Doing business


• to the extent your business processes ‘sensitive personal data’ (i.e. data relating to health, racial or ethnic origin, political opinions, religious beliefs, trade union membership, sexual life or criminal offences), satisfying additional specified conditions. It is often necessary to obtain explicit consent of the data subjects
• providing data subjects with certain information when collecting data from them (or, if data is not collected directly from them, then before processing their data). This information must include:
  −− the identity of the data controller(s) for the data
  −− the purposes of the intended use of the data
  −− any other information that is necessary to enable the processing to be fair.

It is good practice to provide data subjects with a privacy statement providing details of how their data will be used.

Other requirements of the DPA include:

• you may need to obtain a registration with the UK Information Commissioner’s Office (ICO) covering the purposes for which your business will process personal data
• the scope of data you collect must be adequate and relevant for the purposes for which it was collected, and must be kept up to date
• personal data must be kept secure from unauthorised use or accidental loss. This includes a requirement to enter into a written contract with any ‘data processor’ who processes data on behalf of your business (e.g. a service provider), imposing controls on how data processors handle the data and requiring them to implement appropriate security measures.
• you must not hold personal data for longer than is necessary
• transfers of personal data to countries outside the European Economic Area (EEA) are prohibited unless the recipient country ensures an ‘adequate’ level of data protection for individuals.

Doing Business and Investing in the UK 2010


