Personal Data Protection requirements: event organisers receiving personal information of participants
As an event organiser, you likely act as a data intermediary in collecting and processing personal information of event participants on behalf of your client. For example, you act as a data intermediary when providing event RSVP and registration services, such as recording and organising personal information of the event attendees on behalf of your clients.
Your client is considered the data controller and remains liable under the PDPA for personal information which you process on their behalf as a data intermediary. However, the PDPA imposes three obligations on data intermediaries acting on behalf of another organisation.
- Reasonable Security Arrangements: Firstly, a data intermediary must make reasonable security arrangements to protect personal information from unauthorised access, collection, use, disclosure or any similar risks, even though it is processing the personal information on behalf of another organisation. The nature of the personal information will determine the level of 'reasonable' security arrangements in the circumstances. For example, financial information may require more stringent security arrangements compared to information on employment or educational background.
- Retention Limitation Obligation: Secondly, data intermediaries must adhere to the retention limitation obligation under the PDPA. This means that you must cease retention of documents containing personal information of event participants, or remove the means by which the personal information can be associated with specific individuals, as soon as the retention no longer serves the purpose the personal information was collected for and is no longer necessary for legal or business purposes (usually after the end of the event).
- Data Breach Notification Obligation: Finally, data intermediaries must notify the controller of data breaches. If you discover a data breach which affects personal information which you are processing on behalf of and for the purposes of a client, you must notify the client without undue delay from the time you have credible grounds to believe that the data breach has occurred.
Even though the PDPA imposes a limited set of obligations on data intermediaries, please note the following:
- It is common for clients to impose additional data protection obligations in their contracts with data intermediaries. As such, you should ensure that you comply with all data protection requirements and obligations set out in the written contract with your client.
- You will be considered a controller who is responsible for complying with all data protection obligations in the PDPA in respect of activities which do not constitute processing of participant information on behalf of your client pursuant to your contract with them.
Event organisers may be required, as part of their engagement, to take photographs or videos of event participants (whether at online or offline events) which are subsequently used for publicity or other purposes of the client. In doing so:
- You must notify event participants, before photography or filming takes place, that their photographs or videos will be taken at the event and the purposes for which such photographs and videos would be used. Such notices can be provided at the time a person registers for the event or, in the alternative, by posting obvious notices at the start of the event or at event entrances.
- It is advisable to obtain the express consent of event participants for such photography / filming and the use of the photographs / videos. This could be done by providing a check box at the time of event registration for the participant to acknowledge and agree that there will be photography / filming at the event and that their photographs / videos may be used for the stated purposes. Consent may also be deemed if a participant voluntarily permits a photograph or video to be taken at the event for the intended purposes, and it is reasonable that the participant would do so.