The Data Protection Act - Registration

The following information is adapted from the official UK data protection website. The guidelines given below are not the full set of guidelines - you should only use the information below as an introduction to some of the data protection registration issues. The information was adapted from the official website in early 2005. For full unabridged up-to-date information please visit their website.

 

Order processing software, such as TOPS ©, incorporates a customer database.

 

If you store your customer details in a database then by law you must register this activity in order to conform to the UK Data Protection Act 1998 and its registration requirements. It is quite simple and easy to do, and costs around £35 for a two-year period. Normally your solicitor would advise you to do this when setting up your business. However, you might have found yourself in business without setting yourself up so formally, and registration may have been overlooked.

 

The Act aims to promote high standards in the handling of personal information and so protect the individual's right to privacy. It applies to firms holding information about living individuals in electronic format and, in some cases, on paper. You must follow the eight data protection principles of good information handling.

 

These data protection principles say that personal information must be:

  • Fairly and lawfully processed;
  • Processed for specified purposes;
  • Adequate, relevant and not excessive;
  • Accurate and, where necessary, kept up to date;
  • Not kept for longer than is necessary;
  • Processed in line with the rights of the individual;
  • Kept secure; and
  • Not transferred to countries outside the European Economic Area unless the information is adequately protected.

 

The Act covers any information that relates to living individuals which is held on your computer. For example, this may include information such as name, address, date of birth and opinions about the individual or any other information from which the individual can be identified.

 

The processing of personal information, so far as the Act is concerned, includes obtaining, disclosing, recording, holding, using, erasing or destroying personal information.

 

The Act requires the Information Commissioner to maintain a Register of:

  • Certain data controllers (broadly speaking, firms and others who are responsible for processing information); and
  • The purposes for which they use personal information.

 

If you hold and process information about individuals who are customers, employees, suppliers, clients or other members of the public, you may need to join the Data Protection Act Register. This is called 'notification'. Not everyone has to notify - for example, you may not need to notify if you only process personal information for core business purposes such as your own marketing, staff administration and accounting, although you should check with the Data Protection Registration Notification Helpline on 01625 545745. You DO need to notify if you process personal information for purposes such as accounting or auditing, crime prevention and prosecution of offenders, pensions administration, mortgage / insurance broking or insurance administration.

 

Please note: Beware of bogus agencies requesting payment for data protection registration. There is no connection between the Information Commissioner and such agencies. You are advised not to reply or make any payment to them but to tell the local Trading Standards Office instead. Remember the standard fee for notification is only £35.

 

Individuals have a right under the Act to get a copy from you of the information you hold about them on computer, and in some manual filing systems. This is known as the right of subject access. If you do receive a subject access request, you must deal with it promptly and in any case within 40 days of the date of receiving it. You should send the individual a copy of the personal information you hold on them and certain other details of your processing. You can charge a fee of up to £10 for responding to a request.

 

There are some circumstances where you need not supply personal information and there are also circumstances where you need not give information about other people.

 

Compliance with the Act also makes good business sense. For example:

  • Sending out a mailing from incorrect or out-of-date records could not only annoy your customers, but also waste time and money.
  • Good information handling can improve your business's reputation by increasing customer and employee confidence in you.
  • Good information handling should also reduce the risk of a complaint being made against you. Every day members of the public contact the Information Commissioner with enquiries about the way their information is handled. They can also ask the Information Commissioner to assess whether particular processing is likely or unlikely to comply with the Data Protection Act.
  • What's more, if you are not processing information in line with data protection requirements, and an individual suffers damage as a result, then that individual may seek compensation for the damage through the courts.

 

The Act also gives us all certain rights as individuals, including the right to see information that is held about us and to have it corrected if it's wrong.

 

Failure to notify or renew a notification when you are not exempt from notifying is a criminal offence. The Information Commissioner could also take enforcement action to make you bring your processing into line with the data protection principles. Failure to comply with an enforcement notice is also a criminal offence. An individual may seek compensation through the courts for any damage suffered. Your business's reputation and finances could be affected.

 

You need to make sure that you and all your staff follow the eight data protection principles. These principles are central to the Data Protection Act, and everyone who handles personal information must abide by them. You also need to find out whether you need to notify the Commissioner of certain details about your processing.

 

 

 

Data Protection Act Registration

Information Commissioner's Office

Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF