I have now learned that the data is sent outside the EU, to a company in the USA on a daily basis. Unlike HMRC the data transfer is encrypted. The data in question contains name, address, phone number, email address, place of birth, date of birth and if you have any disabilities.
The company is called Pearson and they are apparently a Safe Harbor registered company. Safe Harbor was developed by the US Department of Commerce to allow US company to comply with EU data protection and privacy laws.
What's odd though is that Safe Harbor is just a self-certification framework. In other words, you get a form, say you have done everything on the checklist and get yourself registered and UK agencies or companies can freely send data over the wire. Sounds likea false sense of security to me, but there you go.