Hi all, We're about to launch a CRM for one of our clients, that allows them to add/remove/edit fields dynamically in the database, as well as their website, for data capture and profiling etc... Now, they're leasing the server from us, so we are still responsible to an extent for data they are holding. It recently came up in a meeting with regards to liability, if they were to breach the data protection act in anyway. Example being, they want to hold user's passport details in the CRM. Can anyone recommend a good dumbed-down resource online which outlines what information you legally can and cannot hold online in a date store? Many Thanks, D.