Before personal data are transferred from the country of collection to a third country, the researcher must
ensure that the data transfer is legal, and that all reasonable steps are taken to ensure adequate security to
maintain the data protection rights of individuals. This also applies when a “remote” server in a different
country is used to collect data from the respondent, or when the data are processed in an international “cloud.” The researcher
should explain this process in their privacy policy and provide appropriate safeguards to protect personal
data when asking the respondent for permission for the data transfer.

Given the heightened sensitivities concerning personally identifiable data among the general public and
regulators, researchers should always use conservative approaches to data release and transfer, bearing in
mind their desire to maintain consumer trust and have this recognised by legislators.