Transferring data outside the UK
What does ‘transferring data’ mean?
Transferring data is not always as straightforward as sending data sets to a collaborator via email, hard copy or USB stick. It also covers transient or unintentional transfers of data, where data is transferred to a recipient who is not the intended recipient. For example:
- A researcher may use a web-based file storage application to store and share this data with collaborators who log in to view the files.
- A researcher may use an online survey website to collect responses from participants for their research.
On the face of it, if the researcher and participants are based in the UK then it would seem that the data remains within the UK. However, this is not the case if the website/application is based outside of the UK. This is because when the data is transferred (either to the collaborator or when the participant hits submit) it first goes to the website/application and then to the researcher/collaborator and therefore through the country in which the website/application is based.
As such, all UCL staff and students are strongly advised to check the terms and conditions of any web application or site that is being used to either transfer or store personal data to ascertain which country the website/application is based in.
Researchers should also ensure they are familiar with the UCL guidance on data protection including the guidance relating specifically to research.
- Transferring data within the European Economic Area
Due to an EU directive, there are common standards of protection for personal data throughout the European Economic Area. This means that data transferred to another EEA country will have the same protections as are available to data kept within the UK.
- Transferring data outside the European Economic Area (excluding the US)
Principle 8 of the Data Protection Act 1998 states that personal data shall not be transferred to a country or territory outside the European Economic Area (EEA) unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
The European Commission website provides a list of countries that provide adequate levels of protection, therefore allowing the transfer of personal data.
- Transferring data to the United States
In order to transfer personal data to the United States, the US recipient must have signed up to the Privacy Shield Framework.
What is the Privacy Shield?
The EU-US Privacy Shield replaces the invalidated Safe Harbour agreement, providing additional obligations to protect personal data, as well as establishing monitoring and reporting obligations.
Further information can be found on the European Commission Factsheet.
New agreements to transfer data to the United States
Now that the Privacy Shield is in force, any new agreements to transfer data should only be agreed if the US recipient (this includes universities) has signed up to the Privacy Shield Framework.
Researchers planning on transferring data to the US to a recipient that has not signed up to the Privacy Shield Framework should contact the UCL Data Protection Officer regarding one of the following alternative arrangements:
- An assessment of adequacy by UCL, taking into account, amongst other things, the nature of the personal data, the safeguards in place and any privacy legislation that exists in the destination country.
- Putting in place model contract clauses, which utilise specific contractual obligations created by the EC that must be adhered to.
- Seeking the explicit consent of the data subjects.
Existing transfers under Safe Harbour
Existing agreements that have to date relied on Safe Harbour may continue if the US recipient signs up to the Privacy Shield Framework. Researchers who are currently working with US recipients under the invalid Safe Harbour agreement are advised to contact the UCL Data Protection Officer on how to proceed, as any transfer continuing on the basis of Safe Harbour will likely be considered unlawful.
UCL Data Protection
Alex Daybank, UCL Data Protection Officer