Overview of the 8th principle
Emma Butler
Senior Policy Officer - international
#dpoc2012

What does it say?
• Personal data can’t be transferred outside the European Economic Area (EEA) unless the territory offers an adequate level of protection
• No transfer without adequacy
• Determine adequacy (different ways)
• Derogations – where the principle doesn’t apply

The preferred approach
• 1 Do you need to transfer personal data? Can the data be anonymised, for example?
• 2 Is there a transfer? (consider transit, s1(3) - information held as data after transfer, Lindqvist).
• 3 Have you complied with the other data protection principles?
• 4 Is the transfer to a country outside the EEA?
• 5 Has there been a finding of adequacy by the EU Commission of the destination country?
• 6 Is the transfer to a member of the US Safe Harbor scheme?
• 7 Can you assess adequacy in line with schedule 1, part 2, paragraph 13? (adequacy assessment)
• 8 Can you put in place adequate safeguards by the use of model contracts / BCR (for intra-group transfers)?
• 9 Do any of the schedule 4 derogations apply?
• 10 Have you recorded the basis on which you have made your decisions?

Derogations – Schedule 4
Eighth principle does not apply if a Schedule 4 condition applies.
• Data subject consent
• Contract with data subject
• Contract in the interest of data subject
• Substantial public interest
• Personal data in public register
• Legal proceedings/advice/rights
• Vital interests of data subject
• Adequate safeguards for rights and freedoms of data subjects – terms approved by Commissioner (model clauses); authorised by Commissioner (BCR)

Adequacy assessment
An adequate level of protection requires consideration of:
• nature of personal data being transferred
• origin and destination countries involved
• purpose of processing and period of processing
• nature of regimes (international obligations)
• relevant codes of conduct
• applicable laws in force which can apply to the processing
• security of processing.
Note: the above considerations should be included in any risk analysis which is performed (link to seventh principle).

Adequacy assessment
When considering international obligations look at:
• adoption of Council of Europe Convention No. 108?
• adoption of OECD and UN Guidelines on Data Protection?
• human rights considerations (due process if the police and other authorities want to interfere with private life; the rule of law)?
• “Safe Harbor” in the USA or whether territory appears in the European Commission list of “approved states”?
• the rule of law in general

Transfer to a data processor
Principle less of an issue if transfer is to a data processor.
• Data controller subject to UK law
• Data processor bound by contract to data controller
• Risk analysis covers both 7th and 8th principles
• Data processor cannot process personal data for own purposes
• Problems with security (rather than transfer) can arise if the data processor is based in a country where the rule of law and respect for rights, as per a democratic state, are not established.

Transfer to a data controller
Issues arise when the transfer is to a data controller.
• Transfer is a “processing” operation, so all the other principles apply
• First principle – Schedule 2 grounds (and Schedule 3 if necessary)
• First principle – fair processing requirements re disclosure
• First principle – lawful processing re disclosure
• Second principle – compatibility of disclosure with purpose(s) specified at the time of obtaining
• Seventh principle – security of disclosure; disclosure authorised; risk assessment; disclosure procedures in place

Resources
• ICO website
• ICO data protection guide - principle 8
• ICO's preferred approach to transfers
• Outsourcing
• BCR page
• European Commission website: international transfers
• Model clauses
• 2004 controller to controller
• 2001 controller to controller
• 2010 controller to processor
• Safe Harbor

Keep in touch
Subscribe to our e-newsletter at www.ico.gov.uk or find us on…
• www.twitter.com/iconews

• A - Cloud computing - The Buckingham Suite
• B - Data Sharing - The Grand Room
• C - Subject access requests and information held in complaints files - Palace 7
• D - Do all members of your organisation understand the importance of data management? - Palace 6
• E2 - Principle 8: Binding Corporate Rules - Palace 1
• F - Reporting breaches - The Oak Room
• G - Using personal data for medical research - Palace 4
• H - Section 40 Tribunal decisions - Palace 5