ICO updates International Data Transfer Guidance: Webinar 10 March

The ICO, the UK's Data Protection Authority, recently updated its international data transfer guidance and will hold a webinar on this topic on 10 March.


On 15 January 2026, the ICO released its guidance on receiving personal information from the EEA: Receiving personal information from the EEA | ICO


Also, the ICO published A brief guide to international transfers | ICO


Lastly, on 10 March the ICO will hold a webinar (International transfer guidance – webinar | ICO): click on the link to register.


In the released documents you will find a very interesting and clear example about a hospital in the Republic of Ireland (which is in the EU) that provides care to a patient from Northern Ireland (which is in the UK).


Two sentences surprised us a bit:

  1. 'The role of a representative is to act on your behalf regarding your EU GDPR compliance': our understanding at PharMarketing, per Article 27 of the EU GDPR, is that an EU data protection representative (DPR) is just a 'go-between' between people in the EU/EEA and an organisation outside the EU/EEA.

  2. 'You also need to make the details of your representative easily accessible to supervisory authorities, for example, by publishing their contact information on your website.': our understanding at PharMarketing is that this is optional, at the discretion of the organisation which has appointed an EU/EEA DPR; what is mandatory is to describe how to contact the EU/EEA DPR in documents like information notices and contracts with vendors.


For any question on UK privacy guidance, feel free to contact our UK senior consultants:

  • Dave Edwards at d.p.edwards@pharmarketing.net
  • Julianne Hull at j.m.hull@pharmarketing.net





Examples of Non-Compliance with Health Data Privacy

Data Protection Authorities ('DPAs') have published several decisions related to the processing of health data in recent months.


Such decisions shed light on the key measures to implement to stay compliant with privacy (and healthcare) laws and avoid a critical finding.


For each decision, we propose key takeaways: use them as ideas and guidelines for your own organisation. Check that such measures are implemented at your organisation and, if not, talk to your management (or talk to us!).


Many thanks to NOYB's GDPRhub and to databreaches.net for all this valuable information!


Italy:


Fact:

The Italian DPA, the Garante, fined a doctor €5,000 for unlawfully disclosing a patient's health data by publishing photos of a surgical procedure on a social media platform: the photos were not effectively anonymised, and the consent obtained was invalid.


Takeaway:

It is mandatory to inform people and obtain their valid, informed consent before publishing their personal data. Where publication relies on anonymisation instead, the anonymisation must actually prevent the patient from being recognised; a partial mask or crop that leaves the person identifiable is not anonymisation.


United Kingdom:


Fact:


A GP surgery, Staines Health Group, shared far too much of a terminally ill patient's medical information with an insurer. Instead of sending the five years of history the patient had requested, Staines Health Group sent 23 years of records, including highly sensitive details the insurer did not need to see. The patient believes this mistake led to a smaller insurance payout. Read the ICO's article here.


Takeaway:

Organisations providing healthcare must appoint a Data Protection Officer ('DPO'): Staines Health Group should have asked its DPO to review the disclosure before answering the insurer's request. Health records are some of the most sensitive information an organisation holds, and mistakes like this cause real distress. Organisations must therefore take extra care when handling medical data and share only what is necessary: here, no more than the five years the patient had authorised, checked against the request before anything leaves the practice.


United States:


Fact:


The Illinois Department of Human Services exposed the protected health information of more than 700,000 state residents: a website created for internal use, to help with resource allocation and decision-making, was inadvertently made accessible over the public Internet. Read more in the HIPAA Journal here: https://www.hipaajournal.com/j...


Takeaway:


Organisations should implement the access-control, configuration-management and change-control measures of ISO/IEC 27001 (or a comparable framework). A password alone is not the lesson here: an internal application must require authentication and authorisation on every request, be reachable only from the internal network, and be reviewed before any change that could expose it. Regular scanning of the organisation's public-facing address space catches an accidental exposure quickly when those controls fail.
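The takeaway above prescribes a password; what a practitioner actually wants is two independent gates, so that an application accidentally reachable from the Internet still refuses requests that do not come from the internal network and do not carry an authenticated session. The Python below is an added illustration, not code from the Illinois DHS system or from the HIPAA Journal article; the networks, the proxy address, the session store and the requests are all constructed. It also covers the common failure of trusting a client-supplied X-Forwarded-For header, which would let a public client simply claim an internal address.

```python
"""Gate an internal-only web app on network origin AND an authenticated session.

Added illustration; not code from any real deployment. Every address,
token and request below is constructed for the example.
"""
import hmac
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed allowlist of internal source networks.
INTERNAL_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed address of the only reverse proxy whose X-Forwarded-For we trust.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.2")}

# Constructed session store (token -> user). A real one is server-side with expiry.
SESSIONS = {"tok-alice-4f9c": "alice"}


@dataclass
class Request:
    peer_ip: str                          # address of the TCP peer (socket level)
    forwarded_for: Optional[str] = None   # X-Forwarded-For header, client-controlled
    session_token: Optional[str] = None


def client_ip(req: Request):
    """Resolve the real client address, or None if it cannot be trusted.

    X-Forwarded-For is honoured only when the peer is a trusted proxy, and
    then only its rightmost entry (the hop the proxy itself appended).
    From anyone else the header is attacker-controlled and ignored.
    """
    try:
        peer = ipaddress.ip_address(req.peer_ip)
        if peer in TRUSTED_PROXIES and req.forwarded_for:
            return ipaddress.ip_address(req.forwarded_for.split(",")[-1].strip())
        return peer
    except ValueError:
        return None  # malformed address: fail closed


def source_is_internal(req: Request) -> bool:
    addr = client_ip(req)
    return addr is not None and any(addr in net for net in INTERNAL_NETWORKS)


def session_user(token: Optional[str]) -> Optional[str]:
    """Look the token up with a constant-time comparison per stored token."""
    if not token:
        return None
    for stored, user in SESSIONS.items():
        if hmac.compare_digest(stored.encode(), token.encode()):
            return user
    return None


def authorize(req: Request) -> tuple:
    """Allow only when BOTH gates pass; the string is what the access log records."""
    if not source_is_internal(req):
        return False, "deny: source outside internal networks"
    user = session_user(req.session_token)
    if user is None:
        return False, "deny: no valid session"
    return True, f"allow: {user}"


if __name__ == "__main__":
    # Constructed requests: a public client with a valid token is still refused.
    for r in (Request("10.3.4.5", session_token="tok-alice-4f9c"),
              Request("203.0.113.7", session_token="tok-alice-4f9c"),
              Request("203.0.113.7", forwarded_for="10.1.1.1", session_token="tok-alice-4f9c")):
        print(r.peer_ip, authorize(r))
```

The order of the checks matters in production too: rejecting on network origin first means an unauthenticated Internet scanner never reaches the session lookup, so nothing in the application's authentication path is exposed to it.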


Fact:


A data breach at Geisinger Health, a healthcare provider in Pennsylvania, USA, was caused by a former employee of its vendor Nuance Communications. After his employment was terminated, the former employee was still able to access Geisinger patient data. Geisinger detected the breach and notified Nuance.


Takeaway:


Organisations must have a leaver process that revokes access to all systems on the day an employee leaves, and the process must also cover staff employed by vendors who hold access on the organisation's behalf. Revocation should be verified rather than assumed: reconcile HR and vendor leaver lists against the accounts that are still enabled, and review access logs for activity after a leaving date.
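The two verification checks above, reconciling leavers against enabled accounts and looking for access after the leaving date, are easy to automate. The Python below is an added illustration and is not Geisinger's or Nuance's actual process; the HR feed, the IAM export and the audit log lines are constructed for the example, and the vendor contractor is included deliberately because vendor staff are the organisation's risk even though they are paid by someone else.

```python
"""Reconcile HR leaver records against enabled accounts and access logs.

Added illustration; not Geisinger's or Nuance's actual process.
Every record below is constructed for the example.
"""
from datetime import date, datetime

# Constructed HR feed, including a vendor contractor (v042).
PEOPLE = [
    {"id": "e001", "employer": "hospital", "left": None},
    {"id": "v042", "employer": "vendor-transcription", "left": date(2026, 1, 10)},
    {"id": "e017", "employer": "hospital", "left": date(2026, 1, 31)},
]

# Constructed IAM export: which accounts are still enabled today.
ACCOUNTS = {"e001": True, "v042": True, "e017": False}

# Constructed EHR audit log: timestamp, account, patient, action.
ACCESS_LOG = """\
2026-01-09T14:02:11Z v042 patient=P1001 action=view
2026-01-12T09:15:40Z v042 patient=P2208 action=view
2026-01-12T09:16:02Z v042 patient=P2209 action=export
2026-02-01T08:00:00Z e001 patient=P1001 action=view
2026-02-02T10:30:00Z e017 patient=P3310 action=view
"""


def parse_log(text: str) -> list:
    """Parse the constructed audit-log format into dicts with aware timestamps."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, patient, action = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "account": account,
            "patient": patient.split("=", 1)[1],
            "action": action.split("=", 1)[1],
        })
    return events


def leavers(people: list, as_of: date) -> dict:
    """Account id -> leaving date for everyone who has left on or before as_of."""
    return {p["id"]: p["left"] for p in people if p["left"] and p["left"] <= as_of}


def still_enabled_after_leaving(people: list, accounts: dict, as_of: date) -> list:
    """Leavers whose account is still enabled: the deprovisioning failure itself."""
    return sorted(acct for acct in leavers(people, as_of) if accounts.get(acct))


def access_after_leaving(people: list, events: list, as_of: date) -> list:
    """Audit events by a leaver dated strictly after their leaving date.

    This catches what the IAM export cannot: an account reported as disabled
    that still produces events (e017 below) points to a second credential
    path or a stale export, and needs investigation just as much.
    """
    gone = leavers(people, as_of)
    return [e for e in events
            if e["account"] in gone and e["ts"].date() > gone[e["account"]]]


def run_checks(as_of_iso: str) -> dict:
    """Run both checks for a cut-off date given as YYYY-MM-DD."""
    as_of = date.fromisoformat(as_of_iso)
    events = parse_log(ACCESS_LOG)
    return {
        "enabled_leavers": still_enabled_after_leaving(PEOPLE, ACCOUNTS, as_of),
        "late_access": [(e["account"], e["ts"].date().isoformat(), e["patient"], e["action"])
                        for e in access_after_leaving(PEOPLE, events, as_of)],
    }


if __name__ == "__main__":
    for name, finding in run_checks("2026-02-15").items():
        print(name, finding)
```

Run daily against the real HR feed, IAM export and EHR audit log, the first list is the ticket for the identity team and the second is the trigger for an incident review; an empty first list with a non-empty second one is the more worrying result, because it means access survived the account being disabled.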





Privacy News from around the Globe




  • 1 February 2026: the EU-Singapore Digital Trade Agreement enters into force. This DTA calls for a free transfer of data between the two geographies and can be seen as a 'pre-adequacy' step. Key takeaway: organisations on both sides will need the consent ('opt-in') of recipients before sending marketing communications. Our opinion at PharMarketing is that consent should be used globally for B2C communications. For B2B, except in countries where consent is clearly not mandatory (e.g. France and the UK), organisations should also use consent. Read the full text of the DTA here: L_202600126EN.000101.fmx.xml

  • On 2 February, Singapore's Data Protection Authority ('DPA'), the PDPC, released a message saying it will sanction organisations using citizens' NRIC (national ID) numbers as a way to identify people. Read the full text here: PDPC | PDPC to Step up Enforcement Action Against Misuse of NRIC numbers and Issues New Advisory on Data Protection
  • Comment from PharMarketing: keeping people's ID numbers is against privacy laws everywhere.


  • 5 February 2026: Most UK Data Use and Access Act provisions are now in force; the Complaints Management will be applicable around June 2026, the ICO said. Read more here: Statement on the commencement of the Data (Use and Access) Act (DUAA) | ICO

  • US and Argentina signed a trade deal with data adequacy recognition on 5 February 2026: the factsheet states 'Argentina has committed to recognizing the United States as an adequate jurisdiction under Argentine law for the cross-border transfer of data, including personal data. Argentina has also committed not to impose customs duties on electronic transmissions or digital services taxes, and to refrain from discriminating against U.S. digital services or digital products.' Read factsheet here https://ustr.gov/about/policy-... and the press release here: https://ar.usembassy.gov/u-s-a...
  • Opinion of PharMarketing: this could be used to circumvent the protections given by the GDPR to personal data transferred from the EU/EEA, UK and CH to the US: if an organisation in the EU/EEA/UK/CH transfers personal data to the US via Argentina, such personal data would not benefit from the protections given by the GDPR.

  • US and Bangladesh also signed a trade deal with data adequacy recognition on 9 February 2026: read here: https://www.whitehouse.gov/bri....

  • Colombia released new model contractual clauses for international data transfers. They were introduced in December 2025 by Circular Externa No. 003 of 2025.

  • Saudi Arabia: the Saudi Data and AI Authority (SDAIA) released the rules governing the licensing of activities for issuing accreditation certificates for Controllers and Processors and for auditing and inspection activities related to the processing of personal data. Download the document in English here: CertificatesControllersProcessorsAuditingInspectionPersonalDataProcessingActivities.pdf

  • 11 February 2026: Israel's Privacy Protection Authority and Ministry of Health issued a guide for de-identifying medical data. The guide covers common anonymisation methods, the challenges of the anonymisation process and how to conduct re-identification risk assessments. Access the press release and the guide here (in Hebrew): https://www.gov.il/he/pages/me...

  • 19 February 2026: Oklahoma passed a comprehensive privacy law: it is expected to take effect on 1 Jan. 2027. Read here: https://legiscan.com/OK/bill/S...



  1. DPIA means: b) Data Protection Impact Assessment

  2. If we redact the names of European patients from a data set, is it no longer personal data? No. Privacy laws in Europe state that even if all direct identifiers (last name, first name, email address, etc.) are removed from a data set, the data set is still personal data (it is pseudonymised, not anonymised) and falls under European privacy laws, because the remaining fields (date of birth, postcode, sex, diagnosis) can still be combined to single out an individual. It is worth noting that this also applies in Canada.
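Quiz answer 2, and the re-identification risk assessments mentioned in the Israeli guide above, come down to a measurable question: once names are gone, how many records share the same combination of remaining quasi-identifiers? The Python below is an added illustration, not a tool from any DPA or from the Israeli guide; the patient rows are constructed and the postcodes are UK-style placeholders. It computes k-anonymity (smallest group of records that look alike), counts records that are unique and therefore re-identifiable from a single external fact, and shows why k alone is not enough by also computing l-diversity of the diagnosis column. It goes beyond the quiz by showing the effect of generalising the quasi-identifiers (outward postcode and birth year only).

```python
"""Measure re-identification risk in a record set after names are removed.

Added illustration; not a DPA's or the Israeli guide's method.
Records are constructed; postcodes are UK-style placeholders.
"""
from collections import Counter

# Constructed patient rows with direct identifiers already stripped.
RECORDS = [
    {"postcode": "SW1A 1AA", "dob": "1984-03-12", "sex": "F", "diagnosis": "asthma"},
    {"postcode": "SW1A 1AA", "dob": "1984-03-12", "sex": "F", "diagnosis": "diabetes"},
    {"postcode": "SW1A 2BB", "dob": "1990-07-01", "sex": "M", "diagnosis": "hypertension"},
    {"postcode": "SW1A 2BC", "dob": "1990-11-23", "sex": "M", "diagnosis": "depression"},
    {"postcode": "EC1A 1BB", "dob": "1975-05-30", "sex": "F", "diagnosis": "asthma"},
    {"postcode": "EC1A 1BB", "dob": "1975-05-30", "sex": "F", "diagnosis": "asthma"},
    {"postcode": "EC1A 1BD", "dob": "1975-09-09", "sex": "M", "diagnosis": "hypertension"},
    {"postcode": "EC1A 1BE", "dob": "1975-02-14", "sex": "M", "diagnosis": "asthma"},
]
QUASI_IDENTIFIERS = ("postcode", "dob", "sex")
SENSITIVE = "diagnosis"


def identity(field: str, value: str) -> str:
    return value


def generalise(field: str, value: str) -> str:
    """Coarsen quasi-identifiers: outward postcode only, birth year only."""
    if field == "postcode":
        return value.split()[0]
    if field == "dob":
        return value[:4]
    return value


def equivalence_classes(records, quasi, transform=identity) -> Counter:
    """How many records share each (transformed) quasi-identifier tuple."""
    return Counter(tuple(transform(f, r[f]) for f in quasi) for r in records)


def k_anonymity(records, quasi, transform=identity) -> int:
    """Size of the smallest class: k == 1 means some record stands alone."""
    return min(equivalence_classes(records, quasi, transform).values())


def unique_records(records, quasi, transform=identity) -> int:
    """Records alone in their class: one matching external fact re-identifies them."""
    return sum(1 for n in equivalence_classes(records, quasi, transform).values() if n == 1)


def l_diversity(records, quasi, sensitive, transform=identity) -> int:
    """Fewest distinct sensitive values in any class.

    l == 1 means a class leaks its diagnosis even when no single row
    can be picked out of it (the homogeneity attack).
    """
    groups = {}
    for r in records:
        key = tuple(transform(f, r[f]) for f in quasi)
        groups.setdefault(key, set()).add(r[sensitive])
    return min(len(values) for values in groups.values())


if __name__ == "__main__":
    for label, t in (("raw", identity), ("generalised", generalise)):
        print(label,
              "k =", k_anonymity(RECORDS, QUASI_IDENTIFIERS, t),
              "unique =", unique_records(RECORDS, QUASI_IDENTIFIERS, t),
              "l =", l_diversity(RECORDS, QUASI_IDENTIFIERS, SENSITIVE, t))
```

On the raw rows half the records are unique on (postcode, date of birth, sex), so the set is plainly personal data even with no name in it. Generalising to outward postcode and birth year brings every class to at least two records, but the two EC1A women born in 1975 both have asthma, so l stays at 1: anyone who knows one of them is in the set learns her diagnosis. A re-identification risk assessment has to look at both numbers, and at what external data (electoral roll, social media, a news story) an attacker could join against.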