The Data Protection Act, whose enforcement comes under the ICO, has 8 core principles. The 8th principle, the one which most affects those in the electronic discovery industry, relates to the “transfer of data”.
The eighth principle states that:
“Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.”
The ICO has produced a paper in relation to the difficult subject of international data transfers.
The legislation in the UK and EU states that
“The Member States shall provide that the transfer to a third country of personal data which are undergoing processing or are intended for processing after transfer may take place only if …the third country in question ensures an adequate level of protection.”
Somewhat inconveniently, the DPA does not define “transfer”, but it is accepted that “transfer” does not include transit. For example, if a hard drive containing personal data has to go from the UK to Italy, but the courier has to go via Russia (e.g. for logistical reasons), then the data would not be, for the purposes of the Act, considered to have been “transferred” to Russia, and therefore there would not be a breach.
Several third-party countries have already shown that they have “adequate” data protection measures in place; these are:
- Isle of Man
The US has an arrangement with the government to export specific data in relation to airline passengers. An up-to-date list of countries which are accepted as “adequate” is available from the EU.
However, data may still be transferred to third-party countries if the data controller puts in place the correct procedures during the transfer to ensure there is adequate data security.
“Where the data protection regime in the third country has not been subject to a Commission finding of adequacy, it is for exporting controllers to assess adequacy in a way which is consistent with the Directive and the Act. In carrying out this assessment of adequacy, the Commissioner would expect exporting controllers to be able to demonstrate how they have addressed the various criteria set out in this guidance.”
Like the term “transfer”, the term “adequate” security is not defined within the Act, but there are criteria for assessing the security needed:
- the nature of the personal data
- the purpose(s) of the proposed transfer
- the period during which the data are intended to be processed
- any security measures taken in respect of the data in the third country
- the country of origin of the personal data; and
- the country of final destination of the personal data.