Crossing national borders

However liberal the patient consent and licence agreement is, you must ensure that personal data is not passed to a country without legal protection for personal data equivalent to that in the UK. The Data Protection Act 1998 doesn't place any special restrictions on identifiable data within the European Economic Area nations but for any data sent outside of the EEA the data must either be anonymised or have explicit consent from the patient to send their data to another centre. This is particularly important when considering uploading to an open repository, a website or VLE.

The ICO provides a list of countries in the EEA and also 'safe countries' that are classified as offering an adequate level of protection for personal data.