If you handle personal information about individuals, you have a number of legal obligations to protect that information under the Data Protection Act 1998. There are eight main principles governing the processing of personal data under The Data Protection Act 1998:

·         be processed fairly and lawfully

·         obtained only for specified and lawful purposes, and shall not be processed in any manner incompatible with those purposes

·         be adequate, relevant and not excessive in relation to the purposes for which it is processed

·         be accurate and, where necessary, kept up to date

·         be kept for no longer than is necessary for the purposes for which it is processed

·         be processed in accordance with the rights of data subjects under the Act

·         be subject to appropriate technical and organisational measures to protect against unauthorised or unlawful processing and accidental loss, destruction or damage

·         not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of data protection

Link to the Act 

Further information:

Information Commissioner’s Office website