If you hold any data about a living person then you are subject to the Data Protection Act and as such are required by law to protect and use it in a prescribed set of ways. Public perception tends to be that the act only applies to public and government bodies but it does in fact cover any organisation that holds electronic records.

That the data is used responsibly and for certain purposes is a matter for marketing and PR. Storing the data securely and protecting it is a matter for I.T. In the majority of cases this comes under the security you would have over any company network: ensuring that firewalls are in place and maintained, and that staff in general keep their passwords and workstations secure. This kind of protection also needs to be applied to any mobile or external devices brought into the workplace. Anything that can connect to the network should be subject to the same safeguards as a workplace machine, and if it cannot be made secure then the connection should be refused. This can be problematic and it might sound extreme, but any connection is a potential access point and no one can guarantee their device is 100% clean and protected.

Another factor to consider is that the act gives an individual the right to view any material an organisation holds about them. In practice, this means making sure that the data you hold is properly archived and maintained. It doesn’t just come down to simply keeping folders and drives clean but also to keeping backups and archives up to date, even version numbering files and documents, so that you can demonstrably prove that all the data being produced is the sum total held for a particular individual.

Perhaps the best way to approach this is from the other side’s point of view. If you were trying to find out what a company knew about you as a private citizen you would want them to make every effort to store that data safely and present it in its entirety when asked. It’s difficult in those circumstances not to hold yourself to the same standard.