O-Music Privacy and Data Protection Policy
O-Music Ltd is fully compliant with the GDPR law for the UK/EU from 25th May 2018
We keep securely the name and email address of the person or persons allocated by the school as the administrator(s) of the software for the school.
We supply a temporary password and username, which the administrator can then alter. All passwords are encrypted and as soon as the administrator changes it, only the administrator knows what it is.
It is the responsibility of the administrator to ensure no student or any other unauthorised person has access to these logon credentials.
The administrator can add the names, usernames and classes of students to the system. He/she can also add teacher details: names, usernames, email addresses and encrypted passwords.
The administrator can also attach teachers to classes so that the teacher can see a list of students in that class, with names and usernames. Passwords are hidden.
The administrator can also in certain circumstances ask O-Music Ltd to undertake some of these tasks, in which case the operation will be carried out by a member of O-Music staff trained in data protection.
Teachers have access to the names and usernames of the students in the classes to which they have been attached by the administrator. They can change their own details and those of the students in those classes. They do not have access to any secret student passwords but may change them, for instance if a student has forgotten theirs.
Each student has access to his/her name and username. The password is hidden but may be changed by the administrator. Students have no access to anybody else’s details unless they become aware of another person’s username and password.
The administrator can immediately delete any student, teacher or groups of students from the list, or delete all students and all teachers.
The administrator may in an emergency ask O-Music Ltd to suspend the software. This will be done by changing the access URL (web address) to a new secret version. This will have the effect of stopping any user making use of the software.
O-Music uses two servers:
•Server 2 in the US stores the O-Generator software, media and test results.
Data Processing in the European Economic Area (EEA)
A MusicFirst “Data Region” is a set of data centres located within a defined geographical area where User data is stored. Personal data is not transmitted between Data Regions. For Users with accounts located in MusicFirst’s European Data Region, all processing of personal data is performed in accordance with privacy rights and regulations following the EU Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 (the “Directive”), and the implementation of the Directive in local legislation. From May 25, 2018, the Directive and local legislation based on the Directive will be replaced by the Regulations (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, known as the General Data Protection Regulation (“GDPR”), and MusicFirst’s processing will take place in accordance with GDPR.
MusicFirst processes personal data as both a Processor and Controller, as defined in the Directive and the GDPR. Consequently, MusicFirst processes all data provided by its Users with accounts in its European Data Region, in the European Economic Area (“EEA”) only.
What are your choices regarding collection, use, and distribution of your information?
The disclosure of very limited personal information is required to create an account on our site, which is required to access certain services. If you do not wish to disclose the requisite information you are free to discontinue use of the MusicFirst website and service.
You also have choices with respect to cookies. By modifying your browser preferences, you have the choice to accept all cookies, to be notified when a cookie is set, or to reject all cookies. If you choose to reject all cookies MusicFirst may not be displayed or function in the way intended by MusicFirst.
Right of confirmation – Users and Visitors will have the right granted by the European legislator to obtain from MusicFirst the confirmation as to whether or not personal data concerning him or her his being processed. If a data subject wishes to avail him or herself of this right of confirmation, he or she may, at any time, contact our Data Protection Officer.
Right of access – Users and Visitors will have the right granted by the European legislator to obtain from MusicFirst free information about his or her personal data stored at any time and a copy of this information. Furthermore, the European directives and regulations grant the data subject access to the following information: (1) the purpose of the processing; (2) the categories of personal data concerned; (3) the recipients or categories of recipients to whom the personal data has been or will be disclosed, in particular recipients in third countries or international organisations; (4) where possible, the anticipated period for which the personal data will be stored, or, if not possible, the criteria used to determine that period; (5) the existence of the right to request from MusicFirst rectification or erasure of personal data, or restriction of processing of personal data concerning the data subject, or to object to such processing; (6) the existence of the right to lodge a complaint with a supervisory authority; (7) where the personal data is not collected from the data subject, any available information as to its source; (8) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) of the GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and anticipated consequences of such processing for the data subject.
Furthermore, the data subject shall have a right to obtain information as to whether personal data is transferred to a third country or to an international organisation. Where this is the case, the data subject shall have the right to be informed of the appropriate safeguards relating to the transfer.
If a data subject wishes to avail him or herself of this right of access, he or she may at an time contact our Data Protection Officer.
Right of rectification – Each User or Visitor shall have the right to obtain from MusicFirst without undue delay, the rectification of inaccurate personal data concerning him or her; and to complete incomplete data.
Right of restriction of processing – Each User or Visitor shall have the right to obtain from MusicFirst restriction of processing where: (1) the accuracy of the personal data is contested; (2) processing is unlawful and the data subject requests restriction rather than erasure; (3) MusicFirst no longer needs the personal data for the purpose of the processing; or (4) the data subject has objected to processing pursuant to Article 21(1) of the GDPR pending the verification whether the legitimate grounds of MusicFirst override those of the data subject.
Right to withdraw consent – Each Visitor and User shall have the right to withdraw his or her consent to processing of his or her personal data at any time by contacting our Data Protection Officer.
O-Music Ltd will keep securely names, addresses and email addresses of teachers who ask for trial versions or otherwise ask for more information. This information will be used in the following ways:
•To tell trial users their logon credentials and to remind them.
•To send further details including prices
•To warn users of the ending of trials
Administrators will also be contacted from time to time with newsletters and information about the expiry of their subscription.
All contacts will have the right to have their details deleted from the database.
Privacy impact assessment
O-Music Ltd has a number of strategies in place to secure data, with strict limits on the number of people who have access. Only the administrators have access to the full data, i.e. the list of students the administrator has assigned to O-Music Ltd. Class teachers only have access to data for individual classes to which they have been assigned. All data is protected by secret usernames and passwords. Passwords are hidden and encrypted.
In the extremely unlikely event of data being stolen, the impact will be limited to student names, usernames and classes. No student email addresses, phone numbers, gender information, age, date of birth or address are stored.
The only other data stored consists of the teacher’s names, school email addresses and school address.