International data transfers require risk assessment to protect personal data. Where risks exist, safeguards such as Transfer Risk Assessments and Standard Contractual Clauses must be applied.
Introduction
In the lifecycle of data processing, you may need to send personal data to another country. This could be in the context of engaging a supplier for goods or services, academic exchange, research, collaborations etc. It is a legal requirement to ensure that before any personal data is transferred, consideration is given to the risk that the transfer may pose. Where risks are identified, appropriate safeguards will need to be put in place to protect the personal data being transferred.
Transfer safeguards and adequacy
At UCL, we routinely use standard contractual clauses (SCCs) within our contracts to comply with the requirement to safeguard personal data when transferring to another country in accordance with the UK General Data Protection Regulation (UK GDPR), alongside any other transfer safeguards that may be required. We also need to assess the risks of sending data to other countries that have not already been considered ‘adequate’. These risks are identified through carrying out a Transfer Risk Assessment (TRA) before sending personal data to non-adequate countries.
A country is considered to be adequate where the data protection laws of that country are considered to be essentially equivalent to the UK’s data protection laws, and in essence, both countries offer a similar level of data protection to individuals. Examples of adequate countries include the EEA states, Gibraltar, Guernsey, Isle of Man, Jersey, Switzerland, Japan, South Korea, New Zealand, Uruguay and Argentina. A decision of adequacy means the requirement to use SCCs or any other transfer safeguard is not necessary and the transfer can go ahead without additional contractual protections needing to be added.
A transfer of personal data to a country not covered by the adequacy regulations is a Restricted Transfer. This means you need to put transfer safeguards in place, such as SCCs, before making any transfer. It is also necessary to conduct a TRA to identify any relevant risks associated with the transfer.
Please note that a single TRA can be carried out for similar or connected transfers of personal data (or, if preferred or easier, each specific similar transfer can have its own TRA). Please ensure the chosen approach is clear, and that transfers that are not similar are treated with separate TRAs. If you have any questions on whether your transfers may need separate TRAs or not, please contact the DPO using the details below.
It is also important to ensure that, for ongoing transfers, the risks involved with the transfer are reassessed after a period of time to determine whether any additional safeguards are required. This could include reviewing any changes to the type of processing undertaken, any security changes, and any updates to the legal framework of the recipient country.
For further information on countries the UK considers ‘adequate’, please click on the following link: https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/international-transfers/international-transfers-a-guide/#Q1.
If you are unsure if the country you are sending information to is covered by the adequacy regulation, then please contact the UCL Data Protection Officer (DPO) at Data-Protection@ucl.ac.uk.
TRA templates
The ICO has created a toolkit for conducting a TRA which can be used for your relevant transfer:
Transfer risk assessment tool.
Further guidance on TRAs can be found here: https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/international-transfers/completing-a-transfer-risk-assessment/
UCL has already conducted umbrella TRAs for the following countries:
United States of America
Australia
If you are in the process of sending personal data to one of these countries, the related umbrella TRA can be found by clicking on the relevant country above.
Some additional information may be required to finalise the TRA. This will be captured in the Data Protection Impact Assessment (DPIA).
It may still be necessary to conduct a further TRA for the countries mentioned above if the Restricted Transfer has a high risk of harm. Please note additional requirements apply to data transfers with a high risk of harm. If you are unsure as to whether you still need to conduct a TRA, please contact the DPO. A high risk of harm is described by the ICO as one that is:
“likely to cause significant financial harm, physical harm, mental health harm or distress. Urgent action is required to put this right and minimise the harm caused. If this was a data breach, you would need to inform the ICO and the people the information is about”.
For all other countries that are not considered adequate and that are not listed above, a TRA will need to be conducted. Use the ICO toolkit to conduct the TRA. Keep a record of it with the rest of the documents pertaining to the transfer to demonstrate compliance with this legal requirement. Please also note that conducting a TRA does not mean a transfer can automatically occur. If the TRA concludes that there are not sufficient safeguards for the transfer and the risk is too high (and no legal exceptions exist) then the transfer should not be made unless agreed with the DPO and the relevant Legal Services team.
You may need advice from other teams at UCL to help with high risk transfers – particularly if you are unsure as to whether a transfer can go ahead after the findings of your TRA. In particular, you may need advice from ISD, Legal Services or the Data Protection Team. You can contact these teams using the following links: