The UK Data Protection Act (DPA) has a reputation for complexity. Whilst the basic principles are honoured for protecting privacy, interpreting the act is not always simple.
According to the provisions of the DPA, data discovered by one party may only be used by another party for the specific purposes for which they were discovered. Details may only be kept for an appropriate length of time and must not be disclosed to other parties without the consent of the data owner. Schools, for example, may keep information on former pupils for no longer than ten years.
The Act covers all personal data which an organisation may hold, including names, birthday and anniversary dates, addresses, telephone numbers, etc.
Processed fairly and lawfully.
Obtained for specified and lawful purposes.
Adequate, relevant and not excessive.
Accurate and up to date.
Not kept any longer than necessary.
Processed in accordance with the "data subject's" (the individual's) rights.
Reasonably securely kept.
Not transferred to any other country without adequate protection
Source: wikipedia.org