XClose

Data Protection

Menu

Data Protection Updates

UCL’s response to the ICO’s consultation on draft guidance for the research provisions within the UK GDPR and the DPA 2018

UCL responded on 21 April 2022 to the ICO’s consultation on draft guidance for the research provisions within the UK GDPR and the DPA 2018. Data protection law contains a number of provisions for processing personal data for research purposes. The aim of the guidance is to highlight where in the legislation the various provisions that relate to research can be found, how they fit together and their practical effect. It also provides guidance on the definition of key terms, which will help organisations understand when they can rely on the research provisions.

UCL believes this is well drafted guidance which will be of practical use to researchers. We welcome the ICO’s draft guidance on the research provisions within the UK GDPR and the DPA 2018. The guidance is clear and easily accessible, so will be a very useful tool for our researchers who process personal data.

UCL response to ICO research consultation

European Union (EU) Commission’s announcement on the approval of the United Kingdom’s (UK) adequacy

On 28 June the EU Commission announced that a General Data Protection Regulation adequacy decision for the UK has been approved.

The decision means that the EU has determined the UK to have adequate data protection laws to allow personal data to safely flow from the EU (and European Economic Area (EEA)) to the UK.The adequacy decision is for four years but may be revoked or revised without the need to engage with the UK.The decisions mean personal data can continue to flow freely from the EU to the UK without the need for businesses to put additional arrangements in place. such as Standard Contractual Clauses as long as UK and EEA businesses are observing their respective data protection frameworks.

Further information (external links):

European Commission: Commission adopts adequacy decisions for the UK

UK Government: EU adopts ‘adequacy’ decisions allowing data to continue flowing freely to the UK

Information Commissioner’s Office (ICO): ICO statement in response to the EU Commission’s announcement on the approval of the UK’s adequacy

The EU - U.S. Privacy Shield is no longer valid

The European Court of Justice has invalidated the EU - U.S. Privacy Shield: Schrems II case, that allowed the transfer of personal data between the two regions, stating that personal data protection and its judicial protection in the U.S. is not in keeping with requirements of EU law.

This will affect any future contracts determining whether data can be transferred to a U.S. based company. UCL has produced a short guidance note based on the initial impact of this decision.  If you have any queries surrounding this issue after reading our guidelines, please contact the data protection office before doing so on: data-protection@ucl.ac.uk.