The Data Protection Act 1998 governs the use of personal information through the eight data protection principles. These principles require that personal information is: processed fairly and lawfully processed for limited purposes adequate, relevant and not excessive accurate and up to date not kept for longer than is necessary processed in line with the rights of individuals secure not transferred to other countries without adequate protection The definition of processing is wide and covers virtually any action carried out on a computer. This includes obtaining, recording, holding, processing and analysing personal information. If you are processing personal information covered by the Act, you and your staff must comply with the data protection principles. Complying with the principles is largely a matter of common sense and you may well be meeting the requirements already. Data security Your business must have appropriate security measures in place to protect personal information against unlawful or unauthorised use or disclosure. If your Company handles public data then you will be required to comply with the data protection act and register for notification.