Division of General Counsel, Governance and Compliance

Transferring personal data outside the UK

 
UK data protection legislation prohibits the transfer of personal data outside of the United Kingdom unless appropriate safeguards are in place.

A transfer can include both physical and electronic transfer of personal data, access to personal data in our systems, and data which is hosted in other countries. The following are all examples of a transfer:

  • Posting saliva samples to a lab in Germany;
  • Sharing applicant data with a recruitment agency in India;
  • Using a file sharing platform where the platform is hosted in Canada;
  • Using a software or database for teaching activities where the data is hosted in the US;
  • Sending personal data by encrypted email to a research collaborator in Japan; and
  • The use of cloud hosting services or data centres in Ireland.

Countries with adequacy decisions

For some countries, the UK government has decided that their data protection regime provides equivalent and adequate safeguards – known as an adequacy decision – and so personal data can be transferred to those countries without additional requirements.

The following countries have an adequacy decision and we are able to transfer personal data to them without additional requirements:

Countries with an adequacy decision

PLEASE NOTE the limitations below for Canada and Japan:

  • Japan – only covers private sector organisations.
  • Canada - only covers data that is subject to Canada's Personal Information Protection and Electronic Documents Act (PIPEDA).

Please seek advice from the University's Data Protection Officer on transfers to Japan and Canada.

Transferring personal data to the US

In October 2023, the UK introduced a US data bridge in the form of a UK Extension to the EU-US Data Privacy Framework. The US data bridge allows the free flow of personal data from the UK to US based organisations that are appropriately certified under the scheme without the need for additional transfer mechanism or exception.

Please seek advice from the he University's Data Protection Officer who can advise whether your transfer to the US is permitted.

Countries without appropriate decisions

If the University transfers personal data to a country without an adequacy decision, we can only do so where the recipient has provided appropriate safeguards, and if data subjects have enforceable rights and effective legal remedies.

In most cases, this will mean having an International Data Transfer Agreement (IDTA) in place. This is a detailed agreement that includes the measures and safeguards that must be in place to protect personal data and first requires a risk assessment to be undertaken.

Please seek advice from the University's Data Protection Officer at the very earliest opportunity in any case where you are transferring personal data outside of the UK to a county without an adequacy decision, so the necessary risk assessment can be done and the IDTA can be put in place.

How to proceed when transferring personal data outside the UK

Transferring personal data outside the UK flowchart


 

Last updated 06 March 2024