[LRUG] Data protection, the EU and PAAS suppliers - arrgh!

Kevin Monk kevin at mangoswiss.com
Tue Aug 14 03:31:38 PDT 2012


I'm not sure about the ins and outs of whether Heroku is compliant, but as a supplier for UK public sector orgs we went with Linode's London-based data centre so we wouldn't have to worry about it.

On 14 Aug 2012, at 11:21, Mark Weston wrote:

> Hi there,
> 
> Has anyone who's using or considered using PAAS providers like Heroku got any thoughts about data protection and concerns about transfer of data outside the EU?
> 
> Our amateur reading of the guidelines from the ICO seems to be that if you're processing personal data outside the UK it can be:
> 
> 1) somewhere within the EU/EEA which has equivalent data protection rules.
> 2) in another jurisdiction judged by the EU Commission as having adequate data protection laws (i.e. not the US)
> 3) in the US as long as the data processor has certified compliance with the US - EU 'Safe Harbor' frameworks.
> 4) in the US with a data processor with whom your contract includes standard terms drawn up by the EU to guarantee protections equivalent to EU data protection rules.
> 5) in the US if you can "make an assessment that the level of protection for data subjects' rights is 'adequate in all the circumstances of the case'" (on the basis of the data processors' existing terms of service and policies, or of extra technical measures you take to protect the data, or maybe just by getting users' consent to the transfer).
> 
> We had originally settled on Heroku for hosting our application - until the discussion turned to data protection.  I'm pretty sure (awaiting confirmation) that Heroku aren't Safe Harbor certified, and am sure that they won't agree to a modified contract/terms of service in order to win one small customer.  So that leaves us with option 5, and our business owners are understandably queasy about the idea of making a legal judgement (about the adequacy of Heroku's privacy and data management policies) ourselves and being liable if we turn out to have got it wrong.
> 
> Any Heroku customers here?  How have you dealt with this?
> 
> Mark
> 
> 

Kevin Monk
Technical Director

Mango Swiss Ltd
Westow Hill Studios
45 Westow Hill
Upper Norwood
London SE19 1TS

E: kevin at mangoswiss.com
T: 020 8670 5461
M: 07736 066408





