That's only one of the data protection principles (principle 8). The others still apply, such as principle 7:
> Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
... which I would say has pretty clearly not been followed in this case.
It's probably a breach of many of the other principles, too. For example, principle 3:
> Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
... it's hard to see how the data used was not excessive for the purpose in question.
