The Data Protection Act sets rules for processing personal information and applies to personnel records as well as those held on computers. It also covers both facts and opinions held about the individual. There is no exemption from the legislation for small companies.

Anyone processing personal data must comply with the eight enforceable principles of good practice. They say that data must be: 

• Fairly and lawfully processed

• Processed for limited purposes

• Adequate, relevant and not excessive

• Accurate

• Not kept longer than necessary

• Processed in accordance with the data subject's rights

• Secure

• Not transferred to countries without adequate protection.

Please note:  The Information commissioner has published a number of codes of practice which give advice on a range of Data Protection issues.  In total these run into several hundred pages.  In this website we have picked out what we think is a sensible course for small businesses but it may not fully comply with the Commissioner's views.  Full details of the Codes of Practice are available on their website (link given opposite).