On 17 November 2022 the Information Commissioner’s Office (ICO) published much-needed guidance on international data transfers alongside a Transfer Risk Assessment (TRA) tool. The tool is designed to assist data controllers in assessing whether restricted data transfers can be made. Restricted transfers (UK) are data transfers made from the UK to a third country where the third country is not covered by UK adequacy regulations. These are data transfers authorised by appropriate safeguards (under Article 46) such as Standard Contractual Clauses (SCCs). This article gives an overview of what is required for each section in order to simplify its application.
Overview of the TRA tool
The ICO’s TRA tool is based around six questions (listed below). It would be more accurate to refer to them as six sections, as each of these ‘questions’ includes further sub-questions. The TRA tool contains detailed guidance for each question.
Question 1: What are the specific circumstances of the restricted transfer?
Perhaps the most straightforward aspect of the TRA tool, this section includes questions on the details of the transfer, such as the entities involved, the types of personal data involved and any technical and organisational measures in place, amongst other details.
Question 2: What is the level of risk to people in the personal information you are transferring?
Here, for all types of personal data involved in the transfer you are asked to assign both an inherent and a residual risk score. The inherent risk score reflects the risk prior to mitigations, and the residual score indicates the remaining risk after mitigations have been applied. For this the ICO includes both a risk index (below) and examples of risk scores for different types of data.
Question 3: What is a reasonable and proportionate level of investigation, given the overall risk level in the personal information and the nature of your organisation?
This section considers the size of the organisation, the residual risk scores (from question 2), and the volume of data involved to determine the type of investigation required (see below).
Question 4: Is the transfer significantly increasing the risk for people of a human rights breach in the destination country?
Here the focus is whether there are any human rights concerns relating to the data or whether the transfer will make a data breach more likely or more severe if it were to happen. Where this is the case, the data is deemed ‘significant risk data’.
Question 5: (a) Are you satisfied that both you and the people the information is about will be able to enforce the Article 46 transfer mechanism against the importer in the UK?
(b) If enforcement action outside the UK may be needed: Are you satisfied that you and the people the information is about will be able to enforce the Article 46 transfer mechanism in the destination country (or elsewhere)?
This section focuses on examining the importer country and any factors which may make enforcement of the Article 46 transfer mechanism problematic, such as concerns with adherence to the rule of law. Where any concerns are raised, the data in question is again deemed ‘significant risk data’.
Question 6: Do any of the exceptions to the restricted transfer rules apply to the “significant risk data”?
Finally, you are to consider whether any exceptions apply (these are the Article 49 derogations), for example the data subject having given explicit consent.
The TRA tool concludes that where any significant risk data has been captured from questions 4 and 5, and the exceptions listed in question 6 do not apply to all the significant risk data, the transfer cannot go ahead.
Impact and Applicability of the TRA tool
The ICO’s accompanying guidance clarifies that the TRA tool is just one way to complete an assessment as an alternative to EDPB guidance. UK data controllers will be pleased it is a relatively streamlined approach, not requiring the more detailed comparison of the legal frameworks which the latest EDPB recommendations require. That being said, the TRA tool is still relatively complicated, and a lengthy document at 41 pages. As the investigation chart included above suggests, there is still a detailed analysis to be completed on the importer country.
With this publication, the ICO has become the first regulator to provide step-by-step instructions for a transfer risk assessment. Given the impact of the Schrems II decisions, this is a useful move that increases clarity for practitioners in this area. The ICO are also planning on publishing worked examples of assessments completed using the TRA to give more clarity on how the tool should be applied.
Trilateral’s Data Protection and Cyber-Risk Team has significant experience supporting organisations to make lawful data transfers using SCCs and conducting Transfer Risk Assessments. For more information, please feel free to contact our advisers, who would be more than happy to help.