International Data Transfers
The ICO’s consultation process on international data transfers is currently underway, as part of the UK’s first post-Brexit step to legitimise international transfers of personal data out of the UK.
The consultation is important for education institutions and particularly relevant to any university or college that transfers personal data outside the UK, EEA or those countries which the UK has confirmed provide adequate protection for personal data.
Scope of the ICO consultation
The ICO’s consultation is split into the following three sections:
International Data Transfer Agreement (“IDTA”)
The IDTA is the ICO’s draft document which UK education institutions will need to implement when transferring personal data outside of the UK (available here).
The IDTA, which will replace the current set of Standard Contractual Clauses (“SCCs”) for transfers of personal data from the UK, consolidates the full range of SCCs that may be required into one document. The IDTA caters for controller-processor, controller-controller and processor-processor transfers, but notably it does not provide for processor-controller scenarios in the same manner as the new EU SCCs. The IDTA includes four parts:
- template tables to be populated for each relevant transfer, capturing specific information about the parties, for example the names of the parties, the details of the personal data transferred and any security requirements;
- optional extra protection clauses, such as additional technical security protections, organisational protections or contractual protections;
- optional commercial clauses agreed between the parties, provided that these do not contradict the IDTA; and
- a set of mandatory clauses, which must be adopted in their entirety, except that the parties may remove sections they explicitly agree to omit, adapt cross-referencing and add more parties to the IDTA.
A UK Addendum
The ICO has produced a UK Addendum for inclusion in the European Commission’s standard contractual clauses (available here). The UK Addendum can be used as an alternative to the IDTA; it substitutes references to the EU GDPR with UK GDPR and addresses issues such as governing law and choice of forum and jurisdiction for disputes. This will be invaluable for institutions that are routinely making data transfers to international campuses or partners: the UK Addendum allows you to use just one set of SCCs (the EC SCCs along with the UK Addendum) to cover both transfers, avoiding the need to use both the EC SCCs and the UK IDTA, thereby simplifying the contractual process. The inclusion of the UK Addendum undoubtedly shows the ICO’s willingness to integrate with global privacy positions.
Risk Assessment Guidance
The ICO’s guidance on international data transfers has been produced in response to Schrems II, in order to assist organisations with carrying out a transfer risk assessment. The guidance includes a practical and user-friendly draft TRA tool (available here). It is designed to be used alongside the IDTA to evaluate risks associated with personal data transfers to third countries, with clear examples of the criteria to take into account, decision trees, risk factors, and mitigations that institutions can apply when undertaking a risk assessment.
The draft risk assessment tool uses three steps to evaluate the risk:
- appraise the transfer itself (e.g. consider the purpose of the transfer, types of personal data and categories of data subjects);
- assess if the IDTA is likely to be enforceable in the destination country; and
- consider whether there is appropriate protection for the data from third-party access.
What does this mean for education institutions?
The new IDTA and risk assessment guidance are welcome news for UK-based institutions, particularly those that have international campuses or partners and act as both controllers and processors. The consultation provides some certainty on the approach to data transfers from the UK post-Brexit and supports planning around refreshing the SCCs.
For the time being, the transfer risk assessment and IDTA are in draft form pending completion of the consultation, following which proposals will be laid before Parliament.
Institutions should continue to review international data flows, transfers under the existing SCCs and current practices and consider the changes that may be required.
For further information on this consultation and the impact it could have for institutions, contact Isabelle Hugh-Jones or another member of the education team.
Get In Contact
Isabelle has recently qualified as a solicitor in the Commercial and IP team and advises clients on a wide variety of commercial matters including commercial contracts, intellectual property, IT and data protection.