A risk assessment for data transfer involves the Collector conducting due diligence on a specific third-party recipient to whom the Collector plans to transfer the audio data. The Collector should assess whether the recipient will continue to safeguard the audio data, including the audio data’s evidentiary value.
The risk assessment should additionally identify:
- whether transfer to the third-party recipient is in line with the objectives of the collection effort;
- any privacy and security concerns posed to the audio data subjects in the course of or as a result of the transfer; and,
- any risk posed to the integrity of the audio data in the course of or as a result of the transfer.
If the GDPR applies to the collection effort, the Collector must be sure that equivalent privacy protections will be guaranteed by the third-party recipient.[1]
The Collector should carry out a risk assessment prior to transferring audio data to each third-party recipient. A risk assessment should also be carried out in the event of a material change in an existing third-party recipient’s capacity or circumstances, such that it could affect that party’s ability to safeguard the data and its evidentiary value.
Any such assessment should be documented in writing per BP 3 and preserved by the Collector. The assessment should include a clear delineation of what information can be transferred safely to the third party. If the risk assessment establishes that transferring the data would pose a risk to the data, associated individuals, or other aspects of the collection effort, then the data must not be transferred unless the risk can be managed[2] (for example, by redacting the data as needed, per BP 23).
Tech Specs & Resources
Refer to BP 6, Technical Specifications + Resources, ‘Risk management resources’.
Legal Framework
See section 4.2.2.C on the factors relevant to finding that an interference with the right to privacy is proportionate, and can therefore be seen as justified. In particular, see the discussion on limiting who has access to data.
See section 4.2.4.B on ‘Scope of the GDPR’, ‘Data Protection Measures’, and ‘Data Transfers’ under the GDPR.
See also the European Court of Human Rights decision in Big Brother Watch and Others v. United Kingdom, Judgment, para. 362, wherein the Court stated that, in relation to data transfers, ‘the transferring [entity] must ensure that the receiving [entity], in handling the data, has in place safeguards capable of preventing abuse and disproportionate interference. In particular, the receiving [entity] must guarantee the secure storage of the material and restrict its onward disclosure.’
Applicable Ethical Principles
Do No Harm; Legal Awareness; Accountability; Accuracy, Impartiality, and Objectivity.