Scope
Due to the diverse range, type and scale of businesses who use Overture (‘the system’), this article cannot be considered to provide specific guidance or advice on the steps your company should be taking to comply with new or existing data protection legislation or regulation.
This article is not intended to be a comprehensive guide to data protection issues in general or the EU General Data Protection Regulation (GDPR) in particular. Instead, it is an outline guide to the data protection measures that are available within the system which we suggest you consider, and as appropriate, implement for your company.
It is important that all our clients consider the data they hold, the purposes they use it for and who has access to it with regard to their own organisation and whether they should be adopting some, or all, of the measures outlined.
Overview
In compiling this guide we have considered our customers relationships with both the individuals and organisations they:
- represent (referred to as ‘Artists’ for the purposes of this article)
- provide these services to (‘Promoters’)
Within this, we have considered, amongst other matters, the core issues of who can access what data and whose consent may be required in order to hold it.
The remainder of this article is designed to help our clients review those data protection measures which concern their use of the system.
It outlines some basic steps you can take with regard to data protection generally then concentrates on Internal and External user access and finishes with further points for consideration.
Generally
Central to data protection is the idea that only those people who require access to particular data can do so and whilst both the Internal Users and External Users sections below highlight the ways in which you can restrict this to specific users, this should not detract from the general principle that everyone in and around an organisation (and who was access to some or all of the data it holds) has to play their part in laying the basis of data protection.
In particular, we would encourage:
- the use of strong passwords of at least 8 to 10 characters
- organisations to prohibit the sharing of individual account logins/passwords between users
- the correct setup of all Internal user accounts (be the ‘Admin’ or standard ‘Internal’)
- setting up individual external user accounts for everyone associated with an Artist rather than sharing one
We have recently updated Overture to make password security easier to manage by incorporating a range of new measures, namely:
- Improved password security when setting up new accounts or changing password on existing
- 2-step verification/login
- Email alerts for logins
These updates are covered in a blog post which is available here:
https://bookingwithoverture.com/blog/overture-security-improvements/
Internal Users
Levels of access
Within the system, there are two levels of Internal user – ‘Admin’ who have access to everything held on the system, including the account Settings and ‘Internal’ whose access can be restricted in a number of ways.
This enables our clients to decide on whether or not all users require ‘Admin’ level access or whether some or most can be restricted.
It is important to remember that Admin users can see and edit everything within the system, including updating your overall account Settings, whilst the default permissions for new Internal users are that they:
- Can see all Bookings
- Have no access to reports
- Can edit all Bookings
- Can see Financial Details on all Bookings
Configuring Internal users
The default Internal user settings are outlined above and are designed to restrict new Users access to ‘bulk’ information, such as can be generated by running a report or exporting contacts.
By default, these settings do not restrict access to personal data as it relates to individual contacts held within the system or to accessing financial information as it relates to individual Bookings.
Access to this data can be restricted as laid out in both this section and Restricting Further Information which applies only to Internal users since External users don’t ever have access to this.
To change an Internal user’s settings, an Admin user will need to go to Settings > Users and select each Internal user one at a time.
The Admin user has the ability to make changes to the default settings in four areas, namely:
- Permissions
- Ability to see Bookings
- Ability to edit Bookings
- Ability to view Financial Details on Bookings
To do so, click on ‘Edit’ below the Internal user details and then click on the appropriate blue heading.
In the case of ‘Permissions’ this will bring up a list of the Reports which you can grant access to.
The other three categories allow you to restrict not only which Bookings an Internal user can see but also whether they can edit these.
Decide on whether you wish your Internal users to see the Bookings and Events associated with all of your Artists or to restrict this to just those they directly work with.
If you choose to limit an internal users ability to see bookings then this is added on an Artist by Artist basis so you’ll need to add those Artists whose details you want the Internal user to be able to see to the list which pops up when you click on the ‘Can see bookings and events for these artists:’ heading.
It follows that if a user can’t ‘see’ a Booking they also can’t edit it, so restricting their access to ‘see’ Bookings to one or more of your Artists necessarily means that their ability to edit is reduced to only those that they can view.
You have the choice to further restrict your Internal Users editing permissions by clicking on ‘Can edit…’ and choosing whether they can edit all Bookings (which they can see) or just those where they are ‘on the Team’ (see Team Membership below) or even those where they are on the Team plus those where another selected Team Member is on that Team.
Finally, you then have the ability to decide on whether they can view the financial details relating to all Bookings they can see or only those which they can edit. If an Internal user can’t edit a Booking then they can’t see the financial details either.
Team Membership
An internal user is considered to be on the ‘team’ if they are listed in the top right hand corner of a Booking (by default as either the ‘Agent’ or ‘Assistant’).
You can set defaults for which of your team appears in these roles by going to each relevant Artist contact and adding them to the Further Information page under ‘Team Members’. Once a Team Member has been added the system also provides the ability to allow you to add this role to all (or all future) Bookings featuring the Artist in question using the three-arrow circular icon shown to the right of the role.
You can also edit and/or add Team Member roles in the system Settings as explained below.
Adding Team Member Roles
This can only be done from Settings > Team Member Roles.
You cannot delete the two default Team roles since these have specific functions within the system in terms of assigning tasks and deciding who emails are from etc.
Instead, if you wish to change the titles displayed on the two default team member roles, you can click on the title which will open a text input field allowing you to overwrite ‘Agent’ with your chosen label, such as ‘Artist Manager’.
You can also add any extra roles you’d like to be available – such as ‘Logistics’ or ‘Finance’ – simply by clicking the blue ‘Add Field’ button below the default roles.
Restricting Further Information
As mentioned previously, restricting Internal user access to specific Bookings does not prevent them from being viewed by individual Contacts or, more importantly, any of the ‘Further Information’ contained therein.
For this reason, there is an additional function built into the system which can be turned on for any account holder, namely ‘Restrict Further Information’.
This prevents anyone other than a Team Member (as listed on a particular Contact record – not as referred to on any given Booking) and/or an Admin user from accessing that Contact’s ‘Further Information’ page which may, after all, contain personal data such as bank account details and other information that many other internal users within your organisation may not require.
Please note: this feature is not enabled by default. To enable it please go to Settings > Contacts and tick the checkbox at the bottom of the page labelled ‘Restrict access to your contacts further information pages’. You will need to be an Admin user to access this.
External Users
External users can only ever see those Bookings and Events which they are associated with, so there is less to consider from a data protection standpoint, but it is worth outlining the options available.
There are three main settings relating to External users on all Overture accounts and these are accessed via Settings > Users in the same way as those appertaining to Internal users, they are as follows:
- Can see financial info on Bookings
- Can see contact details for Contacts on Bookings
- Can see contact details for Agent and Assistant on Bookings
By default, these are all set to ‘No’ allowing you to adjust as per your requirements.
Overall, we would also suggest the usage of ‘Group’ (sometimes referred to as ‘Act’) records to enable multiple people to be associated with any given Artist which in turn allows you control who is notified of any Bookings as well as making it easier to remove individual Group members.
If you don’t currently use these ‘Group’ records then please contact us for more information.
Notifications
When using Group records, you have the ability to both add or remove individual contacts associated with that Group to or from, not only all Bookings the Group is involved with, but also individual engagements. Perhaps because they are not included in the line-up on that occasion.
More information on this is included in these helpdesk articles:
Add New Act Member To Bookings
https://docs.overturehq.com/knowledge-base/add-new-act-member-to-bookings/
Contact Notifications
https://docs.overturehq.com/knowledge-base/contact-notifications/
Documents
Internal users can always view any document produced within (or uploaded) to the system that is associated with any Booking that they have access to.
It is possible, however, to control External user access to documents.
By default, the system is configured so that an External user is able to see those documents associated with a Booking on which they are named as the Main Contact of the Artist and which they are directly involved in. For example the Main Contact could see a Contract issued by the agency to the Artist or one between the Artist and the Promoter but not one between the Agency and the Promoter.
Note: Documents relating to Bookings on which no Main Contact is listed cannot be viewed by any External user.
There is an alternative, which enables account Admin users to choose whether individual External users can see documents associated with their Bookings or not but in such cases the following applies:
- A fourth editable category will be added to your account External user Settings, namely ‘Can see Documents on Bookings’ and this is either on or off (default: off) for all Bookings the
- External user in question is associated with.
- If ‘on’, that External user will be able to see all documents associated with any Booking that they are listed on as either the Main Contact or as a ‘notification’.
- Additionally, this includes all ‘deal types’ so in this case, the External user can see all documents, such as Contracts which are technically between the agency and the Promoter so it may not be suitable for everyone.
Calendar Feeds
While the previous sections have detailed how you can restrict access to the data you hold to those Users that require it, it is also worth noting that all system Users can ‘subscribe’ to a calendar data feed, the maximum content of which is limited only by their level of access/permissions.
A feed taken from an Admin user’s calendar when ‘Show all’ is selected in the main Search Bar and on which all Booking Statuses and Calendar Event Types are ‘ticked’ will potentially contain all of the data relating to all of the Bookings held on your account.
Feeds taken from the Calendars of Users without Admin access will, of course, contain less data but even so, it is important that all Users are aware that these feeds are only for their own, individual use, in carrying out the business of your organisation and should not be shared with anyone else.
Consent
Aside from controlling the data that system users, be they Internal or External, can access you may also wish to consider how you obtain consent from everyone your organisation collects, stores and processes data about, be they Artists, Promoters or other parties involved in the engagement, such as Venues.
To this end, you may wish to include a paragraph requesting such consent and outlining the reason for doing so as well as the purposes to which the collected data will be used in your communications with them.
In particular, such a statement may be worth including in automated email messages generated within Overture which contain ‘links’ such as:
- Promoter Information Requests
- Contact Update Requests
- Feedback Requests
Your account Admin users can control the body text of such emails in Settings > Messages (and, in some cases, Custom Messages).
Terms and Conditions
You may also wish to consider adding a set of your Terms and Conditions to your Overture account. These can be attached to both the Promoter Information and Contact Update Requests and so you should consider either uploading your:
- Standard Terms and Conditions and, if you’ve not already done so, revising these to contain a section on data protection including details of what agreeing to your Terms and Conditions includes in terms of giving consent for you to process and hold that contact’s personal data and how you may use this data, or
- Privacy policy or a general statement on data protection and the GDPR which includes details of the consent that agreement includes
This can be done by an Admin User in Settings > Terms and Conditions.
Removing Users
When considering how to control the data you hold, it is appropriate to be aware of the actions you can take when a system user either leaves your employment or is no longer represented by you.
To this end, this section outlines how you can both remove their access to the system (which is sometimes overlooked) and how, if necessary, you can also delete that element of the data you hold on them which is no longer required.
Access Rights / User Licence
If you need to delete an Internal or External user, simply go to Settings > Users then find their record and click ‘Delete’. This will automatically remove not only their access to the system itself but also ‘kill’ any Calendar feeds they took from their account. It will not, however, delete any data held within the system so you’ll still have a record of which Bookings that individual was involved in whilst working for your organisation.
Deleting Data
If you hold personal data (such as Bank Account details or home or business addresses) that you no longer require for inclusion on new documents or correspondence that you were previously issuing on behalf of, say an Artist then you can delete this from the relevant Contact Record(s).
Provision of data
The system allows you to provide details of both the key data you hold relating to both people and organisations as well as about the Bookings they’ve been involved with.
To export such data, in the case of personal data relating to one or more Contacts, go to the Contacts Tab > select the Contact(s) you wish to export data about and then click ‘Export current search to csv’.
In the case of Booking data, go to Reports > Bookings Details > use the Search Bar, date filter and Calendar Key to choose the appropriate data and again click ‘Export current search’.
Additional Information
Please contact us at: support@curiousferret.com