Looking again at BIP 0002 it would appear that Principle 1 DPA may often supply the legal rules which apply restrictions. The publication actually uses the electoral register as an example - maybe its subliminal rememberance that I also did so :-)) BIP 0002 discusses whether data subjects might anticipate that their data might be used for testing - i.e. whether that purpose is obvious or whether data subjects need to be informed before the processing takes place. I would commend the BIP 0002 publication to anyone wrestling with this problem (I have no connection with BSI other than as an employee of a customer). Regards, Graham ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ All archives of messages are stored permanently and are available to the world wide web community at large at http://www.jiscmail.ac.uk/lists/data-protection.html If you wish to leave this list please send the command leave data-protection to [log in to unmask] All user commands can be found at : - http://www.jiscmail.ac.uk/help/commandref.htm Any queries about sending or receiving message please send to the list owner [log in to unmask] (all commands go to [log in to unmask] not the list please) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^