Latest updates - last updated 09 March 2023
09 March 2023 - We have provided clarification about what, in our view, “strictly necessary” means for law enforcement international transfers. This imposes a more exacting standard than ‘necessary’, and in practice calls for a more rigorous justification for why you are processing and transferring the information. This update can be found under point one of the “Can we make a transfer to recipients other than relevant authorities?” section.
At a glance
- Part 3, Chapter 5 deals with when you can transfer personal data to a third country.
- A third country is a country or territory outside the UK.
- The DPA 2018 places limits on the circumstances when you can share.
- You have to meet certain conditions, including that the transfer is for one of the law enforcement purposes.
- Mostly, you can transfer to a ‘relevant authority’ - a body entrusted with similar law enforcement responsibilities in the third country.
- There are specific provisions if you transfer to bodies that are not relevant authorities, with additional requirements which you must meet before you can do this.
Checklists
☐ We have checked whether we are a competent authority as defined by Schedule 7 of the DPA 2018.
☐ We have checked that the recipient is a relevant authority.
☐ We have confirmed whether the data was received from another competent authority.
☐ The transfer is necessary for one of the law enforcement purposes.
☐ The transfer is covered by adequacy regulations.
☐ If not, we are satisfied that the data will be subject to appropriate safeguards once transferred, and have notified the ICO about the categories of transfer we make on this basis.
☐ If not, we have identified special circumstances which still require the data to be transferred.
☐ We have taken steps to ensure that the data will not be further transferred elsewhere, and we have ensured that appropriate safeguards and conditions for any such onward transfer are in place, including limits on the extent of these transfers.
☐ If the transfer is to a recipient who is not a relevant authority, we have checked it meets the additional conditions, and we have notified the ICO.
☐ We have documented the transfer.
In brief
- What are the general principles for the transfer of personal data?
- Is the transfer covered by an adequacy decision?
- Can we make a transfer subject to appropriate safeguards?
- Are there any special circumstances?
- Can we make a transfer to recipients other than relevant authorities?
- What happens to subsequent transfers?
What are the general principles for the transfer of personal data?
There are three conditions that you have to meet before you can make a transfer:
- The transfer has to be necessary for any of the law enforcement purposes.
- The transfer has to be based on a finding of adequacy in respect of the third country or, where there is none, on other appropriate safeguards being in place or, if not, on the transfer being for certain specified special circumstances.
- The transfer is to a relevant authority in the third country, or to a ‘relevant international organisation’, ie an international body that carries out functions for any of the law enforcement purposes.
However, it is still possible to transfer personal data to a body which is not a relevant authority, if you meet certain additional safeguards. See “Can we make a transfer to recipients other than relevant authorities?”
If the data is obtained from a competent authority in another EU member State, then that competent authority has to authorise the transfer, except if:
- there is an immediate and serious threat to the public security of a third country; or
- there is an immediate and serious threat to the essential interests of an EU member State; and
- authorisation cannot be obtained in good time.
In such cases you must inform the relevant competent authority which would have been responsible for authorising the transfer without delay.
Is the transfer covered by an adequacy decision?
You may transfer personal data if the transfer is covered by UK adequacy regulations.
Adequacy regulations confirm that a particular third country (or a specified territory or sector in a third country) or international organisation has an adequate data protection regime to protect personal data. This is sometimes referred to as an ‘adequacy decision’.
There are adequacy regulations in place to cover transfers to:
- EEA States (the EU member states and Iceland, Liechtenstein and Norway);
- Gibraltar;
- Guernsey;
- Jersey; and
- Switzerland.
The ICO’s role in assisting the Home Office with this work is set out in a Memorandum of Understanding between the two authorities. Any future adequacy regulations will be finalised in accordance with this Memorandum and issued by the UK Government.
Can we make a transfer subject to appropriate safeguards?
If there is no ‘adequacy decision’ about the country, territory or sector for your restricted transfer, you may still make the transfer on the basis that other appropriate safeguards exist to ensure that individuals’ rights are enforceable and effective legal remedies are available following the transfer.
Appropriate safeguards may be provided for by:
- a legal instrument providing appropriate safeguards which binds the intended recipient; or
- an assessment performed by the controller which concludes that appropriate safeguards exist. In this case, you must inform the Information Commissioner of the categories of data transfers that take place.
You must document the transfer, and provide this documentation to the Information Commissioner on request. You must record:
- the date and time of the transfer;
- the name, and any other pertinent information about the recipient;
- the justification for the transfer; and
- a description of the data you transferred.
You must ensure that any personal data you have transferred is not further transferred to another third country without your authorisation, or authorisation from another UK competent authority, and any authorisation can only be given where the transfer is necessary for any of the law enforcement purposes.
Are there any special circumstances?
Sometimes, you may need to transfer personal data when there is neither a finding of adequacy, nor appropriate safeguards in place. This can only take place in certain, specified circumstances, referred to as the ‘special circumstances’. These are listed in the DPA 2018 as the five circumstances where the transfer is necessary:
- To protect the vital interests of the data subject or another person;
- To safeguard the legitimate interests of the data subject;
- For the prevention of an immediate and serious threat to the public security of a third country;
- In individual cases for any of the law enforcement purposes; or
- In individual cases for a legal purpose.
There are a few things to keep in mind.
You need to document the transfer, and provide those records to the Information Commissioner on request. You must record:
- the date and time of the transfer;
- the name, and any other pertinent information about the recipient;
- the justification for the transfer; and
- a description of the personal data you transferred.
These are the same details that you are required to record for transfers on the basis of appropriate safeguards.
Items 4 and 5 of the special circumstances provide for a degree of flexibility, but in those cases it is necessary for you to specifically consider the rights and freedoms of the individual whose data you are transferring. If those rights and freedoms override any public interest in the transfer, then the transfer cannot take place on the basis of special circumstances. Items 4 and 5 are case-specific and this safeguard is there to make sure that the individual’s interests remain at the heart of matters. In such cases, if the transfer is still necessary, you will need to apply another lawful basis for the transfer.
A transfer is deemed to be necessary under item 5:
- for the purpose of, or in connection with, any legal proceedings for any of the law enforcement purposes. This can include prospective legal proceedings, ie where the proceedings are anticipated, but have not yet commenced;
- for the purpose of obtaining legal advice in relation to any of the law enforcement purposes; or
- for the purpose of establishing, exercising or defending legal rights in relation to any of the law enforcement purposes.
In each case, the circumstances must link directly back to any of the law enforcement purposes to which Part 3 of the Act relates.
Can we make a transfer to recipients other than relevant authorities?
For the most part, it is expected that transfers will take place between ‘relevant authorities’, or relevant international organisations ie to any (legal) person in the third country (or operating internationally) who has functions comparable to those of a ‘competent authority’ for the purposes of Part 3 of the DPA 2018.
Sometimes, however, you may need to transfer personal data to a recipient that is not a relevant authority. Before you can do this, you must meet all four of these additional conditions:
- The transfer is strictly necessary in a specific case, for the performance of a task by the transferring controller, as provided by law for any of the law enforcement purposes.
In item 1, ‘strictly necessary’, as required in some sections of Part 3 DPA 2018, imposes a more exacting standard than ‘necessary’, and in practice calls for a more rigorous justification for why you are processing the information.
Further, the transfer must be for the performance of a task for which you have a lawful purpose under the law enforcement provisions of Part 3 of the DPA 2018.
- The fundamental rights and freedoms of the data subject do not override the public interest concerning the transfer.
Item 2 means that the rights and freedoms of the data subject can override any public interest in the transfer, so if the rights and freedoms of the data subject in not having their data transferred to the intended recipient are of equal or greater importance than the public interest in transferring the data, then the transfer shall not take place.
- The transferring controller considers that the transfer to a relevant authority in the third country would be ineffective, or inappropriate.
Item 3 means that, where possible, transfers to a third country should be undertaken to a relevant authority in that country, and it is only in circumstances where transferring the data to such a relevant authority would be ineffective or inappropriate, that a transfer to another recipient should be contemplated. Transfers may be ineffective, for example, if the transfer is time-critical and the relevant authority would be unable to act on the transfer in sufficient time. A transfer may be inappropriate if the transfer to the relevant authority might prejudice the purposes of the transfer, for example if the data relate to allegations of corruption or impropriety in the relevant authority and there is a risk that the transfer may tip-off relevant personnel within that authority that an investigation is underway.
Where you have transferred data to a body other than a relevant authority, you must inform the relevant authority in that country of the transfer, unless, as above, that would be ineffective or inappropriate.
- The transferring controller sets out the specific purposes for which the data may be processed by the intended recipient and informs them of these.
You need to document the transfer, and you also need to notify the Information Commissioner about the transfer. This is different to other types of transfers, where you record the details but only have to provide them to the Commissioner on request.
What happens to subsequent transfers?
It is important that control of personal data is not lost once you have transferred it. It is vital that the rights and freedoms of individuals are still uppermost. Therefore, if the data you transferred is to be subsequently transferred elsewhere, it is important that those rights and freedoms continue to follow the data. For this reason, there are certain provisions that you must observe before any subsequent transfer can take place.
Firstly, you must make it a condition of the transfer that any subsequent transfer must be authorised by you, or another competent authority. It would be sensible to have agreements in place with any other competent authorities who you may consider allowing to make such an authorisation.
Secondly, any authorisation can only be for a transfer which is necessary for any of the law enforcement purposes, and you must give consideration to:
- the seriousness of the circumstances leading to the request for authorisation of the subsequent transfer;
- the purpose for which you originally transferred the data; and
- the standards of data protection which apply in the country or international organisation where the data will be transferred.
If you originally received the data from a competent authority in an EU member state, that competent authority must first authorise the transfer before you in turn can authorise it. This creates a chain of accountability, linking back to the original competent authority which first held the data, which ensures that the original competent authority retains a measure of control and influence over any processing of that data.
The only exception is if the transfer is necessary for the prevention of an immediate and serious threat to the public security of a third country, or to the essential interests of an EU member state (note, not the essential interests of any third country) and you cannot obtain authorisation from the originating competent authority in good time. If that happens, then you should inform the originating competent authority without delay.