Help with the Data Protection Act

Slinwagh said:
I'm not sure that is correct, from my experience you only have to register with the DPA if you are exchanging details with 3rd parties. If the data you collect is for your use only then there is no need to register.

That is what the DPA people told me.
Then they told you incorrectly.

As is always the case, Data Protection is quite a complex area, but the basic situation is:

1) ANYONE processing personal data needs to be registered (notified) with the DP Registrar ...

unless ...

2) .... they fall within one of a fairly limited range of statutory exemptions.

3) One of those exemptions is "domestic purposes", which could broadly be interpreted as what you were told IF it is personal, domestic use to which the data are being put. So a private individual keeping names and addresses, dates of birth, etc. for family and friends doesn't need to notify.

4) What toastyman is talking about is not domestic purposes.

5) There are other exemptions, which toastyman MIGHT come under but, as I said, it's far from straightforward.

6) If you should notify and don't, it is an offence and carries a fine which is level 5 in lower courts (i.e. max £5000) and unlimited in higher courts. It is also a "strict liability" offence ... in other words, it doesn't matter what your "intent" was, you don't need to deliberately commit the offence. Merely failing to notify when you should will be enough. Another example of strict liability is speeding. It doesn't matter whether you noticed you were over the limit, or whether you intended to speed or not. If you do it, you're guilty.


Toastyman, the DPA is quite a complex area, and there are several types of implications, with notification only being the first. Even if you don't need to notify because you fall into one of the exemptions, it doesn't necessarily exclude you from some other responsibilities under the act, like security and due care with data.

Finally, since part of the data you're talking about holding is "sensitive personal data" (i.e. medical data), you come under even more detailed and somewhat onerous provisions of the Act.

I'm not qualified to give detailed advice (and wouldn't do it in a public forum like this if I were), but I will give you this advice .... check this out properly and carefully before going ahead. Especially given that the data will be public-facing, I'd say you need to take the security side very seriously, if for no other reason than that it will be obvious that you're doing the processing.

I would suggest the Information Commissioner's website is a good first stop, and running the notification self-assessment process is probably a good guide. Secondly, get qualified advice, if not from the IC's office then from a lawyer experienced in DP issues. It's better to get advice up-front than a fine and a criminal record.