Transferring personal data from RGU to other organisations
There are many instances when RGU transfers the personal data of staff and students to other organisations for legitimate purposes, for example for the purpose of collaborative research.
This page explains the Data Protection Act 1998 and the legitimate sharing of personal data between RGU and other organisations.
For advice and guidance on the sharing of personal data within RGU, please visit the following web page:
Sharing personal data with other organisations within and outside the European Economic Area (EEA)
The eighth data protection principle states that personal data must not be transferred to countries outside the EEA, unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects, in relation to the processing of personal data, or unless an exemption applies.
Under the Data Protection Act, there are different legal requirements for sharing personal data, depending on which country the data will be held in. The most important distinction is whether personal data will be held within the EEA, in a country on the European Commission's approved list, or in another country.
The following countries are currently in the EEA:
Austria; Belgium; Bulgaria; Czech Republic; Cyprus; Denmark; Estonia; Finland; France; Germany; Greece; Hungary; Iceland; Ireland; Italy; Latvia; Liechtenstein; Lithuania; Luxembourg; Malta; Netherlands; Norway; Poland; Portugal; Romania; Slovakia; Slovenia; Spain; Sweden; and United Kingdom.
There are no restrictions on the transfer of personal data to other EEA countries. However, you must still comply with the 8 Data Protection Principles and the Data Protection Act.
Currently, the European Commission (EC) considers the following countries as offering an adequate level of protection for personal data:
Argentina; Canada; Guernsey; Isle of Man; and Switzerland.
The European Commission's data protection website can be accessed here:
United States of America
In the USA there are laws that apply to specific industries which provide some protection for personal data, but there is no general data protection law. However, the European Commission considers the 'Safe Harbor' scheme to provide an adequate level of protection.
For further information, please see the Information Commissioner's data protection guidelines:
Any transfer of personal data from RGU to another organisation must comply with the Data Protection Act and the 8 Data Protection Principles:
A written contract between RGU and the other organisation is the best way to ensure that this external organisation complies with the Data Protection Act.
For advice and guidance on writing up a contract for sharing personal data with an external organisation, please contact the University Records Manager, Keith Fraser, on 262882 and at k.fraser at rgu.ac.uk.
Points to note when writing up such a contract:
Staff are required to inform individuals before their data is passed on to other organisations;
Similarly, staff need to ensure individuals have given their consent for their personal data to be passed to you;
The written contract must state that the organisation will comply with the Data Protection Act and the 8 Data Protection Principles. Without this, the University is liable for any distress or damage caused.
For information regarding exemptions to the prohibition on transfers of personal data outside the EEA, please click on the following link to the ICO's website:
Please inform Keith Fraser if you wish to transfer personal data from RGU to external organisations. Keith can be contacted on 262882 and at k.fraser at rgu.ac.uk.
Last updated: 12.09.12 (KF)