Are you breaching your ongoing duty of care under the Data Protection Act?