It has been a while since Computing reported on vendors making mandatory and unexpected changes to their commercial terms to the financial detriment of customers.

Searching back through our archives you would find plenty of examples ­ – Microsoft and the controversy over its Software Assurance scheme; Oracle used to be perpetually under fire for its licensing programmes; there were unexpected charges when companies outsourced non-transferable software licences; or even back in the big mainframe days when contractual small print seemed to lead to unfathomable reasons for price hikes.

More recently, there has been much debate over the impact of virtualisation on products historically priced on a per-processor basis.

But in general, these days IT suppliers are much more sensitive to such commercial criticisms, and the rise in active and vocal user groups has helped lead to a more conciliatory process of introducing new terms and conditions.

Yet software licensing, support fees and maintenance pricing remain among the biggest potential causes of fallout in the buyer-supplier relationship. Experienced IT decision-makers still roll their eyes to the heavens when the subject is broached.

For IT managers carefully scrutinising vendor invoices, now is a good time to be wary.

Although most of the biggest suppliers will be insulated from the worst of the current economic uncertainty, if the crunch starts to hurt you can bet a bean-counter somewhere in even your friendliest vendor will be looking to see where they can accrue a few extra pounds.

For any supplier under pressure, the desire to extract every penny from you will become even more acute.

In successful IT companies, when the marketing blurb talks about “partnerships”, that is usually the goal, and many are good at delivering on such a promise.

But ultimately, it remains a commercial relationship, and tough times can lead to unpleasant measures. For IT managers looking to control their own costs, be sure to keep a close eye on those invoices.

When the anonymous civil servants who drafted the Data Protection Act (DPA) in 1998 set about their work, they were smart enough to realise that the world of computers was likely to evolve considerably.

Keeping the law up to speed with the pace of technological change was always going to be a challenge, and the principles-based approach that underpins the DPA has worked well. Precedents set through case law have allowed the Act to encompass technical developments ­ although Marks & Spencer’s challenge to the Information Commissioner’s enforcement of laptop encryption represents a new test.

But even such legal foresight was unlikely to have taken into consideration the internet, cheap storage, USB drives, broadband, social networking and all the data-intensive applications upon which modern business life depends.

So it is right to heed the calls for a review of the DPA that will see it through its next decade.

But today, law enforcement is not enough to securely protect data. A new DPA needs to go hand in hand with best practice IT management.

When the DPA came into force in March 2000, the article in Computing concentrated on the specifics of the new law and the challenges it posed for IT departments.

Any similar feature now would cover the legal aspects in just a few lines. The complexity of the IT protecting people’s personal information has increased exponentially. And with it, the awareness of identity theft and the potential for misuse of our data has grown in parallel.

Self-regulation and self-discipline are now just as important as legislation.

Every employee needs to be constantly reminded to protect corporate data as if it were their own. And processes such as information lifecycle management need to sit alongside all the security procedures necessary to treat our information with the care we each wish it to be handled.

A review of the law is timely. The review of your IT management practices should be constant.

The oldest and truest cliché about data privacy is that technology is both the problem and the solution.

This is the cleft stick in which the government finds itself when it comes to the use of information in the growing number of databases storing our personal details.

There have already been murmurings that ministers want to relax elements of the Data Protection Act to allow further cross-matching of data in different Whitehall systems.

Where such a practice has been put in place, there have been successes. For example, cross-referencing between visa applications and the police fingerprint database has led to the arrest overseas of people that committed crimes in the UK.

Perhaps the highest-profile example is the car tax disc web site, which combines information on MOT results and motor insurance details to deliver one of the better online public services.

But the downside of this cross-matching has privacy campaigners up in arms.

What might the government learn about each of us were it to piece together fragments of our lives scattered across disparate departmental databases?

The fundamental principle of data protection legislation is that personal data should only be used for the purpose for which it was originally recorded. Excessive cross-matching would be a clear and controversial infringement ­ but you can be sure the government will look for more situations where it can claim that the benefits outweigh the risks.

The difficulty will come from the fact that trust in the way government uses our data is at an all-time low. HM Revenue & Customs has been told in no uncertain terms that it must develop a culture of information security and data protection as the price of the failings that led to the loss of CDs containing 25 million child benefit records.

The rest of government needs to learn the same lesson ­ as do corporations. The potential benefits of information sharing, cross-matching and data mining are real ­ but the risk can only be justified when the right culture and processes are in place.