The ICO’s TRA tool
Due to the Data (Use and Access) Act coming into law on 19 June 2025, this guidance is under review and may be subject to change. The Plans for new and updated guidance page will tell you about which guidance will be updated and when this will happen.
In detail
- What is the ICO’s TRA tool?
- What questions do we ask?
- How do we assess the levels of risk?
- Is the ICO’s TRA tool relevant to part 3 of the DPA?
What is the ICO’s TRA tool?
Our TRA tool is a template document with questions and guidance that sets out one way to complete a TRA.
You don’t need to use our tool, but you could use the questions to guide you through completing your TRA.
What questions do we ask?
The questions are:
- Question 1: What are the specific circumstances of the restricted transfer?
- Question 2: What is the level of risk to people in the personal information you are transferring?
- Question 3: What is a reasonable and proportionate level of investigation, given the overall risk level in the personal information and the nature of your organisation?
- Question 4: Is the transfer significantly increasing the risk of a human rights breach in the destination country for the people the transferred information is about?
- Question 5:
  (a) Are you satisfied that both you and the people the information is about will be able to enforce the safeguard in the UK against the receiver?
  (b) If enforcement action outside the UK may be needed: Are you satisfied that you and the people the information is about will be able to enforce the safeguard in the destination country (or elsewhere)?
- Question 6: Do any of the exceptions to the restricted transfer rules apply to the ‘significant risk data’?
  (The ‘significant risk data’ is the information you identify in questions 4 and 5 that your safeguard does not sufficiently protect.)
Our TRA tool template includes instructions for how to complete each question.
How do we assess the levels of risk?
In the appendix of our tool, we provide a list of typical categories of personal information with an initial harm risk score (low, moderate or high). These categories are not exhaustive.
While we recommend that you use these initial risk scores as the starting point for your assessment, they're only a suggestion. It’s your responsibility, considering the specific circumstances of your restricted transfer, to decide what risk score each category of personal information should have in your TRA.
For example, even if you’re transferring typically ‘high risk’ personal information, you may find that it’s not high risk in the specific circumstances of your restricted transfer. You may base this decision on factors including:
- the quantity of information;
- the type of recipient;
- the destination country; and
- the purposes of processing.
In using our tool, you may decide that, even with your safeguard in place, the standard of protection will be materially lower for some or all of the personal information after you transfer it. In this case, you could consider whether one of the exceptions applies to the relevant personal information. If you can’t identify an appropriate exception, you must not make the restricted transfer.
If you want to go ahead with the restricted transfer using a safeguard, you must:
- put in place extra steps and extra protections; and
- work through your TRA again.
You could seek professional data protection advice to review your assessment.
Is the ICO’s TRA tool relevant to part 3 of the DPA?
If you’re processing information for law enforcement purposes, our tool may help you complete a TRA in your particular circumstances.
However, we did not write the tool for competent authorities operating under part 3 of the DPA. For example, you should carefully consider the categories of risk for the personal information you’re transferring. This is because the indicative scores may not be appropriate in the context of law enforcement processing. In addition, for question 6 (Do any of the exceptions to the restricted transfer rules apply to the ‘significant risk data’?), the exceptions (‘special circumstances’) under part 3 of the DPA are different.
For further advice, see our separate guidance on international transfers in our Guide to law enforcement processing.