The 1998 Data Protection Act in the UK largely restates existing good practice: individuals have a right to know what data are held about them and why; and those processing data have a duty to proceed with fairness and transparency, maintain high data quality and keep data secure. Some health researchers have criticised the Act, seeing it as a legal minefield, unnecessary bureaucracy and interference from the European Union. This criticism is largely based on misconceptions. Recent guidance from the Information Commissioner aims to assist researchers by advising how legal requirements can be met through anonymisation of data, attention to data-processing methods and fair collection of data. The Act provides a clear framework of rights and responsibilities that should be embraced with enthusiasm rather than with the reluctance of a person forced to carry out a meaningless chore.