Disclosure of communications data to overseas authorities paras 7.16 to 7.20
Disclosure of communications data to overseas authorities
7.16 Where a United Kingdom public authority is considering the acquisition of communications data on behalf of an overseas authority and transferring the data to that authority it must consider whether the data will be adequately protected outside the United Kingdom and what safeguards may be needed to ensure that.[79] Such safeguards might include attaching conditions to the processing, storage and destruction of the data.
- [79] The eighth data protection principle is: ‘Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.’ (Paragraph 8, Schedule 1, DPA 1998)
- [80] Paragraph 4, Schedule 4, DPA 1998
7.17 If the proposed transfer of data is to an authority within the European Union that authority will be bound by the European Data Protection Directive (95/46/EC) and its national data protection legislation. Any data disclosed will be protected there without need for additional safeguards.
7.18 If the proposed transfer is to an authority outside of the European Union and the European Economic Area (Norway, Liechtenstein and Iceland) then it must not be disclosed unless the overseas authority can ensure an adequate level of data protection. The European Commission has determined that certain countries, including Canada and Switzerland, have laws providing an adequate level of protection where data can be transferred without need for further safeguards.
7.19 In all other circumstances the United Kingdom public authority must decide in each case, before transferring any data overseas, whether the data will be adequately protected there. If necessary the Information Commissioner can give guidance.
7.20 The DPA recognises that it will not always be possible to ensure adequate data protection in countries outside of the European Union and the European Economic Area, and there are exemptions to the principle, for example if the transfer of data is necessary for reasons of ‘substantial public interest’[80]. There may be circumstances when it is necessary, for example in the interests of national security, for communications data to be disclosed to a third party country, even though that country does not have adequate safeguards in place to protect the data. That is a decision that can only be taken by the public authority holding the data on a case by case basis.