A summary of the Data Protection Act 1998
The Data Protection Act sets out eight protection principles which form the legislative framework and with which a data controller must comply.
1st: Personal data shall be processed fairly and lawfully.
2nd: Personal data shall be obtained only for one or more specified and lawful purposes.
3rd: Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
4th: Personal data shall be accurate and, where necessary, kept up to date.
5th: Personal data processed for any purpose shall not be kept for longer than is necessary for that purpose.
6th: Personal data shall be processed in accordance with the rights of data subjects under the Act.
7th: Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of or damage to personal data.
8th: Personal data shall not be transferred to a country or territory outside the European Economic Area…

IMPORTANT - Interpretation of the 7th principle
10. The data controller must take reasonable steps to ensure the reliability of any employees of his who have access to the personal data.
11. Where processing of personal data is carried out by a data processor on behalf of a data controller, the data controller must in order to comply with the seventh principle-
(a) choose a data processor providing sufficient guarantees in respect of the technical and organisational security measures governing the processing to be carried out, and
(b) take reasonable steps to ensure compliance with those measures.

12. Where processing of personal data is carried out by a data processor on behalf of a data controller, the data controller is not to be regarded as complying with the seventh principle unless-
(a) the processing is carried out under a contract-
(i) which is made or evidenced in writing, and
(ii) under which the data processor is to act only on instructions from the data controller, and
(b) the contract requires the data processor to comply with obligations equivalent to those imposed on a data controller by the seventh principle.

BREACHES OF THIS ACT MAY RESULT IN CRIMINAL PROCEEDINGS AGAINST THE DATA CONTROLLER AND THE AWARD OF FINANCIAL COMPENSATION TO THE DATA SUBJECT IN RESPECT OF PERSONAL DATA WHICH NOW INCLUDES DATA IN A 'RELEVANT FILING SYSTEM', NOT JUST COMPUTERS.