Hi
Just saw this today. I would suggest (and I am no legal expert so you would have to get these opinions confirmed by an appropriate person/organisation) that the limits to the application of the DPA depend very much on both the purpose of your site, the nature of the personal information you are gathering and the subsequent purposes to which you will put the data.
Classically I understand that if you were to request core personal demographic data (i.e. age, dob, income rations and all that malarkey) for a “Social Connections” site then you would need to ensure the elements of both your security and PURPOSE are clear to the users.
Data Protection is largely concerned with the false gathering and/or use of data i.e. asking for it for one purpose and using it for another – selling it on to a third party without notification. Essentially it aims to protect people from having their personal information willfully (or negligibly I think) shared with third parties.
So essentially you’d need to be clear for WHAT purpose you were gathering the information, what it would be used for, who it would intentionally be shared with and crucially, that the user provides the information of their own free will in clear knowledge of the above.
You also need to have a robust procedure in place for gathering, securing and deleting personal information.
That said, I do not think that individual websites have to register with the DPA unless certain thresh holds are met which I am unaware of. If you are seriously concerned that you might need to engage more fully with the DPA then, check out the following websites at:
http://www.ico.gov.uk/
http://www.ico.gov.uk/for_organisations/data_protection.aspx (Good publications here)
and
http://www.ico.gov.uk/for_organisations/privacy_and_electronic_communications.aspx
There was also some recent EU stuff on cookies used on websites which might be worth digging into.
Hope that helps!
