I'm not sure any additional legislation would be needed. Just make sure that information is only used for the purposes for which it was collected, kept securely and for no longer than necessary for the original purpose.
All it needs is somebody in charge who understands this and has the ability and determination to ensure that it's adhered to.
Biting the hand that feeds IT
