I think this presumes a developer knows the law around privacy. I have a passing familiarity with the privacy act in New Zealand, and so I know that collecting data that isn't necessary to do business isn't legitimate, but that is a pretty wide definition.
Generally you will be given a specification and it is up to the company to determine the legal implications in detail.
However, if you are asked to do something you are aware is illegal don't do it. Sometimes it isn't illegal but just very ill advised. For example, when you are given a requirement which is very difficult to do in a secure way but easy to do by 'relaxing' security.
In such situations you need to make it clear to the management what the problem is, what the risks are, and have them make the decision. Clients have asked me to do some ill advised things sometimes. I've always been direct in my communications and usually they reconsider.
Not everything needs to be built like Fort Knox, but certainly weight needs to be given when you are storing critical or confidential data. Sometimes having the client take explicit responsibility for a decision is needed. In one occasion I walked away from a project rather than be implicated in what might follow.
The real question is what happens when the data becomes of interest to law enforcement in a criminal case. That gets interesting from a integrity point of view.
I think that’s the reason government also try to be soft in making these laws. After all it’s the easiest way to track people for them.
We're a place where coders share, stay up-to-date and grow their careers.
We strive for transparency and don't collect excess data.