Division of General Counsel, Governance and Compliance

Transferring data outside the UK

 
Data protection legislation prohibits the transfer of personal data outside of the United Kingdom, unless appropriate safeguards are in place.

A transfer can include both physical and electronic transfer of personal data outside of the UK, as well as data which is hosted in other countries. The following are all examples of a transfer:

  • Posting saliva samples to a lab in Germany;
  • Sharing applicant data with a recruitment agency in India;
  • Using a file sharing platform for data sharing or using software for teaching activities, where the platform data is hosted in America;
  • Sending personal data by encrypted email to a research collaborator in Japan; and
  • The use of cloud hosting services or data centres in Ireland.

Adequacy decisions

For some countries, the UK government has decided that their data protection regime provides equivalent and adequate safeguards – known as an adequacy decision – and so personal data can be transferred to those countries without additional requirements.

The following countries have an adequacy decision* and we are able to transfer personal data to them without additional requirements:

Countries with an adequacy decision

*PLEASE NOTE the limitations below for Canada and Japan:

  • Japan – only covers private sector organisations.
  • Canada - only covers data that is subject to Canada's Personal Information Protection and Electronic Documents Act (PIPEDA).

Please seek advice from the Data Protection Officer for advice on transfers to these countries.

Appropriate safeguards

If the University transfers personal data to a country without an adequacy decision, we can only do so where the recipient has provided appropriate safeguards, and if data subjects have enforceable rights and effective legal remedies.

In most cases, this will mean having an International Data Transfer Agreement in place. This is a detailed agreement that includes the measures and safeguards that must be in place to protect personal data and first requires a risk assessment to be undertaken.

Please seek advice from the Data Protection Officer at the very earliest opportunity in any case where you are transferring personal data outside of the UK to a county without an adequacy decision, so the necessary risk assessment can be done and the International Data Transfer Agreement can be put in place.

Other permitted transfers

Data protection legislation allows personal data to be transferred outside of the UK in some other limited circumstances such as where it is necessary to defend a legal claim. Please also seek advice from the Data Protection Officer in these circumstances.

How to proceed when transferring data outside the UK

 

Last updated 27 April 2022