Data Protection And Business
Neil Bromage has run his own small business and is a freelance business writer working on a range of newspapers including The Times, Sunday Times, Telegraph and Financial Mail on Sunday. This book is based on a wide range of columns and Q&As written and answered by Neil for Business Link over a number of years. He is based near Preston, Lancs.
The Data Protection Act was enacted to give individuals rights of access to information held about them by others and to ensure that people who process data do it properly. If your business holds information (however sensitive or not) about living, identifiable individuals, you may need to notify the Data Protection Commissioner – failure to do so can result in fines of up to £5,000.
However, you may be exempt from notification – though still required to comply with the law – if you use the data for core business purposes only, including staff administration (of all employees, office holders, temporary and casual workers, agents and volunteers); accounts and records; advertising, marketing and PR. So, if you hold information about your customers and prospects and use the data only to market your own products and services, you are unlikely to need to notify the Data Protection Commissioner.
The principles of the Act include stringent guidelines for data management. To be allowed to hold information on individuals you must show that they have given their consent, that it is necessary to fulfil a contract with the person, to protect the person’s vital interests or to comply with a particular law.
The information must, of course, be accurate, relevant and not excessive, and you must not keep it longer than necessary, while at the same time ensuring it is adequately secured.
In most cases, consent is implied if someone gives you their name and address. However, if you possess sensitive information you must obtain the individual’s explicit consent to hold it. This includes information such as a person’s racial or ethnic origins, medical records, religious beliefs, trade union membership, sexual life or criminal records.
Individuals have the right to receive a copy of the data you hold about them within 40 days of asking. You can charge for this, but no more than £10 for each register entry.