
Overview of the 8th principle

Emma Butler, Senior Policy Officer - international. #dpoc2012.



  1. Overview of the 8th principle
     Emma Butler, Senior Policy Officer - international
     #dpoc2012

  2. What does it say?
     • Personal data can’t be transferred outside the European Economic Area (EEA) unless the territory offers an adequate level of protection
     • No transfer without adequacy
     • Determine adequacy (different ways)
     • Derogations – where the principle doesn’t apply

  3. The preferred approach
     • 1. Do you need to transfer personal data? Can the data be anonymised, for example?
     • 2. Is there a transfer? (consider transit, s1(3) - information held as data after transfer, Lindqvist)
     • 3. Have you complied with the other data protection principles?
     • 4. Is the transfer to a country outside the EEA?
     • 5. Has there been a finding of adequacy by the EU Commission of the destination country?

  4. The preferred approach
     • 6. Is the transfer to a member of the US Safe Harbor scheme?
     • 7. Can you assess adequacy in line with schedule 1, part 2, paragraph 13? (adequacy assessment)
     • 8. Can you put in place adequate safeguards by the use of model contracts / BCR (for intra-group transfers)?
     • 9. Do any of the schedule 4 derogations apply?
     • 10. Have you recorded the basis on which you have made your decisions?

  5. Derogations – Schedule 4
     • Eighth principle does not apply if a Schedule 4 condition applies.
     • Data subject consent
     • Contract with data subject
     • Contract in the interest of data subject
     • Substantial public interest
     • Personal data in public register
     • Legal proceedings/advice/rights
     • Vital interests of data subject
     • Adequate safeguards for rights and freedoms of data subjects – terms approved by Commissioner (model clauses); authorised by Commissioner (BCR)

  6. Adequacy assessment
     • An adequate level of protection requires consideration of:
     • nature of personal data being transferred
     • origin and destination countries involved
     • purpose of processing and period of processing
     • nature of regimes (international obligations)
     • relevant codes of conduct
     • applicable laws in force which can apply to the processing
     • security of processing.
     • Note: the above considerations should be included in any risk analysis which is performed (link to seventh principle).

  7. Adequacy assessment
     • When considering international obligations look at:
     • adoption of Council of Europe Convention No. 108?
     • adoption of OECD and UN Guidelines on Data Protection?
     • human rights considerations (due process if the police and other authorities want to interfere with private life; the rule of law)?
     • “Safe Harbor” in the USA or whether territory appears in the European Commission list of “approved states”?
     • the rule of law in general

  8. Transfer to a data processor
     • Principle less of an issue if transfer is to a data processor.
     • Data controller subject to UK law
     • Data processor bound by contract to data controller
     • Risk analysis covers both 7th and 8th principles
     • Data processor cannot process personal data for own purposes
     • Problems with security (rather than transfer) can arise if the data processor is based in a country where the rule of law and respect for rights, as per a democratic state, are not established.

  9. Transfer to a data controller
     • Issues arise when the transfer is to a data controller.
     • Transfer is a “processing” operation, so all the other principles apply
     • First principle – Schedule 2 grounds (and Schedule 3 if necessary)
     • First principle – fair processing requirements re disclosure
     • First principle – lawful processing re disclosure
     • Second principle – compatibility of disclosure with purpose(s) specified at the time of obtaining
     • Seventh principle – security of disclosure; disclosure authorised; risk assessment; disclosure procedures in place

  10. Resources
     • ICO website
     • ICO data protection guide - principle 8
     • ICO's preferred approach to transfers
     • Outsourcing
     • BCR page
     • European Commission website: international transfers
     • Model clauses
     • 2004 controller to controller
     • 2001 controller to controller
     • 2010 controller to processor
     • Safe Harbor

  11. Keep in touch
     Subscribe to our e-newsletter at www.ico.gov.uk or find us on…
     • www.twitter.com/iconews

  12. Sessions and rooms
     • A: Cloud computing - The Buckingham Suite
     • B: Data Sharing - The Grand Room
     • C: Subject access requests and information held in complaints files - Palace 7
     • D: Do all members of your organisation understand the importance of data management? - Palace 6
     • E2: Principle 8: Binding Corporate Rules - Palace 1
     • F: Reporting breaches - The Oak Room
     • G: Using personal data for medical research - Palace 4
     • H: Section 40 Tribunal decisions - Palace 5
