The Data Protection Act (1998)
There is a requirement to register.
Data must be:
1. Obtained and processed fairly and lawfully.
2. Held for specified (limited) and lawful purposes.
3. Adequate, relevant and not excessive.
4. Accurate and up-to-date.
5. Not kept longer than necessary.
6. Processed in accordance with the data subject's rights.
7. Kept secure.
8. Not transferred to countries outside the EEA without adequate protection.