ICO consults on new way forward for international data transfers

The IDTA is the ICO’s draft document which UK education institutions will need to implement when transferring personal data outside of the UK (available here). 

The IDTA, which will replace the current set of Standard Contractual Clauses (“SCCs”) for transfers of personal data from the UK, consolidates the full range of SCCs that may be required into one document. The IDTA caters for controller-processor, controller-controller and processor-processor; but notably it does not provide for processor-controller scenarios in the same manner as the new EU SCCs. The IDTA includes four parts: 

• template tables to be populated for each relevant transfer, capturing specific information about the parties, for example the names of the parties, the details of the personal data transferred and any security requirements; 
• optional extra protection clauses, such as additional technical security protections, organisational protections or contractual protections; 
• optional commercial clauses agreed between the parties, provided that these do not contradict the IDTA; and 
• a set of mandatory clauses, which must be adopted in their entirety except only to remove sections that the parties explicitly agree to omit, adapt cross-referencing and add more parties to the IDTA. 

The ICO has produced a UK addendum for inclusion to the European Commission’s standard contractual clauses (available here). The UK Addendum can be used as an alternative to the IDTA and substitutes references to the EU GDPR with UK GDPR and addresses issues such as governing law and choice of forum and jurisdiction for disputes. This will be invaluable for institutions that are routinely making data transfers to international campuses or partners; the UK Addendum allows you to use just one set of SCCs (the EC SCCs along with the UK Addendum) to cover both transfers, avoiding the need to use both the EC SCCs and the UK IDTA, thereby simplifying the contractual process. The inclusion of the UK Addendum undoubtedly shows the ICO’s willingness to integrate with global privacy positions. 

The ICO’s guidance on international data transfers has been produced in response to Schrems II, in order to assist organisations with carrying out a transfer risk assessment. The guidance includes a practical and user-friendly draft TRA tool (available here). It is designed to be used alongside the IDTA to evaluate risks associated with personal data transfers to third countries, with clear examples of the criteria to take into account, decision trees, risk factors, and mitigations that institutions can apply when undertaking a risk assessment.  

The draft risk assessment tool takes into account three steps to evaluate the risk: 

• appraise the transfer itself (e.g. consider the purpose of the transfer, types of personal data and categories of data subjects); 

• assess if the IDTA is likely to be enforceable in the destination country; and 
• consider whether there is appropriate protection for the data from third-party access.