Wednesday, December 12, 2007

Where that trainee teacher data goes

Last month I mentioned that the Teaching and Development Agency for Schools has a privacy policy on its website that suggested the personal data of those applying to be teachers is transported outside the EU into countries with limited data protection.

I have now learned that the data is sent outside the EU, to a company in the USA, on a daily basis. Unlike HMRC, the data transfer is encrypted. The data in question contains name, address, phone number, email address, place of birth, date of birth and whether you have any disabilities.

The company is called Pearson and they are apparently a Safe Harbor registered company. Safe Harbor was developed by the US Department of Commerce to allow US companies to comply with EU data protection and privacy laws.

What's odd though is that Safe Harbor is just a self-certification framework. In other words, you get a form, say you have done everything on the checklist and get yourself registered, and UK agencies or companies can freely send data over the wire. Sounds like a false sense of security to me, but there you go.

2 comments:

Surreptitious Evil said...

"is just a self-certification framework. In other words, you get a form, say you have done everything on the checklist and get yourself registered"

A bit like PCI-DSS then? An arse-covering tick-box exercise for the big boys?

Morus said...

No defence of Safe Harbor, but surely the point is that private third-party corporations are much better at data security, because if they fail in their duty of care, they are fined and prosecuted, and the employees dismissed without references.

My company handles plenty of data outside of the EU, but our measures are stringent, and (as far as I have ever seen) followed, because of the disciplinary/fines/prosecutions that would inevitably follow.