The Data Protection Act 1998 ('the Act') regulates how and when information relating to individuals may be obtained, used and disclosed.

The Act also allows individuals access to personal data relating to them, to challenge misuse of it and to seek redress. Enforcement of the Act is through the Information Commissioner ('the Commissioner').

The Act places a duty on any person or organization that holds personal information about living individuals (ie personal data) on computer or in certain manual data systems (or has such information processed on computer by others) to comply with the eight data protection principles and to notify the Commissioner about the processing carried out.

Failure to notify is a criminal offence. However there are a number of exemptions from the notification requirement of the Act for individuals and organizations that make only limited use of personal data.

The Commissioner has produced a self-assessment guide to determine whether notification is necessary (available at www.dataprotection.gov.uk).

Remedies for misuse of personal data include compensation if the individual has suffered damage, rectification or destruction of inaccurate data and the right to request a review by the Commissioner of whether the Act has been contravened.

.