> If it's actual *sensitive* personal information
> (UK legal definition: http://www.ico.gov.uk/for_organisations/data_protection/the_guide/key_definitions.aspx )
> you really should be encrypting *before* putting it in the db, even if the db has good access controls on it.
>
> Score double if your db is on a different box to the webserver - you need to encrypt before it leaves the webserver box.

+1 to the above. If it's info *about* someone else you need to show that you are registered as a data controller. I think it's a small figure per yr, worth doing if that's what the OP is about.

--
rgds, Alex
bit.ly/my-posts
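The advice above (encrypt on the webserver, so the database only ever holds ciphertext) as an added worked example. This is not code from either poster; it assumes Go with the standard-library AES-GCM, a key loaded only on the webserver (from an env var, secrets file or KMS, never stored in the db), and a hypothetical `FieldCipher` helper that binds each value to its row identifier as associated data so a ciphertext copied between rows, or edited in the table, fails to decrypt. The in-memory map stands in for the database table.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// FieldCipher encrypts individual sensitive columns on the webserver before
// they are sent to the database. The key is assumed to be loaded on the
// webserver only (environment variable, secrets file or KMS) and is never
// stored in, or sent to, the database box.
type FieldCipher struct {
	aead cipher.AEAD
}

// NewFieldCipher wraps a raw AES key (16, 24 or 32 bytes) in AES-GCM.
func NewFieldCipher(key []byte) (*FieldCipher, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &FieldCipher{aead: aead}, nil
}

// Seal encrypts one field value. The row identifier is bound as associated
// data, so a ciphertext copied from one row into another will not decrypt.
// Stored layout: nonce || ciphertext || GCM tag, all opaque to the database.
func (f *FieldCipher) Seal(rowID string, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, f.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext+tag to the nonce slice passed as dst.
	return f.aead.Seal(nonce, nonce, plaintext, []byte(rowID)), nil
}

// Open decrypts a value read back from the database for the given row.
// Any modification of the stored bytes, or a wrong rowID, returns an error.
func (f *FieldCipher) Open(rowID string, blob []byte) ([]byte, error) {
	n := f.aead.NonceSize()
	if len(blob) < n+f.aead.Overhead() {
		return nil, errors.New("stored value too short to be a sealed field")
	}
	return f.aead.Open(nil, blob[:n], blob[n:], []byte(rowID))
}

func main() {
	// Constructed demo key; a real deployment loads it from a secret store.
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	fc, err := NewFieldCipher(key)
	if err != nil {
		panic(err)
	}

	// The "database" is a map standing in for a table; it only ever receives
	// ciphertext, so a db-side read (backup, DBA, SQL injection) yields
	// nothing useful without the webserver's key.
	db := map[string][]byte{}
	sealed, _ := fc.Seal("user:42", []byte("blood group O-, HIV positive"))
	db["user:42/health"] = sealed
	fmt.Printf("stored: %x\n", db["user:42/health"])

	pt, err := fc.Open("user:42", db["user:42/health"])
	fmt.Printf("read back for user:42: %q err=%v\n", pt, err)

	// Moving the blob onto another user's row fails authentication.
	_, err = fc.Open("user:99", db["user:42/health"])
	fmt.Println("read as user:99 err =", err)
}
```

Two caveats a practitioner would want alongside this: an encrypted column cannot be searched or indexed by the database, so only encrypt the fields that actually need it; and the hard part is now key management on the webserver (rotation, and keeping the key out of the same backups as the db), which this example does not address.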