Transfer Risk Assessment
UK Data Protection legislation provides a legal framework under which individuals’ rights and freedoms are protected when their personal data is processed. Many other countries have similar data protection laws, but not all.
A Transfer Risk Assessment (TRA) considers whether, as a result of the transfer of personal data to another country, there is any increase in the risk to people’s privacy and other human rights, compared with the risk had the data remained in the United Kingdom.
When to complete a TRA
A TRA may be required if:
- personal data is being transfered to an organisation in another country (e.g. transfer of student data for an exchange programme); and
- when instructing an organisation in another country to process personal data on the University's behalf (e.g. carrying out a research project in another country requiring the use of a translator based in that country to translate interview transcripts containing personal data)
Whether a TRA is required will depend on where the other organisation is based.
Applicable countries
The following countries have data protection laws broadly equivalent to the laws in the United Kingdom, therefore a TRA is not required for transfers:
- European Economic Area (EEA) countries
- Andorra
- Argentina
- Faroe Islands
- Guernsey
- Isle of Man
- Israel
- Jersey
- New Zealand
- Switzerland
- Uruguay
- Canada (only if the transfer is to a private organisation)
- Japan (only if the transfer is to a private organisation)
- USA (only if data is transferred under the EU-US Data Privacy Framework)
If the transfer is to any other country not listed above, a TRA will be required.
Completing a TRA
The University has adopted the Information Commissioner's Office TRA tool.
The TRA tool contains several decision points. You must seek advice from the DP&FOI Office if:
- at decision point B, your assessment results in the need for a Level 3 investigation.
- at decision point F, your assessment results in response 2 (“you may not proceed with the transfer”).
You should complete a TRA before entering into a contract with the organisation that you are transferring personal data to, so that any measures that you need to put in place as a result of the TRA can be captured in the contract.
You should store a copy of your completed TRA alongside your contract with the organisation to whom you are transferring personal data.
For advice and guidance on drafting, reviewing, or negotiating contracts please contact the University's Contracts Team.
Further guidance
Further guidance on TRAs can be found on the Information Commissioner's website.