Mon, Sep 28 2009 03:32am IST (#1)
Steve Krile
7 Posts
Hey everyone. Just wanted to let you all know I've launched my new
company - www.corehse.com. This site is designed specifically for
HSE people! You can track Employees, Training, Incidents (and soon
- Action Items, Energy Use, and Waste). The site is a subscription
service, so there is no software to install. Just one yearly fee
gives you every feature.
I've designed the site to be useful for small and big companies
alike. If you get a second, check it out and let me know what you
think.
Steve Krile
President, Blue Rail Solutions, LLC
www.corehse.com

Mon, Sep 28 2009 09:12am IST (#2)
Richard Brown
141 Posts
Steve
Are your servers based in the USA? If so, how do you help your
clients in Europe comply with the data protection laws here, given
the data protection laws of the US are much weaker than the
EU's?
The regulations in the UK and other European countries require data
retention for many years, up to 40 for some types of data. How do
you ensure data integrity over this period of time? What would
happen to the data if your company went out of business, or was
bought by another company?

Mon, Sep 28 2009 11:10am IST (#3)
Steve Krile
7 Posts
Great question - and one we've been struggling for a while with at
work. In my day job, I manage the HS&E information for a large
automotive supplier. Our servers are located in the US and we have
operations all over Europe and the rest of the world. To overcome
this issue we've applied for (and obtained) Safe-Harbor status for
our data center. This of course is not easy to do.
For CoreHSE.com I'm just getting started. I currently have all of
the data hosted by a third-party in California. They have a very
stringent security protocol and I've used the highest levels of
security in my application design to ensure unwanted access is
extremely difficult.
As for the data persistence (what would happen if I were purchased
or went out of business), in the Terms and Conditions it is stated
that subscribers "own" their own data. I host their data for them
and make it available through a web-based interface, but the data
is theirs. Should I go out of business or ownership change, all
subscribers would receive notice of the change and be given an
option to either continue with the service or close their account
and receive the data (in a structured format, of course).
But really, your question touches on an intangible. The same
questions could be asked of anyone storing data in any way -
whether it's on an internal or external system. The bottom-line
question then is one of trust and verification. I take the
protection of my customers' data very seriously, and as my reach
extends beyond North America, I will take every step required to
comply with the laws of the land.

Mon, Sep 28 2009 11:51am IST (#4)
Richard Brown
141 Posts
Whoops, double posting here as I used "Quoting" incorrectly and
created a new topic.
Original Post:
But really, your question touches on an intangible. The same
questions could be asked of anyone storing data in any way -
whether it's on an internal or external system. The bottom-line
question then is one of trust and verification. I take the
protection of my customer's data very seriously, and as my reach
extends beyond North America, I will take every step required to
comply with the laws of the land.
You are correct, this is the reason businesses should have
offsite backups. It isn't that internet-based
software-as-a-service is a bad idea; there are a great many
positives. But the questions about data security have to be
asked, and in your case answered well.
To some extent data security in the UK is becoming irrelevant as
Her Majesty's Government routinely disperses our information to
the four corners of cyberspace - but that is just me becoming
cynical.
regards
Richard

Mon, Sep 28 2009 12:03pm IST (#5)
Steve Krile
7 Posts
Yes, I imagine I will be asked much more difficult derivations of
the same question!

Mon, Sep 28 2009 12:03pm IST (#6)
Richard Brown
141 Posts
Kev posted:
Steve
Richard makes a good point. You might want to register with the
Information Commissioner's Office. It's a requirement in the UK
under the Data Protection Act. It costs next to nothing but will
demonstrate to your customers that you are in compliance.
http://www.ico.gov.uk/
Kev

Mon, Sep 28 2009 12:07pm IST (#7)
Steve Krile
7 Posts
uh oh....
"If the Data Controller address above is outside the UK or any
other EEA state you MUST complete the
representative name and address. This address must be a UK address
for the notification to be valid. Furthermore, when you come to
complete the Contact Address (if this is different from the
Representative details) this must also be a UK address."

Mon, Sep 28 2009 12:22pm IST (#8)
Kevin Site Owner
470 Posts
Steve
Not quite sure how it works; maybe worth sending them an email. It's
probably not a requirement for you but more a good to have.
Kev