Ok sorry to be really annoying, but you need to be aware that a lot of this data is potentially covered by the Data Protection Act 1988.This Act covers Personal Data:
Any data which can be used to identify a living person. This includes names, birthday and anniversary dates, addresses, telephone numbers, Fax numbers, e-mail addresses etc. It only applies to that data which is held, or intended to be held, on computers (‘equipment operating automatically in response to instructions given for that purpose’), or held in a ‘relevant filing system’.
It should be noted that an ordinary paper diary can be classified as a ‘relevant filing system’ if it can be demonstrated that the diary is used to support commercial activities (eg, a Salesperson’s diary).
The eight principles of Data Protection are:
Data may only be used for the specific purposes for which it was collected. Data must not be disclosed to other parties without the consent of the individual whom it is about, unless there is legislation or other overriding legitimate reason to share the information (for example, the prevention or detection of crime). It is an offence for Other Parties to obtain this personal data without authorisation. Individuals have a right of access to the information held about them, subject to certain exceptions (for example, information held for the prevention or detection of crime). Personal information may be kept for no longer than is necessary. Personal information may not be transmitted outside the EEA unless the individual whom it is about has consented or adequate protection is in place, for example by the use of a prescribed form of contract to govern the transmission of the data. Subject to some exceptions for organisations that only do very simple processing, and for domestic use, all entities that process personal information must register with the Information Commissioner. Entities holding personal information are required to have adequate security measures in place. Those include technical measures (such as firewalls) and organisational measures (such as staff training). The Act is structured such that all processing of personal data is covered by the act, while providing a number of exemptions in Part IV. Notable exemptions are:
Section 28 - National security. Any processing for the purpose of safeguarding national security are exempt from all the data protection principles, as well as Part II (subject access rights), Part III (notification), Part V (enforcement), and Section 55 (Unlawful obtaining of personal data). Section 29 - Crime and taxation. Data processed for the prevention or detection of crime, the apprehension or prosecution of offenders, or the assessment or collection of taxes are exempt from the first data protection principle. Section 36 - Domestic purposes. Processing by an individual only for the purposes of that individual’s personal, family or household affairs is exempt from all the data protection principles, as well as Part II (subject access rights) and Part III (notification). You need to go through the list and let me know if the exemptions apply etc…If I think of any other legal/compliance stuff, Ill let you know…