This is a Memorandum of Understanding (“MoU”) between the following Parties:

The Secretary of State for Digital, Culture, Media & Sport (“DCMS”)

at 100 Parliament Street, London, SW1A 2BQ

and

The Information Commissioner (“ICO”)

at Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

1. Definitions

1. “UK Adequacy Regulations” means regulations, made by the Secretary of State under section 17A (general processing) or section 74A (law enforcement processing) of the Data Protection Act 2018[footnote 1] (“DPA 2018”), giving effect to a finding by the Secretary of State that the specified country ensures an ‘adequate’ level of protection of personal data.

2. “UK GDPR” has the same meaning as in section 3(10) of the DPA 2018.

3. “UK Adequacy Assessment Work” means all activity by DCMS in preparation for, or otherwise relating to, potential or actual adequacy decisions to be taken by the Secretary of State for the purposes of the UK Adequacy Regulation-making powers conferred by sections 17A and 74A of the DPA 2018. Such activity includes, but is not limited to, the activity of DCMS as described in this MoU.

4. ‘Country’ – refers to a country, territory or sector therein, or international organisation, unless the contrary is specified.

2. Background

1. Sections 17A and 74A of the DPA 2018 confer powers on the Secretary of State to make UK Adequacy Regulations, in relation to general and law enforcement processing respectively, for the purposes of domestic law after the Transition Period ends at 23.00 GMT on 31 December 2020.

2. The effect of UK Adequacy Regulations is to permit personal data to flow from the UK to a country specified in the Regulations without any further Chapter V UK GDPR or Chapter 5, Part 3, Data Protection Act 2018 (as appropriate) safeguards being necessary.

3. Decisions relating to the making, review, amendment and revocation of UK Adequacy Regulations are, in accordance with the relevant provisions of the DPA 2018, ultimately a matter for the Secretary of State. Before making UK adequacy regulations, the Secretary of State is required to consult the ICO and such other persons as the Secretary of State considers appropriate (section 182(2) of the DPA 2018). This also reflects the requirement, in Article 36(4) of the UK GDPR, for the Secretary of State to consult the ICO in such circumstances.

4. Article 57(1)(c) of the UK GDPR (Tasks) provides that the ICO must advise Parliament, government and others on legislative and administrative measures relating to data protection (for general processing), and this is reiterated in section 115(3) of the DPA18 (for law enforcement processing).

5. This task is in addition to the Information Commissioner’s general power to issue an opinion on any issues related to data protection (Article 58(3)(b) and section 115(3)). Equivalent provisions in respect of law enforcement processing are found at paragraphs 1(1)(c) and 2(d) of Schedule 13 to the DPA 2018.

6. This MoU only relates to the role of the ICO in relation to potential “new” UK Adequacy Regulations (that is, the making of Regulations under the powers in ss. 17A or 74A of the DPA 2018 for the first time in respect of a country). For the avoidance of doubt, this MoU relates to any such UK Adequacy Regulations to potentially be made in respect of any country that is, at the time such Regulations are to be made, “specified” for the purposes of paragraphs 4(1) or 10(1) of Schedule 21 to the DPA 2018.

7. The Information Commissioner’s role in any Adequacy Assessment review process (for the purposes of ss.17B or 74B of the DPA 2018 in respect of existing regulations made under ss. 17A or 74A of the DPA 2018) will be subject to a separate MoU between the parties.

3. Purpose and key principles

1. This MoU sets out an agreed understanding between the Parties on the role and responsibilities of the ICO in relation to UK Adequacy Assessment Work.

2. In particular, this MoU describes the agreed understanding between the Parties on the:

  1. Working-level cooperation and consultation between DCMS and the ICO;

  2. Status of the cooperation and consultation, including the status of the views of the ICO; and

  3. Respective roles and responsibilities of DCMS and the ICO in the context of future decision-making by the Secretary of State in relation to UK Adequacy Regulations.

3. The Parties agree to the following guiding principles as part of this MoU:

  1. ‘No surprises’ environment – Close working-level engagement between DCMS and ICO teams at all stages to provide both Parties the opportunity to discuss in a timely manner issues relating to UK Adequacy Assessment Work to help ensure ‘no surprises’ relating to future positions and decision-making.

  2. Sharing expertise – DCMS recognises that the ICO, as the UK’s supervisory authority for data protection, can bring valuable factual information, insights, and knowledge in those areas where the ICO is well placed to assist (an example would be sharing information relating to the role and effectiveness of the relevant country’s regulator).

  3. Forward planning – In this context, DCMS recognises that sharing information in a timely manner on its programme of UK Adequacy Assessment Work with the ICO will inform appropriate management of ICO resourcing in pursuit of the ICO’s role set out in this MoU. Similarly, the ICO will share information with DCMS to inform DCMS planning of UK Adequacy Assessment work, taking account of ICO resourcing and the implications of substantive issues raised by ICO

  4. Independent decision-making by the Secretary of State – As required by s.182 of the DPA 2018, the Secretary of State will consult the ICO before making UK Adequacy Regulations and will take into account, but is not bound by, the ICO’s views. DCMS will undertake UK Adequacy Assessment Work and the Secretary of State alone retains the decision-making power as to the “adequacy” of another country.

  5. Independence of the ICO – Nothing in this MoU impacts the independence of the ICO.

4. Roles and responsibilities

1. The Parties recognise that DCMS and the ICO have different roles:

1. The Secretary of State is empowered to make UK Adequacy Regulations in respect of a country. To assist with this, a specific team of officials within DCMS will undertake UK Adequacy Assessment Work. This includes conducting research and carrying out engagement to collect information, consulting on this information with relevant stakeholders (including, where appropriate, the ICO), undertaking analysis of any information obtained and making recommendations to the Secretary of State. The Secretary of State will consider recommendations for adequacy decisions in respect of a country and undertake any necessary consultation (including with the ICO) before taking a decision as to whether or not to make UK Adequacy Regulations.

2. The UK Adequacy Assessment Work to be undertaken by DCMS can be categorised into four broad phases: (1) Gatekeeping, (2) Assessment, (3) Recommendation, and (4) Procedural.

  1. Gatekeeping is the programme of work associated with making a decision as to whether to commence an assessment in respect of a country, by reference to numerous policy factors reflecting HMG and UK interests.

  2. Assessment is the programme of work associated with collecting and analysing information relating to the level of data protection in another country.

  3. Recommendation is the programme of work associated with the DCMS UK Adequacy Assessment team making a recommendation to the Secretary of State who will then decide whether to make a finding of adequacy and make UK Adequacy Regulations in respect of another country.

  4. Procedural is the programme of work associated with making the relevant UK Adequacy Regulations, laying these in Parliament, and any subsequent publication of the ICO’s opinion.

3. The ICO’s role in relation to UK Adequacy Assessment Work – in line with its independent regulatory role and statutory responsibilities – includes:

  1. During the Gatekeeping and Assessment phases in response to being engaged by officials in DCMS: providing comments and advice to DCMS officials, including via provision of relevant factual information that relate to a country’s data protection laws and practices (e.g. the role and effectiveness of the relevant country’s regulator);

  2. During the Recommendation phase: providing a response on the draft conclusions of a DCMS assessment so that the Commissioner’s view can be included in the recommendation to the Secretary of State and factored into their decision making. In forming its view, the ICO will consider, inter alia, the features of a country’s data protection laws and practices in the round, recognising that different countries have different ways of ensuring adequate levels of data protection; and

  3. During the Procedural phase: providing advice and/or an opinion to Parliament, including on the process followed and the factors taken into consideration by the DCMS Adequacy Assessment team and the Secretary of State.

2. The Parties agree, where appropriate, to provide assistance to each other, in light of their particular roles, as set out below:

     
  DCMS ICO
Gatekeeping Share factual research and analysis relating to countries’ data protection laws and practices. Share information on which countries are being considered as potential candidates for future assessment. Provide the list of countries agreed by the Secretary of State to commence assessments (the ‘pipeline’). Provide comments and advice, including factual information to supplement DCMS research and analysis, especially on issues the ICO is well-placed to comment on (e.g. the practical implementation of relevant data protection law and its understanding of the role of the foreign regulator).
Assessment Request comments and supplementary information from the ICO.Share issues relating to a foreign country’s laws or practices that differ from the UK. Provide comments and advice on supplementary information to DCMS. Provide informal views on issues identified by DCMS (including what recommendations they will make in any advice or opinion to Parliament).
Recommendation(No proposed policy position nor any response from the ICO on that proposed policy position will be taken as the final position for either DCMS or the ICO, respectively, and neither Party will make the other Party’s proposed position public (except if a disclosure is required by law). Share a proposed policy position with the ICO prior to the Secretary of State taking a decision. Take any appropriate follow-up action in light of the ICO response to this policy position.Make recommendations to the Secretary of State, incorporating the views of the ICO. Notify the ICO of the decision. Share a response on the proposed policy position so that this view can be included in the recommendation to the Secretary of State and factored into their decision-making.
Procedural Notify the ICO of the proposed timeline for laying UK Adequacy regulations in Parliament. Where requested, provide comments to assist DCMS with the drafting of relevant adequacy regulations. Notify DCMS of the ICO’s timings for the publication of any advice or opinion for Parliament after adequacy regulations are laid in Parliament.

3. In respect of all phases of work both Parties agree to meet at agreed intervals to discuss:

  1. The ongoing and future programme of UK Adequacy Assessment Work, including sharing information where appropriate on upcoming milestones and timelines and;

  2. International engagement opportunities, including those opportunities where HMG and the ICO can appropriately engage with other stakeholders together (e.g., in conversations with another country and its regulator(s)).

4. In respect of all phases of UK Adequacy Assessment Work both Parties agree, where appropriate, to share relevant information relating to resourcing capacity, assumptions, and risks so that the programme of UK Adequacy Assessment Work is not hindered by a bottleneck due to the DCMS-ICO relationship.

5. DCMS will ensure that only appropriate material arising from all phases of the UK Adequacy Assessment Work is shared with the ICO, protecting (amongst other things) HMG’s national security, broader policy and legal interests, whilst still seeking to ensure that the ICO has sufficient information for it to provide meaningful and detailed comments, advice and opinions to DCMS and to Parliament. Information will be shared via the appropriate processes, including appropriate Government IT systems, dependent on classification of the material to be exchanged.

5. Confidentiality

1. All information will be appropriately classified under the Government Security classification system and protected by each party accordingly.

2. In particular, the ICO confirms that its usual process will be for it not to publish, share, disclose or otherwise disseminate or make available, directly or indirectly, any information (including its opinion) about UK Adequacy Assessment Work in relation to a particular country, except in exceptional circumstances or if such a disclosure (etc.) is required by law, in which case ICO would consult with DCMS prior to such disclosure (save in exceptional circumstances). Notwithstanding the foregoing, in accordance with the ICO’s role in the Procedural phase, the ICO will, if appropriate, publish any advice and/or opinion relating to the specific UK Adequacy Regulations once those UK Adequacy Regulations have been made and laid in Parliament.

3. Similarly DCMS confirms that it will not publish, share, disclose or otherwise disseminate or make available, directly or indirectly, any information provided to it by ICO in relation to UK Adequacy Assessment Work without prior agreement with the ICO, except in exceptional circumstances or if such a disclosure (etc.) is required by law, in which case DCMS would consult with ICO prior to such disclosure (save in exceptional circumstances).

4. Nothing in this MoU shall be taken as in any way affecting any legal obligation or duties or powers of either Party, including but not limited to any obligations under the Freedom of Information Act 2000.

5. The Parties agree, to the extent permitted by law and where appropriate to do so, to co-operate with each other to enable them to comply with their respective legal obligations, including but not limited to those arising under the Freedom of Information Act 2000.

6. In particular, to the extent permitted by law and where appropriate to do so, the Parties agree to notify each other in advance of sharing, disclosing or otherwise disseminating or making available, directly or indirectly, any information in respect of UK Adequacy Assessment Work, including where this is to be done in compliance with any legal obligation.

6. Review

  1. This MOU will be reviewed between 1 July 2021 and 31 December 2021 and annually thereafter, unless a review is mutually agreed to be required sooner.

The Rt Hon Oliver Dowden CBE MP, Secretary of State for Digital, Culture, Media and Sport

22 December 2020

Elizabeth Denham CBE, Information Commissioner

15 January 2021