data protection

[huzzi]

If you have a registration page on your site where you collect people's home address, telephone, email etc.. i am talking about a site hosted on a server, not on your own decided server.

what do you do about user's data protection?

[Not sure if i posted it on the right forum]

 

[Webstuff]

If you're storing it in a mysql db, you simply make sure that db is only accessible for you. (IE; make sure its username password isn't something simple like "root"/"root"). If you're with a good server (and if you've given them your credit card info for payment, chances are you trust them), the data can pretty much be considered to be "secure". So long as you aren't storing credit card numbers, etc, a secure socket layer and advanced encryption methods might be a bit of overkill.

 

[huzzi]

Only personal details, not credit card information.

What about stopping the hosting company's system admin looking at your databases? I know they got better things to do than looking at clients databases.

 

[Webstuff]

Unless its a really small or really untrustworthy company, you probably won't have a problem. As I've said; you can encrypt the data, but then of course encryption methods will have to be stored either on your server, or on another server where someone can look at them, if they're so inclined.

 

[Ozzy]

If you are taking/storing ANY information that makes it possible to identify who the person is you MUST register with the DPA (Data Protection Act).
It is only £35 a year so not bank breaking, but if you don't you're in trouble. Also, once you register ignore all the dodgey junk mail you get from companies saying you have to register in this directory, or that system and so on!

 

[huzzi]

Thanks Richard,

Do i need to register with the DPA when the information will be kept on the hosting server? i thought the dpa thing applies to a company.. i am talking about data protection on a hosting server.

 

[Ozzy]

You will be running this as a business because you will be making money out of it, so yes you will need to register with the DPA.
Also, and this needs checking, but you will only be able to host it in the UK if it is UK individuals you are wanting to host details of on the server.

 

[annethedonn]

http://www.hmso.gov.uk/acts/acts1998/19980029.htm

Check this out it explains what the DPA is. I have been in touch with them about what I store on my computer and they said I probably didn't have a need for it so it's best to contact them in my opinion!

 

[Webstuff]

Ozzy, I'm sorry if I'm wrong, but I thought the DPA only applied to "sensitive" information (ie; medicines someone takes, criminal record, etc), and not to normal "census" type data (name, address, listed phonenumber, etc)...? Could someone correct me on this?

 

[vigo]

The DPA applies to any identifable information - this covers name, email address, phone number etc, basically everything. You can store identifiable data outside the EU if the country is approved under the EU/GB data protection laws or the company operates under the conditions of the UKs "safeharbour" scheme. Otherwise you may store the data but you must gain what lawyers call affirmative consent - on a website this is normally demonstrated by showing a privacy statement (which would have to match the policy of your hosts all the way up the line) and having the user tick a box before any data is taken.

 

[Webstuff]

vigo, thanks for that, I didn't realize!

 

[vigo]

No problem Webstuff. I went to a seminar last year which covered, among other things, the DPA in the global marketplace (ie the internet). Very useful stuff to know!

 

[Ozzy]

Both useful to know and at the same time with big consequences if you dont abode correctly.