9 Simple Actions to Stay PDPA-Compliant
Updated: Nov 17, 2020
We’ve all heard about the Personal Data Protection Act (PDPA) and the importance of keeping personal data secure, especially in this digital age where registration forms fly around like Aladdin’s magic carpet. As a groundup, it’s pertinent to note that adherence to the PDPA applies to you too, regardless of whether you are a registered entity or not.
Some examples of personal data (list is non-exhaustive):
· Full name
· NRIC number or FIN
· Passport number
· Personal mobile number
· Personal email address
· Facial image of an individual (e.g. in a photograph or video)
· Voice of an individual (e.g. in a voice recording)
· A combination of “innocent data” like first name + age + height + place of work
(Note: Business contact information is not considered personal data and is not subject to the PDPA)
The Personal Data Protection Commission offers some suggestions on what organisations can do to manage personal data, but most of it is catered towards larger organisations and it could be hard to see the relevance and application for smaller organisations like groundups. In this article, we identify a few simple actions that groundups can take to minimise their exposure to PDPA breaches.
1. Always obtain consent
This is the golden rule of PDPA, and you’d do well to remember it. Want to collect phone numbers to set up a WhatsApp group with your volunteers? Want to collect email addresses for a mailing list? You can use the data you collect for whatever (reasonable) reasons you want, as long as you’ve obtained consent to use it for that particular purpose. Written consent is always best (through sign-up forms, email, text, etc.), but in scenarios where it’s not feasible or not meaningful (e.g. getting written consent from someone who is not able to read), then at least obtain verbal consent.
2. Inform purpose of collection
When collecting information, state the purpose you’re collecting the information for. If you’re collecting personal details to communicate with participants on an event they signed up for, or if you’re recording an interview for research purposes, say so. Informed consent is not obtained if the purpose is not revealed to the individual, so it doesn’t count if you collect information without telling them why.
3. Collect only what you need
Have a long, hard think before you decide to collect any piece of information. Do you really need your participant’s NRIC number to carry out your programme? Is collecting your registrant’s exact age crucial or would an age range suffice? Review your forms and collect only what you will need to use so that you have less data to deal with.
4. Opt-in rather than opt-out
In the example above, note how both boxes are unchecked – anyone providing consent should be doing it on an opt-in basis rather than an opt-out basis. This means that acknowledgement for consent should be actively given (by ticking the checkbox) instead of passively or unknowingly (by leaving the checkbox pre-ticked).
For information that is collected for the purpose of conducting your activity (and the activity cannot be carried out without that consent), what you can do is separate the acknowledgements and make this one compulsory, so that every form that is submitted comes with the consent you require. Those who do not agree to provide the information for the said purpose have the option of not submitting the form and, by extension, not attending.
For other non-crucial use of the information like marketing emails and updates on future events, leave it as an optional opt-in so that people can choose whether they want to continue receiving future communications from you.
5. Allow consent to be revoked any time
You may have previously gotten consent to use some areas of personal data, but you need to provide an option to withdraw that consent as well. If you’re using marketing platforms like Mailchimp for emailers, they usually provide an option to unsubscribe from future communications. But if you’re not, you can always add in a line at the end of your communications to let them know that they can write to you if they would like to stop receiving updates or messages from you.
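Actions 1, 2, 4 and 5 above describe one consent workflow: every purpose is opt-in, the essential consent is compulsory for the form to be accepted, the optional ones stay off unless actively ticked, and any consent can be withdrawn later. The record below is an added illustration of that workflow (not code from the article or from any groundup); the purpose names and the `process_signup` helper are assumptions chosen for the example.

```python
"""Purpose-bound consent record (added example, not from the article).

Assumptions: a groundup keeps one record per person; every purpose is
opt-in, so nothing is consented to unless the box was actively ticked;
and consent can be withdrawn later, after which that purpose is no
longer permitted. Purpose names are constructed for this example.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Only the first purpose is compulsory for the activity itself (action 4);
# the others must remain optional opt-ins.
ESSENTIAL = "event_communication"
OPTIONAL = {"marketing_emails", "event_photography"}


@dataclass
class ConsentRecord:
    contact: str
    # purpose -> time of the active opt-in; absent means no consent was given
    granted: dict = field(default_factory=dict)
    withdrawn: set = field(default_factory=set)

    def grant(self, purpose: str, ticked: bool) -> None:
        # Opt-in only: an unticked box records nothing for that purpose.
        if purpose != ESSENTIAL and purpose not in OPTIONAL:
            raise ValueError(f"unknown purpose: {purpose}")
        if ticked:
            self.granted[purpose] = datetime.now(timezone.utc)
            self.withdrawn.discard(purpose)

    def withdraw(self, purpose: str) -> None:
        # Action 5: consent can be revoked at any time, for any purpose.
        self.withdrawn.add(purpose)

    def permits(self, purpose: str) -> bool:
        # Action 2: use is allowed only for a purpose that was stated and agreed to.
        return purpose in self.granted and purpose not in self.withdrawn


def process_signup(contact: str, ticked: dict) -> ConsentRecord:
    """Turn submitted checkbox states into a record; reject forms without the essential consent."""
    if not ticked.get(ESSENTIAL, False):
        raise ValueError("essential consent not given; the form cannot be accepted")
    rec = ConsentRecord(contact)
    for purpose in [ESSENTIAL, *sorted(OPTIONAL)]:
        rec.grant(purpose, ticked.get(purpose, False))
    return rec
```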
6. Bcc for mass emails
Unless you’ve gotten consent to share email addresses amongst participants or volunteers, any mass emails that you send out (or WhatsApp groups that you create, for that matter) should not contain the personal information of others. If you have to send out mass emails, make sure to use the bcc field so that the recipient information is not divulged to others. This may sound really simple and duh, but you can never get too complacent – as IKEA Singapore learnt.
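Where a mass email is sent from a script rather than a mail client, the same mistake is easy to make by putting the whole list in the To header. The snippet below is an added example (not from the article): it builds the message with the participant list kept in the SMTP envelope only, and includes a check that flags any participant address visible in the headers, so the leaky variant is caught before anything is sent. Sender and participant addresses are constructed samples.

```python
"""Mass mail with recipients kept out of the headers, plus a leak check
(added example, not from the article).

Assumption: the groundup's own address is the only visible recipient and
the participant list is handed to the SMTP server as the envelope, e.g.
smtplib.SMTP.send_message(msg, to_addrs=recipients). Addresses are
constructed samples.
"""
from email.message import EmailMessage
from email.utils import getaddresses

SENDER = "hello@groundup.example"  # constructed sample
PARTICIPANTS = ["alice@example.org", "bob@example.net"]  # constructed sample


def build_mass_mail(subject: str, body: str, recipients: list[str]):
    """Return (message, envelope_recipients); recipients never appear in headers."""
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = SENDER  # visible To is ourselves; real recipients travel in the envelope
    msg["Subject"] = subject
    msg.set_content(body)
    # No Bcc header is set either: with smtplib.sendmail(msg.as_string()) a Bcc
    # header would be transmitted verbatim, so the list is returned separately
    # and must be passed as the envelope recipient list when sending.
    return msg, list(recipients)


def build_leaky_mail(subject: str, body: str, recipients: list[str]):
    """The mistake: every participant goes in To, so each sees all the others."""
    msg = EmailMessage()
    msg["From"] = SENDER
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg, list(recipients)


def leaked_recipients(msg: EmailMessage, recipients: list[str]) -> list[str]:
    """Participant addresses visible in any recipient-bearing header."""
    visible = set()
    for hdr in ("To", "Cc", "Bcc", "Reply-To"):
        for _, addr in getaddresses(msg.get_all(hdr, [])):
            visible.add(addr.lower())
    return [r for r in recipients if r.lower() in visible]
```

Run `leaked_recipients` as a pre-send gate: an empty list means no participant address is in the headers, and a non-empty list means the message must not go out as built.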
7. Notify event attendees of photo taking
It’s common to have photographers at your events to take photos or videos for documentation and marketing purposes, but because facial images constitute personal data, you will need to obtain consent for this as well. Make sure your participants acknowledge this during the registration process, and follow up by notifying them at all points of contact – when sending them the confirmation email, placing a notice at the registration counter and showing it as one of the first few slides if a presentation is involved. If your event happens to be in a public space where there are few or no restrictions on access, then you don’t have to worry so much about accidentally capturing the faces of passers-by, as those facial images will then be considered “publicly available” and not personal data.
8. Destroy the information
Just because your activity or event is over doesn’t mean that your PDPA duties are done and dusted. Remember the data you’ve collected that’s still in your Google Drive? If you didn’t obtain consent to keep it for future purposes beyond the activity or event, then you need to have in place processes to ensure that the information gets deleted or destroyed.
9. Be selective about who you share data with
Consider what information your volunteers have access to – do they have a need to know it? The more people who have access to personal data, the higher the chance of inadvertent disclosure. For example, if you’re organising an event and need to inform volunteers in charge of registration about the contact numbers of participants, consider sharing the information with them personally rather than in the volunteer WhatsApp chat. Take the opportunity to also review your processes such that the people you share personal data with only have it for the time they need to get the job done.
Complying with the PDPA might mean a little more time spent on admin processes (and a little less time for the real work your groundup does!), but it’s an important process to ensure the data that others have entrusted you with is kept secure. It only takes a moment’s folly to lose all the trust that your groundup has painstakingly built up, so don’t let PDPA be that slip-up.