How Technology Can Help

Personnel Today, 24th May 2005

Earlier this month, US media giant Time Warner told 600,000 current and former employees that their personal information had gone missing.

In the UK, under the Data Protection Act (DPA) 1998, employers are ultimately responsible for the use - and possible abuse - of data. An organisation could be fined if the wrong person was allowed to see the wrong part of an employee’s record.

However, employers are not alone in having to keep on top of data protection issues. Technology providers are also working to respond to legislation that affects their systems - in the UK and around the world.

"It is a very complex task to keep track of every piece of legislation - especially on a global scale," says Sudhir Jha, manager for enterprise application services at Bangalore-based Wipro Technologies. "The laws are reinterpreted almost on a monthly basis. A company may have multiple data systems covering their people and if one of those systems is not robust, their entire data is at risk," he says.

To overcome this problem, an HR system holds an employee’s record in one place, but allows access to different parts of that data to different people within the organisation. At the same time, under the Freedom of Information Act, the system must allow an employee to have complete access to all data held about them.

Instead, the Snowdrop system uses a programme that checks for data which might require deletion and flags it up for HR managers. "It’s easy to overlook this side of data management and be in breach of the legislation," he says.

Richards confirms that technology providers do reflect changes in the law in their systems, either by installing updates or advising customers of potential risks. "It can be difficult with existing customers," he admits. "We need to be particularly vigilant as there can be multiple versions of the same product sold over a number of years - and you can’t force buyers to upgrade." In these cases, Snowdrop will warn users of a likely ‘administration burden’ connected with legislative changes.

Falling foul of the DPA brings a maximum penalty of £5,000, which if applied to each individual breach across a badly managed set of employee records could prove expensive. However, according to the Information Commissioner’s Office, this outcome is extremely unlikely.

"A reported breach would be investigated and, if proved, the commissioner would issue an enforcement notice requesting the practice to be changed," says a spokesperson. "That is generally enough to put things right, as people don’t deliberately breach the Act - usually, they don’t realise they are doing it."

To date it has not been necessary to levy any financial penalty on an
organisation. The commission is run on the belief that the DPA is not
intended to catch people out but to improve the way information is handled.
As long as organisations show a commitment to that improvement, there’s
no reason to take further action.