Information Commissioner's Office
ICO consults on how organisations can continue to protect people’s personal data when it’s transferred outside of the UK
The Information Commissioner’s Office (ICO) has launched a public consultation on its draft international data transfer agreement (IDTA) and guidance.
When organisations send personal information to a country outside the UK, they must ensure people’s data protection rights continue to be protected. An IDTA is a contract that organisations can use when transferring data to countries not covered by adequacy decisions.
The IDTA will replace the current standard contractual clauses (SCCs) to take into account the binding judgment of the European Court of Justice in a case commonly known as ‘Schrems II’. The ruling required organisations to carry out further diligence when making a transfer of personal data outside of the UK to countries without an adequacy decision.
The consultation is split into three sections, offering a selection of proposals and options to consider.
- Proposal and plans for updates to guidance on international transfers.
- Transfer risk assessments.
- The international data transfer agreement.
The ICO is also asking for views on any relevant privacy rights, legal, economic or policy considerations and implications. Responses will help the regulator understand the practical impact of proposed approaches on organisations.
The new IDTA will support the UK’s digital economy by continuing to enable the global flow of people’s information with the safeguards of high standards of data protection.
Steve Wood, ICO Executive Director of Regulatory Strategy, said:
“The modern world involves increasing flows of personal data about citizens to deliver goods and services. Ensuring data is well-protected when transferred outside of the UK will be vital in maintaining people’s trust in the system. Our new IDTA is developed to ensure such protections are in place.
“We understand that international transfers can be complex, especially for smaller businesses. Our new guidance has been designed to be accessible and to ensure they support all organisations, from SMEs without the benefit of large legal budgets to multi-national companies. The agreements will help organisations to continue to trade freely while ensuring the correct protections are in place before transferring people’s data.
“This consultation is important. We know how important it is for transfer tools to work in practice, and the ICO wants to support businesses in this area. The responses we receive will inform our final work and I encourage all organisations that undertake international transfers to engage with the consultation and provide feedback”.
The ICO’s work around IDTAs, and its consultation, are a requirement under s119a of the Data Protection Act 2018. The consultation will inform the final documents the ICO will lay before Parliament. The consultation will remain open until 5pm on 7 October 2021.
Notes to Editors
- The Information Commissioner’s Office (ICO) is the UK’s independent regulator for data protection and information rights law, upholding information rights in the public interest, promoting openness by public bodies and data privacy for individuals. It has its head office in Wilmslow, Cheshire, and regional offices in Edinburgh, Cardiff and Belfast.
- The ICO has specific responsibilities set out in the Data Protection Act 2018 (DPA2018), the General Data Protection Regulation (GDPR), the Freedom of Information Act 2000 (FOIA), Environmental Information Regulations 2004 (EIR), Privacy and Electronic Communications Regulations 2003 (PECR) and a further five Acts / Regulations.
- The ICO can take action to change the behaviour of organisations and individuals that collect, use and keep personal information. This includes criminal prosecution, non-criminal enforcement and audit.
- To report a concern to the ICO telephone our helpline 0303 123 1113 or go to ico.org.uk/concerns.
Latest News from
Information Commissioner's Office
Blog: A day in the life of the ICO’s information management team13/05/2022 12:25:00
“It’s important to remember the people behind the information.”
ICO response to Channel 4 ‘Inside the Metaverse’ documentary29/04/2022 12:25:00
A recent C4 Dispatches – Inside the Metaverse looked at the metaverse and how the platforms enforce against users that act inappropriately.
Conclusion of ICO investigation into unauthorised disclosure of CCTV footage from DHSC – 19 April 202220/04/2022 12:25:00
The ICO found insufficient evidence to prosecute two people suspected of unlawfully obtaining and disclosing CCTV footage from the Department for Health and Social Care (DHSC).
Statement following conclusion of ICO investigation into unauthorised disclosure of CCTV footage from DHSC13/04/2022 16:20:00
The Information Commissioner’s Office (ICO) has found insufficient evidence to prosecute two people suspected of unlawfully obtaining and disclosing CCTV footage from the Department for Health and Social Care (DHSC).
Children's privacy and international collaboration12/04/2022 15:20:00
John Edwards, UK Information Commissioner, is in Washington DC this week to meet with regulators, civil society, lawmakers and tech companies, as well as present the work of the ICO at the IAPP Global Privacy Summit.
Blog: Why protecting children online in UK living rooms starts 5,000 miles away12/04/2022 09:10:00
Blog posted by: John Edwards, UK Information Commissioner, 11 April 2022.
Statement in response to open Democracy's letter08/04/2022 12:25:00
openDemocracy has issued an open letter about the Freedom of Information Act.
John Edwards article in Civil Service World – 5 April 202207/04/2022 12:25:00
Civil Service World have published an article by John Edwards, in which he discusses what he’s learned so far from his listening tour, and offers reassurance about the service that the ICO is looking to give to people and businesses.