Introduction to Website Security
- **General Information:** It may seem redundant, but you should provide a basic summary of your privacy policies before you give all of the specifics. Be sure to include the domain name of your website, even though it is obvious.
- **Contact Information:** Include as much contact information as is appropriate. If your website is a club or other non-commercial site, the contact information may be as limited as an email address. If the policy is used for commercial purposes, such as an ecommerce store, then more information, such as an address, telephone number and email address, is expected.
- **Dispute Resolution:** In the unlikely event that one of your visitors feels that you have somehow violated your own policies, they need to be given a way to contact you or whoever handles your privacy policies. In most cases this is as simple as an email address for the person in charge of your privacy policies.
- **Information Collection:** Here is where you list the specifics of what information you collect and whether or not providing that information is optional. For example, a user's name and email address may be optional, while HTTP header information is logged automatically for statistical purposes without explicit consent from the user, which is not optional. If you intend to implement P3P, you may find it easiest to list the information you collect using the same naming convention as the P3P policy XML file (e.g. `user.home-info.online.email` for the user's home email address). More about P3P in the next section. This section should also include details on who has access to the data that you collect and whether the data is shared with anyone outside your company or organization.
- **Information Recipients:** This is something you will probably already have covered in the Information Collection section above, but it is good practice to repeat it here. Define again who has access to the data that you collect and whether the data is shared with anyone outside your company or organization.
- **Information Retention:** This will probably be the shortest section of your policy. Simply define how long you retain the data that you collect. If need be, break it down into logical sections. For example, personal data may be retained for 2 years while HTTP header data may be retained indefinitely.
- **Opt-in and Opt-out:** This gives the user options for how their information is shared and/or whether their information is retained. All users should have the option of having their personal data removed from your database if they so choose. You can achieve this with something as simple as an email address to which they can send a request, all the way up to an online form that is as complex as you need it to be.
- **Cookies:** Last but not least is the old cookie. Generally this is a reassurance that you will not place any identifiable personal information in a cookie, which, by the way, should be your standard practice. You may also want to include a brief description of what cookies are and what purpose they serve.
Presenting Your Security Policy
The Lazy Method