Page: 1 2
11. International Transfers of Personal Data
The potential benefits of obtaining specific and informed consent of data subjects before the transfer of data to a non-EEA country are:
- The data subject can be made aware of the risks that the University may have assessed as being involved in the transfer; and
- The data subject is able to give their clear and unambiguous consent to the transfer
Examples would include the transfer of staff personal data to a non-EEA country to be used in the management of a distance learning course and where a data subject requests a reference be written and sent to a non-EEA country. In the latter case the request itself will indicate consent to the personal data transfer.
Staff involved in any transfers where consent is relied upon as the justification for the data transfer must ensure that they:
- document that the data subject was informed as required
- obtain consent in writing, unless there are suitable technological means to ensure that authenticated consent can be collected on-line
- retain evidence of both the above
11.7 Method of Transferring Personal Data
Where it has been established that personal data may be transferred, this should be done in accordance with section 7.5 of this Code of Practice; electronic transfers of personal data must be encrypted. Information Services provide guidance on both Data Encryption and on Email Encryption.
11.8 Third Party Requests
University staff must ensure that personal data is not disclosed without the specific and informed consent of the data subjects concerned when requested by:
- non-EEA governments, agencies, and organisations for the purposes of assessing the names, numbers and whereabouts of foreign nationals studying overseas where there is no sponsorship arrangement or other agreement between the data subject and a third party
- non-EEA governments for the purposes of determining liability to attend National Service
11.9 Data Controller Assessment of Adequacy for Non-EEA Transfer
Where none of the above options apply for a transfer outwith the EEA, the University may determine that the transfer it wishes to make will provide adequate safeguards. However this must be discussed at the outset with the University's Information Governance Manager who will seek any necessary legal advice and ensure that the relevant area conducts a risk assessment.
Page: 1 2