Is your web host or developer complying with the Data Protection Act?

Published on: 22/09/2010

Are you aware that your website is trawling information concerning your organisation?  Do you think this might be "sensitive"?  Would you pay to have this information for your competitor's websites?  How about intercepting his on-line purchases?

Perhaps your site has no feedback of any sort.  Perhaps it is a bit more sophisticated, with registration forms, purchasing, log in etc.  Whatever degree of sophistication your website provides IT WILL BE GATHERING INFORMATION.

Your website is collecting information every time somebody visits it ... even simple websites.  Whenever a visitor arrives at your website, the web server will automatically collect information concerning the visitor.  For example, the web server will record the visitor's IP address.  You can use this to find out where the visitor is located (not always 100% accurate, but pretty interesting all the same).

Has it struck you that this, and all your precious visitor information, is held on your web server?  Perhaps this is also open to your web developer?

You need to ensure your data is managed securely and within the classifications of the Data Protection Act 1998 ... because it makes business sense and because it is the law.

Webree develop and host web services for many organisations.  Yet we have NEVER been asked for our DPA registration.  The abuse of information collected on your behalf should worry you!  You must insist that all of your contractors who are working on your data are adequately registered.

You also need to think hard about employing companies who themselves utilise contract web development staff.  They will most likely be able to access the data at any time after their contract has expired.  Can you guarantee they can't?  The DPA puts the responsibility for ensuring your data is safe squarely on your shoulders.  So does your business!

Q: I am a data controller wanting to outsource some of our information for processing purposes. What are the data protection implications?

You must choose an organisation that you consider can carry out the work in a secure way and you should check that you are doing this. You should have a written contract with them that lays down how they can use and disclose the information you have entrusted to them. It must require them to take proper security measures.

Our good practice note on Outsourcing - a guide for small and medium sized businesses has more information on this subject.

Check out potential contractors using the online DPA Register

Now this is going to sound like sour grapes ... but it isn't.  We frequently come across clients who have complete e-commerce solutions developed for them by web designers who simply middle man for off-shore web development companies.  Very cheap.  I discussed this with a product import company recently.  They purchased a site for £1,700.  They don't know where the site is hosted, who can access any aspect of the data and what happens to it.  If