Making Music Platform - data agreement

Introduction

What is Making Music Platform?

Making Music Platform is a web-based service that provides an online administration system, a member database, a member login area and an optional public-facing website for Making Music member groups.  

Making Music Platform is based on a website and related software called HarmonySite, which is owned by an Australian company called Virtual Creations P/L. Virtual Creations have created Making Music Platform for Making Music and license it to Making Music for use by our members.

What does this agreement cover?

This agreement covers how data will be processed within a Making Music Platform. It explains the roles and responsibilities of: the group (the member group using the Making Music Platform), Making Music and Virtual Creations.

This agreement applies to any personal data stored within a Making Music Platform.

Definitions

  • ‘you’, ‘your’ or ‘user’ means the Making Music member group using the Making Music Platform product.
  • ‘we’, ‘us’ or ‘our’ means Making Music.
  • ‘process’, ‘processing’ or ‘processed’ used in relation to data means any interaction with data such as storing it, viewing it on a screen, updating it, deleting it or exporting it.
  • ‘access’, ‘accessing’ or ‘accessed’ in relation to data means being able to view data.
  • ‘use’, ‘using’ or ‘used’ in relation to data means working with the data beyond simply viewing it, which could include updating it or using it to contact a person.
  • ‘developer level access’ is how Making Music and Virtual Creations can log into any Making Music Platform and have full access to the site. 
  • ‘data controller’ means the organisation responsible for personal data in accordance with the Data Protection Act 2018.
  • ‘data breach’ this is the deliberate or accidental misuse of data. It could include; loss or deletion of data, changing data without permission or good reason, changing data incorrectly, unauthorised use of data, unauthorised access to data (e.g. by a third party gaining access without good reason or permission), or unauthorised disclosure of data (data being passed to a third party without good reason or permission)

Further information about data terms can found on the ICO website


The Basics

  1. Who owns the data on your Making Music Platform?

You do. We will set up a Making Music Platform for you. Virtual Creations owns the software it is built on, but it is your site. You own the content (images, video etc.) and you are the data owner.

This means you are responsible for any data you choose to process in your Making Music Platform and its databases. That includes responsibility as the data controller in respect of any personal data, such as information about your members. Making Music accepts no responsibility for the data you process.

The data you are most likely to store is the personal data of the people in your group and of any other individuals you work and interact with (e.g. audience members and business contacts). Personal data typically stored in a Making Music Platform includes:

  • Names
  • Email addresses
  • Postal addresses
  • Phone numbers
  • Membership information
  • Music information (voice type, instrument played, grade/standard)
  • Date of birth
  • Height
  • Uniform size

Making Music Platforms have the facility to store any kind of personal data. If you decide to store personal data of a sensitive nature (such as information about person’s race, politics or health), there are additional responsibilities for your group. You can find more information about your responsibilities in respect of personal data on the Information Commissioner’s Office website.

As the data controller you have various responsibilities to the individuals whose data you process and the way in which you process data in your Making Music Platform. Such as:

  • providing individuals with a privacy statement explaining how you will use their data,
  • data protection procedures around access to data, and
  • ensuring individuals understand and can exercise their rights over data you hold. (e.g. to access or delete data).

As data processors we will provide guidance and assistance, and take reasonable steps, to help you meet these responsibilities.

  1. What is Making Music’s role? 

We are data processors. As the data controller you are responsible for the personal data you enter, store and manage on your Making Music Platform. As providers of the service we are responsible for processing that data for you.

  1. What is Virtual Creation’s role?

They are a data sub-processor. We have a relationship with them and a data agreement that details how they will process data in Making Music Platforms. We will explain more about this later. By signing up to this data agreement, you are also agreeing to us using Virtual Creations as a sub-processor.

  1. Where is the data stored?
  • All Making Music Platforms and the data held in them is housed on physical servers located in the UK. The server is provided by Hosting UK (registered name EasySpace Limited), the account is owned by Making Music and Virtual Creations help us manage it.
  • If you are using the nightly back-up optional extra, that is housed on a PC server located in the Making Music offices (UK). The server is owned by Making Music and managed by Virtual Creations.
  • If you are using the Additional storage optional extra some data will be stored in an Amazon cloud facility within the UK. The account owner is Making Music and Virtual Creations help us manage it.
  • By signing up to this data agreement, you are also agreeing to the services provided by Hosting UK and Amazon Web Services Inc.

Making Music is the account holder for all hosting and back-up service providers. By signing this agreement you give your permission to the appointment of alternative hosting and back-up providers. If we do change providers, data security will be our primary concern when looking for new providers and we will always notify you of any changes in advance of them happening.

  1. Is the data backed-up?

As standard your Making Music Platform is backed up once every 24 hours, and once every month.  Whenever a new back-up is taken the old ones is deleted – so there are always two backups available - one from last night (the 24 hour back-up) and one from the first of the current month. These standard back-ups are stored on the same physical server as your Making Music Platform. This is a physical server located in the UK. The server is provided by Hosting UK (registered name EasySpace Limited), the account is owned by Making Music and Virtual Creations help us manage it.

If you are using the additional Nightly Backup option your website is backed up every night and all historical copies of your data are kept. So, you have a version of your site from every day it has existed. These back-ups are stored on a physical PC severer housed in the Making Music office (UK). The server is owned by Making Music and managed by Virtual Creations.


Making Music’s role and responsibilities

  1. Does Making Music have access to the data?

Yes. As data processor we make the software and databases available for you to store and manage data. As such we have to access the data to deliver the service, make sure it is working properly and to provide you with technical support.

  1. How we will process your data?
  • We will only process data when instructed to do so in writing by you. This will include:
    • The delivery and provision of the Making Music Platform - this will most commonly be automatic and instigated by your use of the Making Music Platform features. It includes hosting and back-up services.
    • Providing technical support as requested by you. The provision of technical support will include accessing data for investigative purposes.
  • When we are instructed to process data on your behalf it may involve us logging directly into your site via developer level access.
  • We will never input data into your Making Music Platform apart from:
    • During the initial set-up process.
    • Where we are requested to do so by you.
  • We will never update or delete data unless requested to do so by you.
  • We will never transfer your data to our own systems unless it is required for providing technical support.
    • If we do transfer data for this reason, we will not store it for longer than is necessary for providing the support and we will delete it after this time.
    • An example of this type of support is importing membership data into your Making Music Platform.
  • We will never use the data to contact any individuals directly. Please be aware that we may already have, or establish, relationships with individuals listed in your Making Music Platform. These relationships and any relevant data permissions exist separately to your Making Music Platform.
  • We will never pass the data to third parties other than where it is essential for providing technical support (see paragraph 9 below).
  • We will sometimes access anonymous statistical data:
    • Examples of this include demographic data about individuals registered on all Making Music Platforms or the total number of events listed.
    • This will always be anonymous data about users as a whole and will not be the personal data of individuals listed in the system or about specific groups.
    • For example, we might say ‘X people over 50 are listed across all Making Music Platforms’, rather than ‘X group has Y members over 50’.  
    • We will collect and use this data to help us monitor service usage, and to collect data on the leisure-time music sector to help with our lobbying and advocacy work on behalf of our member groups and the wider sector.
  • We will ensure the security of personal data we process on your behalf. Data held on Making Music Platforms is held on secure UK-based physical and cloud servers with reputable companies. Data will only be accessed by Making Music staff via our own secure password protected networks and systems. Staff accessing data will do so in line with our own IT security and data protection policies. Making Music staff are subject to appropriate confidentiality obligations in respect of their handling of any personal data.
  • If a breach of data held on your Making Music Platform does occur due to our processing, we will contact you without undue delay. We will work with you in all reasonable ways to manage the data breach.
  • If we become aware of a potential data breach caused by your own processing of data, we will contact you without undue delay. We will work with you in all reasonable ways to manage the data breach.
  • If an individual makes a request to you about the data you hold about them and how you process it we will take reasonable steps to help you respond to that request.
  • We will take reasonable steps to make information available to you to help you demonstrate your compliance with data protection laws.
  • We think it is unlikely your use of data via the Making Music Platform will pose a high risk to the rights and freedoms of individuals whose data you hold, but if you think they do, we will take reasonable steps to help you to meet any responsibilities you have as the data controller.
  1. What happens if you stop using your Making Music Platform?

If you decide to stop using your Making Music Platform you will be able to export, download and retain all data from your platform. We will assist you with this. Once this has been done you will have the option of:

  • Disabling your site – this means it still exists on our servers (including all data) but is not publicly visible or accessible by you. It can be reactivated on your request. In this instance we will have access to the data but would only process the data if requested to do so by you.
  • Deleting your site – we can delete your site and all data meaning we no longer have access. In this instance the site and data cannot be reactivated by you.

Virtual Creations role and responsibilities

  1. Will Virtual Creations have access to the data?

Yes. Virtual Creations have developed the Making Music Platform software for us and manage our UK-based servers. They also provide us and Making Music Platform users with technical support. As such they have access to all Making Music Platforms and the data stored in them.

  1. How will Virtual Creations use the data?
  • They will only process data when instructed to do so by us or by you to provide technical support as requested by you. The provision of technical support will include accessing data for investigative purposes.
  • When they are instructed to process data on your behalf it may involve them logging directly into your site via developer level access.
  • They will never input data into your Making Music Platform unless requested to do so by you.
  • They will never update or delete data unless requested to do so by you.
  • They will never transfer your data to their own systems unless it is required for providing technical support.
    • If they do transfer data for this reason, they will not store it for longer than is necessary for providing the support and will delete it after this time.
  • They will never use the data to contact any individuals directly about anything other than requested technical support. Please be aware that individuals can establish relationships directly with Virtual Creations (such as signing up to their HarmonySite newsletter), any such relationships are separate to this agreement.
  • They will never pass the data to third parties other than where it is essential for providing hosting and back-up facilities.
  • They will sometimes access anonymous statistical data to monitor service usage.
  • They will ensure the security of personal data they process on your behalf using various methods including the following:
    • Technical security features (such as passwords, firewalls and encrypted databases and hard disks).
    • Data protection procedures for staff, such as changing passwords regularly and only accessing data via secure networks.
    • Physical security measures for their premises, including out of hours security service visits.
    • Recruitment procedures to ensure the technical competency and professional integrity of staff.
  • If a breach of data held on your Making Music Platform occurs due to their processing, they will contact us without undue delay. We will then contact you without undue delay, and will work with you and Virtual Creations, in all reasonable ways, to manage the data breach.
  • If they become aware of a potential data breach caused by your own processing of data, they will contact us without undue delay. We will then contact you without undue delay, and will work with you and Virtual Creations, in all reasonable ways, to manage the data breach.
  1. As Virtual Creations are based in Australia doesn’t that mean some data will be transferred outside the EU?

Yes it does. Although all Making Music Platforms and the data stored in them is housed in the UK, Virtual Creations will be accessing them from Australia to provide support, and so some data will be transferred to Australia.

We have a data agreement in place with Virtual Creations to cover this. The agreement includes standard contractual clauses approved by the European Commission, as is required under the Data Protection Act 2018. It establishes how Virtual Creations will access and process data and ensures they will treat the data responsibly, fairly and securely.

By agreeing to this data agreement, you acknowledge that we will pass data stored in your Making Music Platform to Virtual Creations. We will not pass the data to any other international organisation unless we have written instructions from you or are required to do so by EU or UK law, in which case we will inform you of the legal requirement before processing (unless we are legally unable to do so).


Your group’s data

As well as storing personal data in your Making Music Platform you will store data about your group, such as official documentation and event details. Whilst organisational data is not covered in the same way as personal data is by the Data Protection Act, our commitment to the fair and safe processing of it is the same.

We will treat data about your group in the same way as we will treat personal data. Briefly:

  • We will only process it when requested to do so by you.
  • We will never store data about your group on our own systems, unless required to do so in the provision of technical support, and then never for longer than is required for providing that support.

Note: we may store data about your group as part of your membership with us. Data stored for this purpose is separate to this agreement.

  • We will never pass it to third parties (apart from where it is essential for providing technical support).
  • We may sometimes collect anonymous statistical data to report on service usage and to help with our lobbying and advocacy work on behalf of our member groups and the wider leisure-time music sector. An example of this would be that in ‘X year all groups using the service have listed Y public performances’. 

See the MM Platform Terms and Conditions