The Information Commissioner’s Office has finalised new standard clauses (known as the IDTA, or ‘international data transfer agreement’) to support international data flows. The clauses have been laid before Parliament, and if no objections are raised, they will come into force on 21 March 2022.

External international transfer of data is prohibited under the UK GDPR unless:

  1. it is sent to an ‘adequate’ country,
  2. an organisation has put in place legally approved contractual or other arrangements which support the transfer, or
  3. an exemption set out in the UK GDPR applies.

Organisations will be able to use the IDTA as an approved transfer tool under the second of these routes.

Using the new clauses

There are two options available within the IDTA clauses toolkit:

  • using the standalone clauses published by the ICO, or alternatively
  • using the EU’s own updated standard clauses, published last year, supplemented with a new UK-specific addendum published by the ICO.

The ICO promises further clause-by-clause guidance on the new arrangements, as well as on conducting risk assessments that should form part of the decision-making around whether and how to transfer data overseas.

Transitional provisions set out that agreements made using the existing templates will remain valid until 2024, provided that (1) the processing operations that are the subject matter of the contract remain unchanged and (2) reliance on the clauses ensures that the transfer of personal data is subject to appropriate safeguards.

IDTA arrangements do not need to be entered into where the data is being transferred to countries that are deemed ‘adequate’. These include EEA member states, Israel, and the Channel Islands.

Making transfers to directly employed staff working overseas

The ICO has also published revised guidance on the definition of what constitutes an ‘international transfer’. The ICO’s guidance states that an ‘international transfer’ occurs where the receiver is legally distinct from the sender, as a separate company, organisation or individual. This includes transfers to another company within the same corporate group, or to non-employed contractors. In these cases one of the options described above needs to be considered.

However, the ICO’s guidance is explicit that from their perspective, sending personal data to someone directly employed by the sender but who is working overseas is not an ‘international transfer’ requiring further specific measures for UK GDPR compliance. In other words, it is not necessary to put in place IDTA arrangements with an organisation’s own employees, and this guidance will be helpful for organisations with directly employed staff who may be working remotely.

What you should do now

Organisations transferring data overseas under existing data flows, or as part of new arrangements, will need to take account of the new IDTAs and forthcoming ICO guidance, and consider risks to data arising from international data transfers.

Even if it is unnecessary to enter into IDTA clauses with employees working abroad in higher-risk countries, we recommend that employers still think carefully about the security of data overseas, as well as other issues, such as tax, and practical implications of staff working overseas. Having a policy would be a first step to reducing risks.

How Capsticks can help

Our team at Capsticks consists of experts in all areas of information law concerning healthcare and housing organisations, regulators and emergency services. We give practical advice on the full range of advisory, transactional, regulatory and litigated issues including effective information sharing between organisations, complex subject access requests, and responding to information security incidents and cyber-attacks.

For questions relating to how these provisions may affect your organisation, please speak to Andrew Latham or Lauren Danks, or for employment law matters relating to staff working overseas, please speak to Nicola Green or Saira Ramadan.