For Ash et al
Some relevant bits of the Data Protection Act 1998
Part 1 Section 1
"personal data" means data which relate to a living individual who can be identified-
(a) from those data, or (b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller.
[Your ISP is a good example of this. On it's own it's nothing, when someone has access to your BT account details like ermm...BT then it's personal.]
"processing" in relation to information or data, means obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data, including-
(b) retrieval, consultation or use of the information or data,
(c) disclosure of the information or data by transmission, dissemination or otherwise making available.
Schedule 1
Part 1
The Data Protection Principles [There are 8 but you can Google for the Act itself]
1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless- (a) at least one of the conditions in Schedule 2 is met [e.g. you've given your consent], and (b) in the case of sensitive personal data [i.e. medical info, gender or ethnicity etc], at least one of the conditions in Schedule 3 is also met [e.g. you've given EXPLICIT consent and it's not carried out for profit].
[Breach of the Principles is ultimately enforceable by court order to cease processing and a possible fine, although the maximum fine is only £5K and BT probably think it's worth the risk that of couple of fines versus whatever they're making from the Phorm deal]
Part 2
INTERPRETATION OF THE PRINCIPLES
The first principle
1. - (1) In determining for the purposes of the first principle whether personal data are processed fairly, regard is to be had to the method by which they are obtained, including in particular whether any person from whom they are obtained is DECEIVED OR MISLED as to the PURPOSE or purposes for which they are to be processed. [my emphasis]
2. - (1) Subject to paragraph 3, for the purposes of the first principle personal data are not to be treated as processed fairly unless- (a) in the case of data obtained from the data subject, the data controller ensures so far as practicable that the data subject has, is provided with, or has made readily available to him, the information specified in sub-paragraph 2. - (3) The information referred to in sub-paragraph (1) is as follows, namely-
(a) the identity of the data controller, (b) if he has nominated a representative for the purposes of this Act, the identity of that representative, (c) the purpose or purposes for which the data are intended to be processed, and (d) any further information which is necessary, having regard to the specific circumstances in which the data are or are to be processed, to enable processing in respect of the data subject to be fair.
[This should be a useful starting point for the Data Protection Act - there's probably more stuff I could include but I should actually be working]