The introduction of the UK-US Data Bridge, effective from 12 October 2023, marks a pivotal development in data protection, with particular relevance to UK pension schemes. This extended framework not only simplifies data transfers between the UK and the US but also opens up new opportunities for pension schemes in their choice of data processing suppliers.
Understanding the UK-US Data Bridge
The UK-US Data Bridge extends the EU-US Data Privacy Framework and acts as a certification scheme for US companies. It mandates compliance with a set of principles centred around the protection of personal data, replacing the earlier Privacy Shield Framework. US organisations who have been certified to the Data Privacy Framework can opt in to receiving data from the UK.
Implications for UK pension schemes
- Data transfers via sub-processors: Many pension schemes utilise suppliers who, in turn, may employ sub-processors operating in the US. The Data Bridge streamlines these data transfers, ensuring compliance with UK GDPR while simplifying the process.
- Access to US-based data processing suppliers: For pension schemes and their advisers, the Data Bridge could provide access to a broader range of data processing suppliers based in the USA. This can potentially lead to more competitive pricing, innovative technology solutions, and enhanced efficiency in data management.
- Compliance and protection standards: Despite these opportunities, it’s crucial for pension schemes to continue adhering to UK data protection laws. The Data Bridge does not diminish the importance of protecting sensitive data and upholding the rights of data subjects.
Trafalgar House’s position
Trafalgar House does not employ any sub-processors based in the US. This ensures direct control over data processing and compliance with UK data protection laws, offering an added layer of security and trust for our clients.
Due diligence for pension schemes
Pension schemes considering US-based data processing options should:
- Verify that US entities are certified to the UK Extension and are registered under the Data Privacy Framework.
- Conduct thorough checks on their privacy policies and data protection measures.
- Ensure that all contractual agreements explicitly cover data processing terms, in line with Article 28(3) GDPR requirements.
The UK-US Data Bridge opens new avenues for UK pension schemes in terms of data processing options. However, it is crucial to balance these opportunities with stringent compliance and data protection practices.
An important consideration in this respect is the sharing of special category or sensitive data with US organisations. UK pension schemes must correctly identify such data when it’s being shared to ensure it receives appropriate protections under the Data Privacy Framework (DPF). Special category data includes personal data revealing racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data, health data, and data concerning an individual’s sex life or sexual orientation.
When sharing this type of data, it’s essential for UK organisations to:
- Explicitly classify the data as ‘special category’ or ‘sensitive’.
- Ensure that US counterparts are fully aware of the nature of the data and the obligations under the DPF.
- Apply additional safeguards and measures to protect the data during the transfer process.
This added layer of diligence will ensure that such sensitive data is handled with the utmost care and in accordance with the stringent standards set by UK data protection laws.
For UK pension schemes, the UK-US Data Bridge presents an opportunity to explore data processing options in the US while maintaining the high standards of data protection required under UK law. Trafalgar House currently remains committed to UK-based data processing, as we believe it sets the benchmark for maintaining stringent data protection and compliance standards.