The future of UK international data transfers
International Data Transfer Agreement (IDTA)
Following on from Brexit, the UK received a positive adequacy decision on its personal data security standards by the EU. Building on this, the UK’s Information Commissioner's Office (ICO) has opened a consultation period to introduce its new International Data Transfer Agreement (IDTA). The European Commission has also issued a draft update addressing the same thing. So what triggered this new work? It’s all in response to the work done by privacy activist Max Schrems.
Setting the scene
For those unfamiliar with Schrems case, back in 2015 he challenged Facebook, claiming that the Standard Contractual Clauses used by the company were not adequate to safeguard the transfer of personal data to its US servers. The case was presented to the European Court of Justice (ECJ) where, after much scrutinising, it was found that the SCC were valid. However, as data protection laws vary from state to state in the US, the ECJ said that consideration should be given to the legal system where the data was being transferred to. Such as, does it have data protection laws equivalent to those in the EU.
Max Schrems had good form for challenging big companies’ data protection rules, as in 2013 he challenged the validity of the Safe Harbour Agreement between the EU and the US, when Facebook transferred his (and other EU citizens) personal data to its US servers. The Safe Harbour Agreement allowed data flow between the US Department of Commerce and the EU. This agreement was believed to have had ‘adequate protection’ to allow transatlantic transfer of personal data. However, in 2015 the ECJ found this to be untrue and ruled that the agreement did not provide adequate protection for the EU citizens. This is now famously referred to as Schrems I.
What is the IDTA?
Back to 2021, and the IDTA is in essence a contract between the exporter and importer. It’s formatted in an easy-to-understand way and includes:
- Whether the UK GDPR applies to the importer
- In which UK country a legal claim can be made
- Clarification on the roles and responsibilities of both parties
- Any other agreements you are part of prior to completing the IDTA
This last point is important to note, as any agreements in place will be overridden by the IDTA if there are inconsistencies between the agreements and the IDTA. The exception to this overriding is if the prior agreements provide greater security than the IDTA, or if the agreements are expressly required by Article 28 UK GDPR.
What you need to do to prepare yourself
The draft IDTA so far looks to be a great tool to help organisations in the UK better understand key security measures when considering data transfers. If your organisation transfers data outside the UK to an EEA, or other areas of the world, you should start reviewing the agreements you have in place already to ensure you’re prepared for when the IDTA comes into force. It’s also a good idea to take part in the ICO consultation if you are a data protection practitioner, or if you have legal responsibilities that include giving advice on international data transfers.
Case Study: Care Home leaves patient records behind
Pine Health nursing home closed in 2017 after the CQC published a negative report on its performance. Specifically, Pine Health left behind boxes filled with paper records containing patient medical history and other personal details, which was subsequently compromised. The security company managing the empty building claimed there was 24/7 surveillance and guard dog presence, but journalists were able to gain access to the building to report on this data breach. Both the ICO and the local council investigated the data breach and the locals were shocked to find out people they have known who lived in the care home still had their personal data laying around.
- Update your retention schedule on a regular basis and ensure all records, including paper records, are deleted or destroyed within their retention period.
- Anonymise the personal data that you no longer use, but is still valuable for your business.
- Digitise your paper records where possible so you can apply the same level of security that you use for your electronic records.
IDTA for the future
In the current digital environment, many businesses have moved on from the cumbersome management of paper records in their day-to-day operations. However, paper records exist in many places, and we might just forget about our legacy records in storage boxes. Data breaches like the Pine Health demonstrates to us all that we need to ensure we identify all formats in which we hold personal data, this can be from Teams meeting recordings, voicemails, or old filing cabinets. The International Data Transfer Agreement is another step to a future of organised, compliant and secure use of personal data, but businesses have to be ready for it.
Get help with your data protection obligations
Bulletproof’s experienced data protection officers give your business on-going support and maintenance of your data protection obligations. Find out more about our flexible, cost-effective packagesLearn more
Trusted cyber security & compliance services from a certified provider
Get a quote today
If you are interested in our services, get a free, no obligation quote today by filling out the form below.