Warning: Use of undefined constant includes - assumed 'includes' (this will throw an Error in a future version of PHP) in /homepages/14/d377707900/htdocs/tvpe.com/wp-content/themes/targetpro/functions.php on line 322
Export - The Virtual Privacy Expert
Call On: 0845 5442755


Who’s in?


We have talked about transferring information about people outside the UK.  The actual Act refers to “outside the EAA” – so why do I talk about outside the UK?  It is best practice to make a check if you are considering transferring information about people anywhere outside the UK.  You will need to consider whether the destination is within the EEA, has a ‘finding of adequacy’  or has signed up to Safe Harbor – dependant on whic it falls under will depend on what action you need to take.


There are no restrictions on information about people being transferred within the EEA. So what countries are in the EEA? These are currently:

Czech Republic

Finding of Adequacy

The European Commission has decided that certain countries have an adequate level of protection for personal data. Currently, the following countries are considered as having adequate protection.

Faroe Islands
Isle of Man
New Zealand

View an up to date list of such countries, at the European Commission’s data protection website.

Safe Harbor

The Information Commissioners guidance also states “Although the United States of America (US) is not included in the European Commission list, the Commission considers that personal data sent to the US under the voluntary “Safe Harbor” scheme is adequately protected. When a US company signs up to the Safe Harbor arrangement, they agree to:

  • follow seven principles of information handling; and
  • be held responsible for keeping to those principles by the Federal Trade Commission or other oversight schemes.

Certain types of companies cannot sign up to Safe Harbor. View a list of the companies signed up to the Safe Harbor arrangement on the US Department of Commerce website.

In July 2007, the EU and the US signed an agreement to legitimise and regulate the transfer of passenger name record information (PNR) from EU airlines to the US Department of Homeland Security (DHS). This agreement is regarded as providing adequate protection for the personal data in question.” Source Information Comissioner’s website.

Don’t delay in getting your processes in place NOW!

Yours in best practice!



Principle 8 – What Else Do I Need to Know?


In my last post we discussed the need to comply with principle 8, when sending information about people outside of the UK, but what else needs to be considered?

The other principles of the Act will also be relevant to sending information about people outside of the UK. Primarily, principle 1 and principle 7:

  • Principle 1 – “Personal data shall be processed fairly and lawfully”
  • Principle 7 – “Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”

In relation to the first principle you should be asking questions such as,

  1. Has the individual been informed that their information will be disclosed outside the UK?  
  2. Is there a schedule 2 (more on that later) condition for the processing?

In most instances you will find that you have already complied in this area, but it is always best practice to check, and evidence that this has been considered before taking any action – if in doubt, ask!

In practice, principle 7 compliance can be achieved using a risk based approach – what does this mean?  Typically, what is appropriate for one organisation, will not suit another.  Therefore, you carry out a risk assessment and decide what is appropriate to mitigate the risks that you have identified.  Some of the essential areas that you will need to consider are:

  1. Who, within my organisation, is responsible for information security?  
  2. What physical and technical security is in place and is it appropriate for the risks identified?  
  3. Is this backed up by robust policy and procedure?  
  4. Is there an appropriate training plan in place for all employees?  
  5. Are we ready to respond to a breach swiftly and appropriately?

REMEMBER – this principle is not just about technology, it is also about people, policies and processes.

This may seem like an extra level of work and detail that adds to your already heavy workload, but by putting the time and effort in to getting it right now, it will restrict, if not avert, any potential fine or action taken against you!  Why wait?

Yours in getting it right NOW!



Transfer of Personal Data – How to avoid Penalties & unwanted Publicity…


…which both ultimately lead to loss of reputation!

Principle 8 of the Data Protection Act 1998 “Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.”

This is the UK law that applies to whether a transfer of personal data, information that can identify an individual, can legally take place.

Personal data can only be transferred within the EEA, or to a country subject to a ‘finding of adequacy’ or if they have signed up to the Safe Harbor Scheme (more on that later).  Otherwise, you will need to assess whether the transfer will provide an adequate level of protection “for the rights and freedoms of data subjects in relation to the processing of personal data”

For the most part the Data Protection Act does not stop this activity, it merely forces an appropriate decision making process.  These are some of the elements that you will need to consider, when making your decision:

  1. does the information being transferred fall under the definition of ‘personal data”as laid out within the law?
  2. has the data been collected and processed in accordance with the law?
  3. if the transfer is not within the EEA, or to a country subject to a ‘finding of adequacy’ or if they have signed up to the Safe Harbor Scheme, can an assessment be carried out for an adequate level of protection?
  4. if adequacy cannot be established, can other adequate safeguards be put in place?

This may seem a little daunting, but really, it serves as a protection for you, your business and the trust of your clients.  It dictates a best practice led approach to ensure that you remain within the law when dealing with information about people.

So, to avoid penaltiesprevent unwanted publicity and loss of reputation keep in mind what I have mentioned here and if you are in doubt or need help, check out my series of blogs over the next week, or contact me.

Yours in staying within the law!