exactly Jeff - which brings me right back to first post about utility of a gov approved & certifiable architecture / design pattern for databases containing personal data that would standardize the way we do this and allow standard security tools & tools to be applied. The structure could be included as a requirement within the FOI or other relevant guidelines. There are best practices out there but no standards that i know of...