Prevents unauthorised or inappropriate use of ‘personal data’ held electronically or manually. Individuals (‘data subjects’) are allowed access to information held about them and given redress if the Act is contravened. Organisations (‘data controllers’), unless exempt, must notify the Information Commissioner of the data held and how it is used. They must follow eight data protection principles. Certain breaches amount to criminal offences and in some instances data subjects have the right to damages. Insurresponses arise under public liability, legal expenses, directors’ and officers, and professional indemnity policies (www.dataprotection.gov.uk). ance