The EuropeanUnion has a strict policy on who is allowed to access ''personal'' information. If you, as an individual or a company, process information about real people, you have to declare: what data you store and/or process; why you process it; who can access it. If you let your developers use ''live'' data for software testing, you might have to justify this to the authorities. In the UK, the initial implementation of the legislation only covered computer based information storage and processing, but now it also covers paper-based (or anything-based) storage and processing.