Organisations that process personal data, whether held on paper or on computer, need to do so in line with obligations placed on them by various pieces of legislation such as the Data Protection Act, Freedom of Information Act, which came into force on January 1, 2005, and the Privacy and Electronic Communications Regulations.The Data Protection Act 1998, which came into force on March 1, 2000, sets out rules for processing personal data including your name, address and date of birth, as well as your opinions and other information that could identify you. It requires that the controller of the data, which in this case is my financial advisory firm, complies with the rules of good information handling practice, known as the eight data protection principles. Data must be fairly and lawfully processed; processed for specified purposes; adequate, relevant and not excessive; accurate and, where necessary, kept up to date; kept for no longer than is necessary; processed in line with your rights;kept secure and not transferred to countries outside the European Economic Area unless it is adequately protected. A firm which holds relevant data needs to notify the Information Commissioner that they are a data controller. The Information Commissioner exists to police the rules to “promote public access to official information and protect your personal information”. The Information Commissioner’s helpline can be contacted on 01625 545745 or at www.inf oramtioncommissioner.gov.uk. As a financial advisory firm, we are not exempt from registering and complying with the data protection rules. We pay an annual fee to be a member of the data protection register and face fines of up 5,000 if we do not comply its rules. You have the right under the Data Protection Act to ask for a copy of the information my firm holds on you either on our computers or on manual systems. We need to provide you with this information in 40 days and are allowed to charge you a 10 fee for the time taken to retrieve the information. In many instances, we need to pass your information to an insurance company, bank or investment house. You usually supply this on an application form that is necessary for the policy or investment contract to be issued to you. A case concerning personal data being passed to a call centre of a British bank in India is going through the courts. It resulted from a complaint made to the Information Commissioner about data protection. The outcome is not yet known. Another instance where financial services companies need to ensure they comply with the data protection rules is when investigations take place to find out information about people complaining or believed to be submitting fraudulent claims. If the data protection rules are broken, the company handling the data could be held legally responsible. The rules covering data protection are complex and specialist lawyers are often required to provide expert guidance. As a business owner, you need to be aware that the rules for data protection are continually updated. Updates were issued in December 2004 with the publication by the Information Commissioner of the Employment Practices Data Protection Code Part 4: Information about Workers’ Health. This provides guidance to employers on complying with the Data Protection Act in relation to such measures as pre-employment health questionnaires, drug and alcohol testing and sickness records. Under the Data Protection Act, information about an individual’s health is categorised as sensitive data and extensive rules apply as to how it may be collected, stored and used. Workers should be informed if information about their health is collected or stored by their employer and how it is to be used. They have the right to access information about their health that their employer holds. I hope I have eased your concern and highlighted some of the rules that all firms need to be aware of.