Skip to Main Content

Research Data Management: International transfers

Research Data Management (RDM) Library guide

Data Management Plans (DMPs) - High-risk data

To help comply with legislation, international transfers of personal data or other high-risk data must be documented in the Data Management Plan before the start of the project.

These should be documented in the following sections/questions of the BU Data Management Plan (DMP) template:

Ethical and legal compliance

  • Will any of the data be received from partners outside of the UK? > International data transfers
  • Briefly list the countries/partners where data will be received from.
  • Will any of the data be sent to partners outside of the UK? > International data transfers
  • Briefly list the countries/partners where data will be sent to.

International data transfers and GDPR

It is potentially a breach of UK GDPR to transfer personal data outside of the UK. This could include sharing research data with a partner employed at another institution. It therefore needs to be documented in a Data Management Plan (DMP) if data will be shared/transferred to people or organisations outside of the UK.

A comprehensive guide to international transfers has been produced by the Information Commissioner's Office (ICO). It includes a checklist of conditions that would allow the international transfer of personal data, including a list of all the countries or territories covered by 'adequacy regulations'.

Trusted Research

Researchers must familiarise themselves with the Trusted Research Agenda.

The Trusted Research Agenda raises "awareness of the risks associated with research collaborations that involve organisations or research partners with links to nations whose democratic and ethical values are different from our own."

Personal or special category data, or other high-risk data, must be managed appropriately to avoid placing individuals at risk, breaching export controls, international sanctions or theft of intellectual property.

The Data Management Plan must document:

  • Whether data will be received from, or sent to partners outside of the UK. 
  • Any high-risk data that will be generated or collected.
  • Whether any of this high-risk data will be transferred overseas (directly or indirectly).