Since the introduction of the Data Protection Act 1998 in the UK, everyone responsible for using personal data has to follow strict rules called ‘data protection principles’. They must make sure the information is:
- used fairly and lawfully
- used for limited, specifically stated purposes
- used in a way that is adequate, relevant and not excessive
- kept for no longer than is absolutely necessary
- handled according to people’s data protection rights
- kept safe and secure
- not transferred outside the European Economic Area without adequate protection
The key point of concern is the eighth principle, which states that you must not transfer personal data outside the European Economic Area without the data subject’s permission unless that country has an adequate level of protection for the rights and freedoms of the individual in relation to the processing of personal data.
If the transfer is to the United States of America, you need to check whether the US recipient of the data has signed up to the US Department of Commerce Safe Harbor scheme. The Safe Harbor scheme is recognised by the European Commission as providing adequate protection for the rights of individuals in connection with the transfer of their personal data to signatories of the scheme in the USA. Therefore, if the US recipient has signed up you are permitted to transfer the data; if they have not, you must not.
Be aware that certain types of companies cannot sign up to Safe Harbor – you can view a list of the companies who have signed up through the US Department of Commerce website. If you are intending to transfer personal data under Safe Harbor, you should check whether the US Safe Harbor entity to which you are transferring the personal data is compliant with its Safe Harbor obligations.