The EU’s data privacy and security law, the General Data Protection Regulation (GDPR), came into effect in May 2018. When we left the EU, we retained the regulation in our own laws with the right to keep it under review.
As part of this right to review, on 11 August 2021 the Information Commissioner’s Office (ICO) published a consultation on how personal data can continue to be protected when it is transferred outside of the UK (the “Consultation”).
The Consultation includes draft guidance for international transfers of personal data, together with the following transfer tools:
- Transfer risk assessment (the “TRA tool”)
- International data transfer agreement (the “IDTA”)
- UK addendum to allow the use of the European Commission’s Standard Contractual Clauses (“SCCs”) in a UK context (the “Addendum”)
These will be relevant to all schools transferring or receiving personal data from overseas subject to the UK GDPR. In this article we consider how they might affect schools when, for example, contacting parents of prospective pupils based outside of the UK, arranging school trips overseas or transferring student files between schools where a student relocates overseas.
The TRA tool and how it could help schools assess risk
The UK GDPR makes it clear schools are expected to understand and assess risk ahead of making a transfer. The Schrems II judgment took matters one stage further and means schools must carry out a risk assessment prior to making an international data transfer.
The TRA tool is aimed at assisting schools when completing these risk assessments. The proposals say that the TRA tool guides schools and helps them to thoroughly consider the following points in assessing transfer risks:
- The circumstances of the specific transfer
- Would the IDTA be enforceable in the country where the personal data is being sent?
- Is there appropriate protection for the personal data to protect against third-party access?
The TRA tool is not proposed to be mandatory; rather, it is offered as a useful way to guide schools through the ICO’s expectations. The ICO understands that transfer risk assessments can be complicated for schools, particularly where there are limited resources. Therefore, schools may continue to use their own methods to assess risk if they prefer to do so.
Schools may want to use the Consultation as an opportunity to provide feedback on the TRA tool, including whether the TRA tool is practical and helpful.
The IDTA and how it will affect schools
To act as the equivalent of the SCCs, the ICO has produced the IDTA. The IDTA is a contract which schools should use when making a restricted transfer of personal data to a country outside the UK. It is intended to act as an approved, standard-form safeguard.
The IDTA is split into four main sections:
- Tables to set out specific information about the restricted transfer
- The option to include extra protection clauses
- An option to include commercial clauses, so long as they do not contradict the IDTA
- Mandatory clauses which must always be included
This structure differs from the SCCs in that it does not include all transfer scenarios, such as processor to controller transfers.
The Consultation seeks to obtain views on matters such as:
- Whether the IDTA provides effective safeguards for data subject rights
- Whether it is clear how schools will use the IDTA alongside the TRA tool
- Whether the IDTA is clear and easy to understand
The Addendum and how it will affect schools
Currently, the approved protection for transfers of data from the UK is the old version of the SCCs, which are now being phased out. The ICO has designed the Addendum to be used alongside the SCCs, instead of the IDTA, to safeguard a transfer under the UK GDPR. In doing so, minimal amendments have been made to the SCCs so that they work in a UK context.
Schools which are subject to both the EU and UK GDPR will not be required to implement both the SCCs and the UK IDTA. Instead, they can adapt the SCCs with the Addendum should they not wish to use the IDTA.
What are the timescales for the Consultation and when will any legislation come into effect?
The Consultation is due to close on 7 October 2021, so all responses and feedback must be provided to the ICO by that date. If you would like to submit a response, you’ll find information on how to do this on the ICO’s website.
Once the Consultation is complete, final documents will be produced by the ICO and laid before Parliament for approval.
It is estimated that it will take 40 days for the IDTA to come into force once it is laid before Parliament. After three months, the old EU Standard Contractual Clauses will be disapplied for new transfers under UK GDPR, and 21 months later the use of all old SCCs in ongoing transfers would need to cease. Accordingly, schools will have 3 months to introduce new transfer safeguards, and 2 years to stop relying on the old SCCs altogether.