Transferring data outside the European Economic Area (EEA)
What does ‘transferring data’ mean?
The transferring data is not always as straight forward as sending data sets to a collaborator via email, hard copy, usb sticks. It also involves transient or unintentional transfers of data. This is where data is transferred to another recipient who is not the intended recipient.
- A researcher may use a web-based file storage application to store and share this data with collaborators who log in to view the files.
- A researcher may use an online survey website to collect responses from participants for their research.
On the face of it, if the researcher and participants are based in the UK then it would seem that the data remains within the UK. However, this is not the case if the website/application is based outside of the UK. This is because when the data is transferred (either to the collaborator or when the participant hits submit) it first goes to the website/application and then to the researcher/collaborator and therefore through the country in which the website/application is based.
As such all UCL staff and students should check the terms and conditions of any web application or site that is being used to either transfer or store personal data to ascertain which country the website/applications is based in. Researchers should also ensure you are familiar with the UCL guidance on data protection including the guidance relating specifically to research. There is further guidance on the use of cloud computing and data transfers that should also be reviewed and will support you in ensuring that the appropriate protections are in place for the data.
Transferring data outside the European Economic Area
Due to an EU directive there are common standards of protection for personal data throughout the European Economic Area. This means that data transferred to another EEA country will have the same protections available to data being kept within the UK.
Data protection legislation prohibits transferring personal data outside of the EEA unless certain set conditions are met. For example, that the European Commission has deemed the country provides an adequate level of protection for the data (adequacy decision), or that appropriate safeguards are in place as per the legislation. This is because countries outside of the EEA are not deemed to have the same levels of protection as within the EEA, and these restrictions and conditions are to ensure that appropriate protections are in place for that data.
All staff and students who intend to transfer data outside of the EEA must comply with these conditions and read and follow the UCL Guidance on Transferring Personal Data outside the European Economic Area guidance document.
UCL Data Protection Contact
Lee Shailer - Data Protection & Freedom of Information Officer