OK, so I have just figured out how to do it with a session ID on the Data Assist created page, and I have found out that there is a hidden field on the Data Assist created page which holds $_GET['ID'] for the passed URL. Changing that and the recordset to use $_SESSION['SecurityAssist_UserID'] has enabled me to forgo passing a URL variable and thus overcome security issues.
What I want to know is why the page I attached in the first post, which was created by the Security Assist wizard, doesn't have a hidden field with the ID, but the Data Assist Update page does? Why does the Security Assist update page that I attached work with all content on the correct record apart from the checkboxes?
I'm obviously missing something fundamental but probably very simple!
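
The change described in the post above, sketched as an added example (not code generated by Data Assist or Security Assist, and not the poster's page): the update's record key is read from `$_SESSION['SecurityAssist_UserID']` instead of a hidden field or `$_GET['ID']`, so a tampered ID in the request has no effect. The `users` table, its columns, the `newsletter` checkbox, the function name and the in-memory SQLite data are all assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added example. Table, columns and the "newsletter" checkbox are assumptions.
function update_own_profile(PDO $db, array $session, array $post): bool
{
    // The record key comes only from the server-side session; any ID sent in
    // the URL or in a hidden form field is ignored.
    if (empty($session['SecurityAssist_UserID'])) {
        return false; // not logged in
    }
    $userId = (int) $session['SecurityAssist_UserID'];

    $email = filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        return false;
    }
    // Browsers omit unchecked checkboxes from the POST body, so test for
    // presence instead of reading a value.
    $newsletter = isset($post['newsletter']) ? 1 : 0;

    $stmt = $db->prepare(
        'UPDATE users SET email = :email, newsletter = :news WHERE id = :id'
    );
    return $stmt->execute([':email' => $email, ':news' => $newsletter, ':id' => $userId]);
}

// Constructed demo data: in-memory SQLite with two accounts.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, newsletter INTEGER)');
$db->exec("INSERT INTO users VALUES (1, 'a@example.test', 1), (2, 'b@example.test', 1)");

// User 1 is logged in; the request also carries a tampered ID and no checkbox.
$session = ['SecurityAssist_UserID' => 1];
$post    = ['ID' => '2', 'email' => 'new@example.test'];

update_own_profile($db, $session, $post);
foreach ($db->query('SELECT id, email, newsletter FROM users ORDER BY id') as $row) {
    echo "{$row['id']} {$row['email']} {$row['newsletter']}\n";
}
```

In a real page the function would be called with `$_SESSION` and `$_POST` after `session_start()`; the arrays are passed in here so the demo runs from the command line.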