Data protection law has been a feature of the UK legislative landscape for 20 years and has arguably had a significant impact on the way in which personal data are held and treated. Although the law does not of itself proscribe personal profiling, data matching and data sharing, controls which have been introduced on the circumstances in which this can lawfully take place have introduced a greater awareness of the possibilities of damage arising out of inappropriate processing. Data matching by government has arguably been treated less stringently in some states than that which occurs in the commercial world and, in the UK, specific enactments expressly allow data matching for a number of purposes independently of the wishes and/or expectations of the data subject[i]. Nonetheless, the now generally accepted principles of informational privacy have been challenged by recent developments advocating data retention by communications service providers for far longer periods than are required for business purposes, and allowing subsequent use of that data for a variety of enforcement purposes not contemplated at the time of collection. On the other hand, the collective interest in a safe society in the context of the perceived threat from terrorism, especially since September 11th has been used to justify this response. This paper will consider the proportionality of the introduction of data retention in the Anti-Terrorism, Crime and Security Act 2001 and the potential effect of the Code of Practice on Data Retention, brought into effect in December 2003, in the context of the existing data protection laws.