(a) To cut a long story short, there are eight principles under the DPA that data controllers (people who collect and process personal information) must adhere to. These include things like only collecting as much personal data on an individual as you actually need for the purpose in question (e.g. if a data controller only needs an individual's name and address for a certain purpose, he or she might find it difficult to justify to the information commissioner why they also have information on that person's employment/income/health etc.), only keeping that information for a reasonable period and keeping it confidential.

The Act also gives individuals the right to ask for a Subject Access Request from anyone who holds information about them and who is subject to the Act, whether it be your bank, doctor, employer etc. Obviously, you can only request details of information held relating to you and not anyone else. Data controllers are obliged to withhold any information identifying another individual, unless that individual consents to such disclosure. If a data controller discloses info relating to another individual, they risk getting sued (s.13(1)). Hence, in the examples you mention, the information could not be disclosed.

There is little case law around at the moment to help us see how the courts are interpreting the Act, but this is probably because the Act only came into effect in 2000.

Hope that helps a bit. Good luck in your studies, sounds like you're through the worst bit! I'm sure you'll find it's a really useful and marketable qualification to have.