On 3 Nov 2010, at 15:39, Hassan Schroeder wrote:

> OTOH, while keeping it online in a DB is also a potential exposure,
> it's a lot easier to track access, as well as offer better management
> (auditing, reporting).

If it's actual *sensitive* personal information (UK legal definition: http://www.ico.gov.uk/for_organisations/data_protection/the_guide/key_definitions.aspx ) you really should be encrypting *before* putting it in the db, even if the db has good access controls on it. Score double if your db is on a different box to the webserver - you need to encrypt before it leaves the webserver box.

Cheers

Martin

--
> Spammers: Send me email -> yumyum at easyweb.co.uk to train my filter
> http://dspam.nuclearelephant.com/
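Added example, not part of the message above or of any poster's code: one way to encrypt a sensitive field on the web server before it is sent to the database, using AES-256-GCM from Ruby's standard OpenSSL binding. The `FieldCrypto` module, the `patients.diagnosis:42` context string and the sample value are hypothetical, and it assumes the key is held only on the web server.

```ruby
require "openssl"
require "securerandom"

# Hypothetical helper (not from the thread): encrypts a field on the web
# server so only ciphertext is sent to, and stored by, the database host.
module FieldCrypto
  CIPHER  = "aes-256-gcm"
  IV_LEN  = 12
  TAG_LEN = 16

  # context, e.g. "patients.diagnosis:42", is authenticated but not stored;
  # a blob copied into another row or column then fails to decrypt.
  def self.encrypt(key, plaintext, context)
    cipher = OpenSSL::Cipher.new(CIPHER).encrypt
    cipher.key = key
    iv = SecureRandom.random_bytes(IV_LEN) # fresh nonce per value
    cipher.iv = iv
    cipher.auth_data = context
    ct = run(cipher, plaintext)
    iv + cipher.auth_tag(TAG_LEN) + ct     # layout: iv | tag | ciphertext
  end

  # Raises OpenSSL::Cipher::CipherError if the blob, key or context is wrong.
  def self.decrypt(key, blob, context)
    raise ArgumentError, "blob too short" if blob.bytesize < IV_LEN + TAG_LEN
    cipher = OpenSSL::Cipher.new(CIPHER).decrypt
    cipher.key = key
    cipher.iv = blob.byteslice(0, IV_LEN)
    cipher.auth_tag = blob.byteslice(IV_LEN, TAG_LEN)
    cipher.auth_data = context
    run(cipher, blob.byteslice((IV_LEN + TAG_LEN)..-1)).force_encoding(Encoding::UTF_8)
  end

  # Cipher#update rejects empty input, so empty fields go straight to final.
  def self.run(cipher, data)
    data.empty? ? cipher.final : cipher.update(data) + cipher.final
  end
end

# Constructed sample: what the web server would bind into the INSERT.
if __FILE__ == $PROGRAM_NAME
  key  = SecureRandom.random_bytes(32) # assumption: real key lives only on the web server
  blob = FieldCrypto.encrypt(key, "type 1 diabetes", "patients.diagnosis:42")
  puts "stored column value (hex): #{blob.unpack1('H*')}"
  puts FieldCrypto.decrypt(key, blob, "patients.diagnosis:42")
end
```

The database and anything on the network path between the two boxes see only the `iv | tag | ciphertext` blob; access controls and auditing on the db then protect ciphertext rather than the personal data itself.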