
Storing Personal Information Dos and Don'ts [closed]

Tags:

security

I run a small PHP/MySQL website for a camera club where users can upload photos. I have recently started storing email addresses for doing password resets.

My question is what is the best practice for dealing with users' personal information: are there any laws/legislation regarding what I can do with personal information? Do I need to display my policy for dealing with personal information?

Any further information regarding this subject is greatly received.

Thanks

Simon Foster asked Oct 18 '08 17:10


2 Answers

IANAL, but after studying the regulations, consider the privacy policy from your users' point of view. They probably want to know what you are going to do with the information, and also what you are doing to protect their information from unauthorized use by others into whose hands it could fall.

For example, do you intend to use the email addresses for sending them promotional messages? Do you have an opt-out policy? Would you ever consider selling your email list? It could have some commercial value due to the special interest (photography) of the users. Can you promise never to sell their email addresses? Or if you can't promise that, can you promise to warn them before you do that?

Would you ever release personal information about the user who posted a particular photo? Even an innocuous-looking photo of a couple or a child could have unforeseen consequences if the identity (and location) of the photographer were revealed.

Think also of the viewpoint of the club leadership. They don't want to get in trouble with their club members because you have released (or sold) their personal information, or the club's membership list.

To earn the trust of the club leaders and members, consider stating your policy clearly. Mention that the policy might change. You could give the member the option of declaring that all of their personal information will be kept confidential.

If you are seeking to expand your website, you will benefit from having your users' trust.

DOK answered Oct 04 '22 00:10


You have rules about storing credit card information. About personal information such as name, telephone, etc., I think it depends on the country. In Australia, for example, they have a specific act about it: http://www.privacy.gov.au/publications/ipps.html. You must check in your country. Here in Germany, we are having a lot of trouble with information leakage.

VP. answered Oct 04 '22 02:10