If you are collecting personal data, "How should I protect this?" is actually your third question.
"Should I collect this?" is only the second question.
The first question is: "What would the worst people do of they got hold of this?".
But if you must collect data, here is some information about the relevant law:-
Like human rights law, data protection legislation is firmly based on a European law, but this time it is based on a very old and poorly drafted (or at least very dated and highly bureaucratic) EU Directive, which was itself based on 1950s German legislation, reacting to the excesses of the period of Nazi government. The Directive, and hence our legislation, accordingly seeks to protect people, rather than protect data, and so is hard to enforce in these days of electronic data etc.
There are two aspects to this legislation.
The first is the accessibility of personal data to those interested in knowing what has been said and written about them. This applies particularly to employees, including fellow civil servants.
The second is the protection of personal data in general, and by extension the data held on IT systems.
The first and primary aspect of the data protection regime is the more troublesome, given our political masters’ natural tendency to be less than wholly frank with the public and our staff. The law is complex, but it is best to work on the basis that the public and our staff are entitled to know what has been written about them. References provided “in confidence”, for instance, need not be disclosed to the subject by the writer, but the subject can approach the person who received the reference, who then needs to judge whether “it is reasonable in all the circumstances” to disclose it. As with FoI, therefore, the best approach is to be prepared to disclose information and honest views about individuals to those individuals (but to no-one else) – but take advice if you believe that this would be unwise. Also, as with FoI, you might do a lot worse than to start by reading the very helpful good practice notes on the Information Commissioner's website.
Following the events of early 2008, when HMRC lost two discs containing detailed information about all child benefit claimants, there can hardly be anyone in government who is not acutely aware of the second aspect of the legislation, and the need to put a lot of effort into protecting personal data. Put crudely, it needs to be protected just as well as we protect money. Just as you need to learn and comply with the rules which limit the scope for financial fraud so you need to learn and comply with your department’s rules which require the encryption, safe transmission etc. of personal data. If you are handling any form of such data, and don’t understand the rules, then you must ask.
Finally, two general points:-
Data protection legislation trumps FoI legislation, so that you cannot, for instance, provide personal information about an individual, including an employee, in response to an FoI request.
But the legislation does not stop you providing personal information to another authority when it is clearly in the person’s or public interest to do so – for instance if their life or health is in serious danger. Police forces may therefore exchange information about those likely to commit serious offences, and energy utilities can alert the authorities if power or gas is about to be disconnected – unless the householder has explicitly forbidden such a disclosure. So, if faced with an apparent conflict, just apply common sense, and if necessary consult the Information Commissioner’s office. I have always found them to be both helpful and sensible.
Facebook's data breach is discussed here, including a nice 'Butt Inspector' analogy which contains a useful warning to us all.