The law in the UK states that everyone is responsible for using personal data and has to follow rules called 'data protection principles'. 

They must make sure all personal information is: 

• Accurate and, where necessary, kept up to date
• Kept for no longer than is necessary
• Handled to ensure security, including protection against unlawful or unauthorised processing, access, loss, destruction or damage
• Used fairly, lawfully and transparently 
• Used for specified, explicit purposes
• Used in a way that is adequate, relevant, and limited to only what is necessary

Other people's data should be treated as you would want your own to be treated - used only for what is necessary, and not be passed to other organisations.