Overview of the 8th principle


Emma Butler, Senior Policy Officer - international. #dpoc2012



What does it say?
  • Personal data can’t be transferred outside the European Economic Area (EEA) unless the territory offers an adequate level of protection
  • No transfer without adequacy
  • Determine adequacy (different ways)
  • Derogations – where the principle doesn’t apply
The preferred approach
  • 1 Do you need to transfer personal data? Can the data be anonymised for example?
  • 2 Is there a transfer? (consider transit, s1(3) - information held as data after transfer, Lindqvist).
  • 3 Have you complied with the other data protection principles?
  • 4 Is the transfer to a country outside the EEA?
  • 5 Has there been a finding of adequacy by the EU Commission of the destination country?
The preferred approach
  • 6 Is the transfer to a member of the US Safe Harbor scheme?
  • 7 Can you assess adequacy in line with schedule 1, part 2, paragraph 13? (adequacy assessment)
  • 8 Can you put in place adequate safeguards by the use of model contracts / BCR (for intra-group transfers)?
  • 9 Do any of the schedule 4 derogations apply?
  • 10 Have you recorded the basis on which you have made your decisions?
Derogations – Schedule 4
  • Eighth principle does not apply if a Schedule 4 condition applies.
  • Data subject consent
  • Contract with data subject
  • Contract in the interest of data subject
  • Substantial public interest
  • Personal data in public register
  • Legal proceedings/advice/rights
  • Vital interests of data subject
  • Adequate safeguards for rights and freedoms of data subjects – terms approved by Commissioner (model clauses); authorised by Commissioner (BCR)
Adequacy assessment
  • An adequate level of protection requires consideration of:
      • nature of personal data being transferred
      • origin and destination countries involved
      • purpose of processing and period of processing
      • nature of regimes (international obligations)
      • relevant codes of conduct
      • applicable laws in force which can apply to the processing
      • security of processing.
  • Note: the above considerations should be included in any risk analysis which is performed (link to seventh principle).
Adequacy assessment
  • When considering international obligations look at:
      • adoption of Council of Europe Convention No. 108?
      • adoption of OECD and UN Guidelines on Data Protection?
      • human rights considerations (due process if the police and other authorities want to interfere with private life; the rule of law)?
      • “Safe Harbor” in the USA or whether territory appears in the European Commission list of “approved states”?
      • the rule of law in general
Transfer to a data processor
  • Principle less of an issue if transfer is to a data processor.
  • Data controller subject to UK law
  • Data processor bound by contract to data controller
  • Risk analysis covers both 7th and 8th principles
  • Data processor cannot process personal data for own purposes
  • Problems with security (rather than transfer) can arise if the data processor is based in a country where the rule of law and respect for rights, as per a democratic state, are not established.
Transfer to a data controller
  • Issues arise when the transfer is to a data controller.
  • Transfer is a “processing” operation, so all the other principles apply
  • First principle – Schedule 2 grounds (and Schedule 3 if necessary)
  • First principle – fair processing requirements re disclosure
  • First principle – lawful processing re disclosure
  • Second principle – compatibility of disclosure with purpose(s) specified at the time of obtaining
  • Seventh principle – security of disclosure; disclosure authorised; risk assessment; disclosure procedures in place
  • ICO website
  • ICO data protection guide - principle 8
  • ICO's preferred approach to transfers
  • Outsourcing
  • BCR page
  • European Commission website: international transfers
  • Model clauses
  • 2004 controller to controller
  • 2001 controller to controller
  • 2010 controller to processor
  • Safe Harbor

Keep in touch

Subscribe to our e-newsletter at www.ico.gov.uk

or find us on…

  • www.twitter.com/iconews


  • Cloud computing – The Buckingham Suite
  • Data Sharing – The Grand Room
  • Subject access requests and information held in complaints files – Palace 7
  • Do all members of your organisation understand the importance of data management? – Palace 6
  • Principle 8: Binding Corporate Rules – Palace 1
  • Reporting breaches – The Oak Room
  • Using personal data for medical research – Palace 4
  • Section 40 Tribunal decisions – Palace 5