International data protection

If you outsource a function to the other side of the world to a country such
as India, or if you do business abroad, you may have to export UK data
containing details about customers or employees.

Exporting such data within the European Economic Area (EEA) is not an issue.
But the eighth data protection principle of the Data Protection Act states that
personal data will not be transferred to a country outside the EEA – unless
that country ensures an adequate level of protection for an individual’s rights
when processing the data. The EEA covers member states plus Norway, Iceland and
Liechtenstein.

Other countries have been recognised as adequately protecting data: Hungary,
Switzerland, Argentina and, in relation to private companies covered by federal
law, Canada. US companies can safely be sent personal data as long as they have
signed up to something called the voluntary Safe Harbor Agreement. Note that
India is not yet recognised as a country adequately protecting data.

So what do organisations need to do if a country is not accepted as ‘safe’
by the European Commission? As only ‘personal data’ is affected, your first
step is to investigate anonymising the data if you want to send it to such a
country. If that is impossible, you have another two options:

– Option 1: Adequacy test

Your organisation must assess the risks of sending personal data to an
intended recipient. Relevant factors include whether the country has adopted
any data protection standards, and whether your organisation has an ongoing
commercial relationship with the recipient of the data.

If the assessment shows a low risk of the data being misused under the
interpretation of the Data Protection Act, your organisation can proceed with
exporting it. If it shows a medium or high risk, your organisation would have
to notify the individuals on your data list of the outcome of your risk
assessment, and your organisation would have to obtain their individual consent
to exporting the data. Blanket consent may not be acceptable.

The logistics for an organisation trying to export personal data about a
large customer database or workforce are awesome.

– Option 2: Model contract clause

The EC has authorised the export of data outside the EEA if the sender and
recipient have signed up to certain prescribed clauses in the contract between
them. These are unwieldy. A more user-friendly version has been devised by
business group representatives, but has not yet been ratified by the EC.

The EC is also currently working on a binding corporate code of conduct for
exporting personal data between group companies. If yours is such a company
wanting to export personal data between groups outside the UK, note that you
will have to draw up a code that must be approved by the local information
commissioner.

By Jill Kelly, Clarks employment team, Reading
