According to the security expert Bruce Schneier, 'data is the pollution of the information age'. It hangs around and although it is 'valuable when reused...it must be done carefully'.
If you are processing personal data
Solicitors processing personal data need to formally notify the Information Commissioner.
As recently as May 2009 a firm of solicitors was prosecuted by the Information Commissioner's Office (ICO) for failing to do so.
The Law Society recently published practice notes on data protection and information security to explain all the issues - a good starting point for firms wondering how to take care of the personal data they hold.
In relation to both areas, the practice notes advise appointing someone to take responsibility for data issues and having a written policy.
Re-using personal data for AML
The question of reusing personal data for AML purposes is a difficult one. The ICO has issued a data protection code of practice.
The guide discusses the use of personal data available on the internet and the question of telling people about information collected from other sources. Both issues are worth a look.
And the short answer to the question of reusing data? There isn't one. What's important is that you comply with the Data Protection Act and the principles of fair processing in particular.
One way of tackling this issue is to go back to basics. Appointing someone to take responsibility for data protection and drawing up a written policy are good starting points.
As Bruce Schneier points out, the future is being brought to us 'not by some 1984-like dystopia, but by the natural tendencies of computers to produce data.' Personal data can turn toxic if it is not well managed.
Personal data guardianship code
The British Computer Society and Information Security Awareness Forum launched a personal data guardianship code (endorsed by the Information Commissioner's Office) on 1 June.
Timothy Hill is the Law Society's Programme Manager