Personal Data Protection
Events
| # | Points to Consider | Please Ensure | Examples | Reference |
|---|---|---|---|---|
| 1 | How will the information be collected? | To use only NUS-approved platforms for data collection. These include: | Sandy, an NUS staff member, was planning an NUS Personal Data Protection Awareness workshop for NUS staff, NUS students and members of the public. She contacted NUS IT Care to obtain access to two NUS applications, “Calendar of Events” and “eSurvey”. Since neither application suited her needs, she decided to look for a third-party event management cloud service. Sandy went through the list of NUS-approved event management cloud services and did not find one that matched her needs. She contacted Ozzy, her NUS IT Support, to help her obtain NUS approval for “XYZ booking”, a new event management cloud service she had found. Knowing that Sandy had a tight timeline to launch the registration, Ozzy suggested she consider the list of NUS pre-qualified event management cloud services, which would speed up the approval process. | |
| 2 | What is the purpose of the registration? | To minimise the personal data collected to what is required, and to state the purpose of the use and disclosure of the collected personal data. The disclaimer statement should clearly state: 1. The name of the event. 2. That the participant’s consent is given to the National University of Singapore (NUS), NUS being the legal entity. 3. That NUS may “collect, use and/or disclose personal data to third parties”. 4. That third parties include any third party located outside of Singapore. 5. The purpose of the collection. Example: By submitting this form, I, as a participant of the [NAME OF EVENT] consent to National University of Singapore (NUS) collecting, using and/or disclosing my personal data to third parties (including any third party located outside of Singapore) for the purpose of [STATE ALL PURPOSE], stated herein. | Sandy, an NUS staff member, was planning an NUS Personal Data Protection Awareness Workshop. The workshop fee was $200 per pax, with discounts available for NUS staff and NUS students. She would also like to collect the age demographics of the participants for future workshop planning. Here is the list of information she would like to collect from the participants; required fields are marked with an asterisk (*): Name*; Contact email address and phone number* (to send reminders and notifications relating to the workshop); NUSNET ID* if the participant is an NUS staff member or NUS student (to verify eligibility for the discount; note: only needed if high-fidelity verification is required); Payment information* (work with the NUS Office of Finance (OFN) on the electronic payment process); Age group (optional). Here is the consent statement for the workshop: By submitting this form, I, as a participant of the NUS Data Protection Awareness Workshop consent to National University of Singapore (NUS) through the Office of Risk Management and Compliance (ORMC) collecting, using and/or disclosing my personal data to third parties (including any third party located outside of Singapore) for the purpose of administering and managing the workshop, stated herein. | Sample of Event Registration Form |
| 3 | Who will the personal data be shared with? | Always obtain consent from the participants for disclosing the collected personal data to third parties, e.g. by including the phrase “disclosing my personal data to third parties (including any third party located outside of Singapore)” in the disclaimer statement. When a third party is involved, transfer/sharing of personal data must be done according to the Data Management Policy (DMP) and the DMP Guidelines on Use, Classification and Protection of University Data. Highlights from the guidelines: 1. The contractual agreement with the third party should include clauses covering confidentiality and personal data protection; otherwise a Non-Disclosure Agreement (NDA) should be signed with the third party. 2. On an exceptional basis (i.e. when there is neither a contractual agreement nor an NDA), a confidentiality undertaking should be given to the third party when disclosing the personal data. 3. Obtain support from the Personal Data Protection Unit (PDP Unit) before sharing personal data with any third party. The PDP Unit is part of the Office of Risk Management and Compliance. 4. To share personal data with a third party electronically, encrypt the data before sending it out. | Sandy, an NUS staff member, was planning an NUS Personal Data Protection Awareness workshop for NUS staff, NUS students and members of the public. To invite guest speakers who are experts in the data protection field, she partnered with a registered not-for-profit organisation, “Singapore XYZ Group”, for this workshop. Sandy had “Singapore XYZ Group” sign a Non-Disclosure Agreement before sharing a password-protected participants list through email for planning the workshop activities. The online registration form was launched using “AAA booking”, an NUS-approved third-party event management cloud service in Australia which has a data encryption feature. Before providing the service, AAA booking accepted the “NUS Conditions of Contract”, which includes confidentiality and personal data protection clauses. Sandy discussed the data sharing matter with Madam Wong from the Personal Data Protection Unit (PDP Unit) and obtained their support for data sharing with “Singapore XYZ Group” and “AAA booking”. Here is the consent statement of the workshop: By submitting this form, I, as a participant of the NUS Data Protection Awareness Workshop consent to National University of Singapore (NUS) through the Office of Risk Management and Compliance (ORMC) collecting, using and/or disclosing my personal data to Singapore XYZ Group and other third parties (including any third party located outside of Singapore) for the purpose of administering and managing the workshop, stated herein. | |
| 4 | Who are the people expected to register for the event? | If the registrants are under 21 years old, consent from their parent or legal guardian is required. | Consent Statement: I, ________ (name of applicant), am the parent/guardian of the above-named child participant. I hereby consent to National University of Singapore (NUS) collecting, using and/or disclosing my personal data and that of my child(ren)/ward(s) and to disclose the same to third parties (including any third party located outside of Singapore) for the purpose of [STATE ALL PURPOSE], stated herein. | Sample of Event Registration Form for Children |
| 5 | Will pictures and videos be taken of the event participants? | State the purpose of the photography and videography. A template is available for contracting photographers and videographers. | Consent Statement: I understand that photography and videography may be conducted during the event, and I consent to NUS taking photographs and videos of myself and using the same for the purposes of event reporting, marketing, publicity, and media/social media. | Photo Commission Agreement Template; Video Commission Agreement Template |
| 6 | Will the pictures and videos be shared? | If a third party is involved, the purpose must be stated and data transfer/sharing must be secure. | Consent Statement: I understand that photography and videography may be conducted during the event, and I consent to NUS taking photographs and videos of myself and using the same for the purposes of event reporting, marketing, publicity, and media/social media. I further consent to NUS disclosing such photographs and videos to third-party media entities (whether in Singapore or otherwise) for publicity purposes, and NUS may identify me by name. | |
| 7 | Will the registrants be informed of future events? | Opting in must be an optional field. There should be an opt-out field for future notifications where participants have previously opted in. | Opt-In Statement: Please tick the box below if you wish to receive information on our future [EVENTS AND UPDATES]: [ ] Yes, add me to your mailing list. | |
| 8 | How long will the personal data be kept? | All personal data should be discarded or anonymised within a reasonable time frame. | | |
| # | Points to Consider | Please Ensure | Examples | Reference |
|---|---|---|---|---|
| 1 | Was prior consent of the event participants sought for their photographs and video to be taken? | If it is a private event, prior consent should be obtained at the point of event registration. If it is an event open to the public (i.e. with little or no restriction on entry), a notification must be displayed at the points of entry. | Private event, e.g. President and Senior Management (PSM) meeting. Open-to-public event, e.g. NUS Commencement, NUS Open Day. | |
| 2 | Is the venue suitable for placement of signage? | Inform participants of the presence of official event photographers and/or videographers and of their purpose, for example by putting up signage around the venue, or by having the host make an announcement to the participants. | “Please be aware that NUS authorised personnel may take photographs and videos of you during this event. Such photographs and videos may be used by NUS for their respective marketing and publicity purposes in print, electronic and social media. Additionally, NUS may identify attendees by name in such media. Should you have any questions, please contact our staff at the reception area.” | Office of Student Affairs Event notification poster |
| # | Points to Consider | Please Ensure | Examples | Reference |
|---|---|---|---|---|
| 1 | Is this an NUS event, or a non-NUS event that NUS is promoting? | The entity responsible for the event must be made clear to the recipient before they click on the link. The entity that owns the event registration portal should also be made clear to the recipient. | Notice 1: Please note that by clicking on the link, you will be directly forwarded to a third party independent site, which is not developed nor maintained by Yale-NUS College (an autonomous college within National University of Singapore). The website could be subject to data protection and privacy practices and you are encouraged to examine them before proceeding to share your personal data. Notice 2: Please note that by clicking on the link, you will be directly forwarded to a third party independent site, which is not developed nor maintained by Yale-NUS College (an autonomous college within National University of Singapore). The website could be subject to data protection and privacy practices and you are encouraged to examine them before proceeding to share your personal data. NUS will collect, use and/or disclose the personal data submitted through this third party independent site for the purpose of scheduling, processing, administration and/or management of the event. | |
E-Platforms
If you are seeking consent, you have to state the:
(a) overall purpose of the personal data
(b) personal data that will be collected (including video recordings)
(c) use of the personal data (including non-NUS third parties that will make use of the data)
It is best practice to include a contact email for any enquiries.
If you are notifying only, and there is a legitimate reason why personal data is required (e.g. proctoring of exams):
Adequate notification must be given as to why personal data/videos must be collected/taken. An email address or contact number should be made readily available for clarification.
If you are notifying only, but personal data is not required (e.g. recording of live sessions with no audience interaction):
State why the recording(s) of the session(s) is required. You must also state what participants can do if they do not consent to their personal data/video being captured in the recording.
If personal data is captured during the recording, you will have to inform the individual of its purpose, and also instruct the individual not to make any screen captures of their own.
For example:
Recording and Photography Disclaimer
Do note that the 1st line is the notification, and the 2nd line is the disclaimer.
___________
There may be screen captures or recordings of this event. ZZ Department may use these screen captures for XXX purposes and use recordings for YYY purposes only.
ZZ Department will not be responsible for the actions of third parties’ capture and use of images taken at the event without the approval of ZZ Department. Recordings made with the permission of ZZ Department should not be edited or distributed without the prior consent of ZZ Department.
Please contact ZZ Department at (email of ZZ Department) for more information.
IT Related Solutions
| # | Points to Consider | Please Ensure | Examples | Reference |
|---|---|---|---|---|
| 1 | Is the cloud solution an existing assessed cloud service provider? | Check the IT Cloud Policy SharePoint site for existing assessed cloud service providers. If the department is not sourcing from an existing assessed cloud service provider, check the NUS IT Cloud Policy SharePoint for details on how to complete a Cloud Service Provider (CSP) assessment of the cloud service you have in mind before subscribing. NUS IT will advise on the necessary steps before the form is passed to ORMC for our support on the portions dealing with personal data. | NUS Cloud Policy, under “assessed cloud services” | – |
| 2 | What personal data is going to be collected, processed or transferred out by the system? | List the personal data that will be collected by the system. Personal data is not limited to “basic” fields such as name, gender or email address; it includes any other personally identifying information, i.e. information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual. | Name, identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. | – |
| 3 | Where is the personal data stored in the cloud? | PDPA transfer limitation obligation: ensure the server is located in a country where data protection standards are comparable to Singapore’s. | US, Canada, EU Member States, Japan, Australia and Singapore. | – |
| Personal Data Obligations | Public Information | NUS Student Information |
|---|---|---|
| | Is consent sought from the public prior to any personal data being downloaded into the cloud system? | Do not duplicate information that already exists in current NUS systems. Consent, purpose and notification should be limited to the critical data fields; otherwise, the existing NUS Data Owners must be made aware of a possible duplicate of the student data. |
| | Is the public aware of the purpose of the collection of the listed personal data? Is the business owner limiting the data collected to only what is needed to fulfil the purpose of the collection? | |
| | How is the customer informed of the above two obligations? | |
| | Is the system designed to ensure data is accurately collected? | How is the system administrator/user going to resolve differences between the personal data provided via the system and the existing student database, e.g. if the name is different? |
| | Access: How is the system administrator/user going to be aware of (or verify) whether it is the same person who asked for/provided information previously? Correction: How are you going to change the information if the person claims they provided information wrongly previously? | Access: How is the system administrator/user going to verify (without 2FA) that the student is indeed our student before giving out further information, e.g. the way banks, telcos, etc. ask various questions for authentication? Correction: If there is a difference between what the system has collected and the existing student database, how do you go about making the correction? |
| | How long are you going to store the various data provided? It has to be reasonable to a typical person. If the data is provided by a member of the public from the EU, how are you going to delete the information before the end of the retention period, assuming it is a reasonable request? (Note: GDPR right to be forgotten.) | If the system is storing personal data, what is the practice for deletion of the data? The data can only be retained for a reasonable period of time, i.e. it is deleted when it no longer serves a purpose. |
| | Ensure the personal information is not passed to any third party unless prior consent is given. | Ensure the personal information is not passed to any third party unless prior consent is given. |
| | NUS IT Security assesses this part to ensure security standards are sufficient. | NUS IT Security assesses this part to ensure security standards are sufficient. |
| | The business owner is accountable for all processes mentioned above, and for reporting if there is a data breach incident or when queried by a member of the public. | The business owner is accountable for all processes mentioned above, and for reporting if there is a data breach incident. |
Data Sharing with External Party
| # | Points to Consider | Please Ensure | Examples |
|---|---|---|---|
| 1 | Is the request part of an existing relationship with a vendor or third party, i.e. is the request valid? | The existing contract with the vendor contains clauses clearly describing the vendor’s responsibilities for the use and protection of the requested personal data. Otherwise, a separate Non-Disclosure Agreement should be signed with the vendor. Only in exceptional cases is it allowable for a confidentiality undertaking to be given to the vendor instead. See the NUS IT Data Management Policy (para 4.4.5, pages 16-17) and the Guidelines on Use, Classification and Protection of University Data (para D, pages 6-13) for more details. | – |
| 2 | How should the personal data be protected when transferring it to the vendor or third party? | All personal data is classified as NUS Confidential. See the Guidelines on Use, Classification and Protection of University Data (para E) for details on what you need to do to protect the personal data shared with a third party. | – |
| 3 | Are photos and videos part of the request? | Ensure that identifiable subjects in the photos/videos have given their consent for the photos/videos to be shared. Ensure the external party has an existing contract or agreement with NUS that clearly describes NUS’ rights to the photos/videos and the duties and responsibilities of the external party in handling the photos/videos. | – |
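Item 4 of the sharing guidelines in the Events section (encrypt personal data before sending it to a third party electronically) and question 2 of the table above both say "protect the data in transit" without showing a mechanism. The Go program below is an added example, not NUS code and not any NUS-approved tool, showing one sound way to do it: the sender encrypts the exported participants list with AES-256-GCM under a freshly generated key, emails only the ciphertext, and passes the key to the recipient over a different channel (read out by phone, or a separate messaging system). The participants list is constructed sample data with fictitious people, and the function names are the example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// GenerateKey returns a fresh random 256-bit key for one transfer.
// The key goes to the recipient over a separate channel, never in the
// same email as the encrypted file.
func GenerateKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts plaintext with AES-256-GCM and returns
// base64(nonce || ciphertext || tag), a text blob that can be attached
// to or pasted into an email.
func Seal(key, plaintext []byte) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	// Seal appends ciphertext and tag after the nonce, so the nonce is prefixed.
	sealed := aead.Seal(nonce, nonce, plaintext, nil)
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// Open decrypts what Seal produced. Truncation, a flipped byte or the wrong
// key all fail the GCM tag check and return an error instead of garbage.
func Open(key []byte, encoded string) ([]byte, error) {
	sealed, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, nil)
}

func main() {
	// Constructed sample participants list (fictitious people), as exported by the sender.
	participants := []byte("name,email,phone\nA. Tan,a.tan@example.com,+65 0000 0001\nB. Lim,b.lim@example.com,+65 0000 0002\n")

	key, err := GenerateKey()
	if err != nil {
		panic(err)
	}
	blob, err := Seal(key, participants)
	if err != nil {
		panic(err)
	}
	fmt.Println("attach to the email:", blob)
	fmt.Println("pass on by a separate channel:", base64.StdEncoding.EncodeToString(key))

	// Recipient side: same key, recovers the list.
	plain, err := Open(key, blob)
	if err != nil {
		panic(err)
	}
	fmt.Printf("recipient recovers %d bytes\n", len(plain))

	// A single altered byte in transit is detected and rejected, not decrypted.
	raw, _ := base64.StdEncoding.DecodeString(blob)
	raw[len(raw)-1] ^= 0x01
	if _, err := Open(key, base64.StdEncoding.EncodeToString(raw)); err != nil {
		fmt.Println("tampered file rejected:", err)
	}
}
```

The authentication tag is what makes this more than confidentiality: a list that was truncated, altered in transit or opened with the wrong key is rejected rather than silently read. A "password-protected" office document or archive, as in the Sandy example, gives comparable protection only if the product actually encrypts with a modern cipher, and in every case the password or key must not travel in the same email as the file.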
| # | Points to Consider | Please Ensure | Examples |
|---|---|---|---|
| 1 | Is there personal data involved? | If personal data is involved, please contact NUS IT Care and follow the NUS IT Security Incidents Reporting Process. At the same time, please contact the Personal Data Protection Unit. We will help to assess the impact of the incident and advise on the immediate actions to be taken as well as further actions. The principle to abide by is to limit the harm (if any) brought about by the wrongly shared data. | – |
Research and Surveys
| # | Points to Consider | Please Ensure | Examples |
|---|---|---|---|
| 1 | Is this formal research that will be published, or a simple survey to gather data? | If it is a simple survey, collect only the personal data necessary for the purposes of the survey; the principle of data minimisation applies. If it is formal research, a separate process must be followed. Please read more at http://nus.edu.sg/research/rcio. | – |
| 2 | Has the research project proposal been reviewed by an ethics research body? | The research project must first be reviewed by the NUS-IRB or DSRB. Once approved, you may approach us with your personal data related queries. | – |