ScHARR Information Governance


Policy Section 7: International Data Transfers

Version 17/03/31

Background

This policy applies to all ScHARR staff, with particular importance for those who work with risk-bearing data.

In accordance with Principle 8 of the Data Protection Act and the European Parliament and Council Directive 95/46/EC, any risk-bearing data may not be transferred to locations outside the European Economic Area (EEA) unless the receiving organisation is in a position to guarantee the security rights of the data subjects to a satisfactory standard.

Policy

In addition to the considerations listed in Section 6:
  • Prior to any data transfer outside the EEA, the Section IG Lead must be consulted.
  • Depending on the complexity of the case it may be necessary to seek more detailed advice from the University’s Research and Innovation Services or from the Information Commissioner’s Office.
  • If the recipient country is not on the list of approved destinations it may be necessary to draft specific contractual guarantees with respect to confidentiality. This should be dealt with on a case-by-case basis.
  • Data that has been anonymised, or subjected to strong pseudonymisation, may usually be transferred to locations outside the EEA without restriction, as neither the DPA principle nor the EU directive applies.
  • Data transfers to any location are permitted when the data subject or subjects have given unambiguous, free and informed consent for the transfer to take place.

Further Information

Information Commissioner’s Office
https://ico.org.uk/for-organisations/guide-to-data-protection/
https://ico.org.uk/media/for-organisations/documents/1529/assessing_adequacy_international_data_transfers.pdf

European Union Commission website pages dealing with international data transfers
http://ec.europa.eu/justice/data-protection/data-collection/data-transfer/index_en.htm

Section 8: Data processing by third parties