: