All good things must come to an end and this, sadly, is the last in our series of blogs on data protection compliance. So far, we’ve explored seven of the eight Data Protection Principles (DPPs) established under the Data Protection Act 1998 (DPA). This week’s blog will focus on the Eighth DPP which regulates ‘international transfers’ involving Personal Information.
What are ‘international transfers’?
The Eighth DPP requires that personal data are not transferred to a country or territory outside the European Economic Area (EEA) unless that country or territory ensures an adequate level of protection for the rights and freedoms of individuals in relation to the processing of their personal data. The EEA comprises all of the EU member states plus Norway, Iceland and Liechtenstein; Switzerland is not an EEA member, but transfers there are covered by a separate adequacy arrangement.
If your website collects service user data then you need to be data aware
At this point you are probably asking yourself how this is relevant to your situation, but let me ask you: do you have a website? Do you use, or are you thinking about using, a cloud-based platform for your computing system? If the answer to either is yes, then you need to consider compliance with this DPP, because the clue is in the name: the World Wide Web; the Cloud. Neither is confined by territory. By their very nature, the data held on them can be stored in, or accessed from, anywhere in the world at any given time, and that includes countries outside the EEA.
If your website collects service user data then you should look at the ICO’s Personal information online code of practice and our Small Business Checklist. Even if you don’t collect data, you need to be careful about what personal information you upload. Remember, it might not be the obvious, such as a name: a description, or even equality statistics relating to a small population, might be enough to identify an individual. In addition, if you use social media for business purposes, you should read our Guidance on social networking and online fora.
Cloud computing offers access to a range of technologies and services, typically delivered over the internet, and the data could be stored anywhere in the world. You may be considering a move to the Cloud for perceived benefits such as increased security, reliability and resilience at a potentially lower cost. However, it’s important to understand the potential risks involved, so read through the ICO Guidance on the use of cloud computing, which offers a set of questions and approaches an organisation should consider, in conjunction with its provider, to ensure compliance. Remember, it is likely that all eight DPPs will have to be part of your consideration, not just the Eighth, and you may well think about carrying out a Privacy Impact Assessment before going down this road.
Finally, the new year is often a time of review and renewal: reviewing where we’ve been and renewing our commitment to where we’d like to be. In data protection terms, I’d like to encourage everyone to review their data protection regime using the ICO’s Data protection self-assessment toolkit and put in place a strategy for renewal over the next 12 months. This will provide a sound data protection strategy and can be done in conjunction with our 12 Steps guidance in preparation for the new data protection regime that applies from 2018.
The 28th of January is Data Protection Day. Why not use these blogs to work towards doing something special (and fun!) to raise awareness in your workplace?
Maureen H Falconer is Regional Manager – Scotland with the Information Commissioner’s Office