We are often asked how data protection legislation affects Pianola. It's an issue we take very seriously. This is our understanding of UK and international legislation and our position as a company, based on advice we have received from the Information Commissioner's Office (www.ico.org.uk).
The Data Protection Act 1998 distinguishes between data controllers and data processors and puts obligations on each.
According to the ICO, data controller means "a person who (either alone or jointly or in common with other persons) determines the purpose for which and the manner in which any personal data are, or are to be, processed". The data controller, in this context, is the bridge club (whether they use Pianola, a different system, or none).
The ICO defines data processor as "any person - other than an employee of the data controller - who processes data on behalf of the data controller". The data processor, in this context, is Pianola.
Requirement to register
Organisations that hold personal information about individuals on computer are required to register with the ICO. However, there is a specific exemption for not-for-profit organisations; eg small clubs.
Furthermore, even if your club is privately owned and operates for profit, there is an exemption from registration if the only processing you are doing is for:
- Staff administration
- Advertising, marketing and public relations
- Accounts and records
Data processors are not required to register with the ICO, as data controllers who use the services of data processors carry liability under the Data Protection Act.
You can use the ICO's self assessment online to determine if you should notify them of your data use.
How Pianola protects your data
We believe your data is safer with us than it is on your own PC, where it is vulnerable to loss by theft, mechanical failure or human error. We take a number of steps to protect your data.
We take backups of your data every hour, day, week and month. These backups are stored in a different physical location to the main database.
When you login to Pianola, look for the padlock in your web browser. This shows that you are connected to our server across a secure connection. This means that data is encrypted as it passes between your PC and our server, so nobody can read it except you.
We also hold all of our users' passwords in an encrypted form, so that nobody is able to read them - not even us. (This is why we'll ask you to reset your password if you ever forget it - we're not able to give you a reminder.)
Pianola is hosted by Amazon Web Services (AWS) in their West Virginia Data Centre. Not only does this infrastructure power Amazon's own store (surely one of the biggest and busiest in the world), it also hosts many other web companies, large and small. Examples include: Netflix, The Guardian, U-Switch, Yelp, Sega, Virgin Atlantic and Zoopla.
AWS complies with the US-EU Safe Harbor Principles, which provide a streamlined process for US companies to comply with the requirements of Directive 95/46/EC on the protection of personal data. Although this framework was recently ruled to be invalid a new framework, "EU-US Privacy Shield" will supersede the Safe Harbor agreement. Amazon.com, Inc. is taking the necessary steps to certify under the EU-US Privacy Shield. Upon completion of this process, AWS will be covered under this certification.
Your users' privacy
We believe your members are the only people who can decide how much of their information they want to share with other people. Therefore, Pianola allows each individual to choose whether or not to share with other members:
their contact details
their results history
If a member chooses not to share this information it will not be visible to any other members (except for people to whom you grant administrator access. Administrators can see all information about all members). However, some features will not work for members who choose not to share information. For example, to use the partner-finder, players will need to make their contact details available so that potential partners can contact then.
If you have any further questions about data protection or privacy, we'd be happy to hear from you. Please email firstname.lastname@example.org or call +44 (0)113 320 1352.