SW03375 - Using Shared Workspace: Using Shared Workspace Outside of the United Kingdom
This guidance replaces that which referred to Using Shared Workspace Outside the European Economic Area.
When using Shared Workspace with customer members outside the UK, the Business Unit must consider the UK General Data Protection Regulation (UK GDPR) & the Data Protection Act 2018 (DPA).
Chapter V of the UK General Data Protection Regulation (UK GDPR) states:
‘The UK GDPR imposes restrictions on the transfer of personal data outside the United Kingdom, to third party countries or international organisations. These restrictions are in place to ensure that the level of protection of individuals afforded by the UK GDPR is not undermined.
Personal data may only be transferred outside of the UK in compliance with the conditions for transfer set out in Chapter V of the UK GDPR.’
If the transfer of personal data is for law enforcement purposes, the transfer must be compliant with Chapter V of the Data Protection Act 2018, Part 3.
The Business Case
The Business Case should make it clear if:
- Collaboration is intended with customers outside the UK and,
- It is intended to share personal data
Where the business has identified that the transfer will include personal data, which will be sent outside the UK, the business should complete a Data Protection Impact Assessment (DPIA). The DPIA should identify whether the importing organisation’s country has received a UK adequacy decision. For sharing under UK GDPR, the list of adequate countries can be found here. For sharing under DPA 2018, Part 3, the list of adequate countries can be found here.
Where the country in question does not have a UK adequacy decision, the business should seek advice from their SIBP team on alternative mechanisms for transfers. The alternative transfer mechanism should be documented within the DPIA.
Once the DPIA has been concluded, the business should then complete their business case and provide a copy of their DPIA, outlining the approved data protection transfer mechanism.
Once the Business Case has been approved by the appropriate Board, the Shared Workspace, Live Service Support Team (CSIR Director) will ask for confirmation from the Business that the Customer Organisation is DPA compliant.
Security & Information Business Partner (SIBP)
When requesting the Data Usage Agreement, the Business should advise the Security & Information Business Partner (SIBP) of the intended collaboration with an Organisation outside the UK.
Expansion of Shared Workspace
The Business Unit must inform the Shared Workspace, Live Service Support Team (CSIR Director) as soon as there is an intention to expand Shared Workspace to include an Organisation outside the UK or it becomes evident that an Organisation intends to outsource all or part of their business to a location outside the UK.
The Shared Workspace, Live Service Support Team (CSIR Director) will need confirmation from the Business Unit that they and their Security & Information Business Partner (SIBP) are satisfied that the organisation is DPA compliant.
Further information about the Data Protection Act is available on the Office of the Data Protection Officer (oDPO) Intranet Site.