The Data Protection Act (DPA) seems to affect every walk of life. As soon as you store information about someone else you become responsible for ensuring that their information is kept securely and used appropriately.
So how does that change the way in which you have to think about event data you ask? By running events and taking registration information about your delegates and more often than not offering catering you become party to what is classed as highly sensitive information in terms of the DPA. Someone’s dietary requirements or requirement for disabled access/parking may seem trivial to you, but to the individual it could well be something far more personal.
Delegate lists are hot property to certain people that attend events; in fact for some people the delegate list is as important as the event itself. If you plan to issue a delegate list with contact information for all those attending then you need to have everyone’s permission to do so (it’s the same with taking photos at an event). A delegate’s name, job title and organisation are the only details that you can really share without asking for permission as they are essentially in the public domain anyway. If you want people to network either ensure that they know that they need to bring business cards with them or leave a pile of blank business cards on the tables so that delegates can use them to exchange details during the event.
If you use a web based event management/registration system you can quickly and easily ensure you meet DPA guidelines by offering an opt in / opt out marketing section within the user registation profile. EventManager has this functionality already included as standard, as a high percentage of our clients work in the Public Sector. You can even market delegates direct from the application, advising them of future events that they might be interested in all within DPA guidelines as anyone that has opted out is not included within the copy list and those that are, are BCC’d so that delegates information is kept private and secure.
Here’s a sample DPA statement that I wrote a few years ago in conjunction with a DPA / FOI lawyer:
Delegate lists and Data Protection
Under the Data Protection Act delegates need to be given the opportunity to opt in/out of a list of delegates, if it is to be issued to a third party. If participants are not given the chance to opt in/out you cannot assume that it’s OK to disseminate their information.
If a delegate list is to be produced, an opt in/out tick box needs to be incorporated into the booking form, with words similar to:
‘I agree that the event organisers may pass on my details to other registered delegates for this event and am aware that I may be contacted about future [your organisation name] events. I agree that the organisers may pass on my details to any third party.’
If all Data Protection requirements are met (i.e. delegates are made aware that their information may be shared with third parties and they are given the opportunity to opt in/opt out of this) it is simply a matter for [your organisation name] to decide whether we share the information with others.
If Data Protection requirements are not met The Freedom of Information Act (FOI) should not override a delegates’ right to privacy.
Section 40 of FOI states: http://www.ico.gov.uk/documentUploads/AG%201%20personal%20info.pdf
“If the personal data is about someone other than the applicant, there is an exemption if disclosure would breach any of the Data Protection Principles. (This is the main issue explored in this guidance.) There are also some special rules to be applied in cases where the personal data is about someone who has formally objected to their disclosure. The term, “third party data,” is used to describe personal information about someone other than the applicant. “
“The term “personal data” is defined in the Data Protection Act, as amended by the Freedom of Information Act. “Personal data” is information about a living individual from which that individual can be identified. It may take any of the following forms:
• Computer input documents;
• Information processed by computer or other equipment (e.g. CCTV);
• Information in medical, social work, local authority housing or school pupil records;
• Information in some sorts of structured manual records;
• Unstructured personal information held in manual form by a public authority. “
If however Data Protection requirements have been met and necessary consent has been given then we have an obligation under FOI to provide these details to a third party if they are requested.
As a rule of thumb, [your organisation name] Events Team will not include an opt in/out option on bookings forms, unless otherwise requested by Event Commissioners. This will allow us to ensure that delegates’ details remain protected in the vast majority of cases. In the unlikely event that a request is received under FOI where Data Protection requirements have been adhered to, the Events Team will seek the appropriate advice from the [your organisation name] Legal Team.
All of the systems and processes used, designed and created by Kent House for our clients are designed to store and manage the information that cleints need to keep on their users securely, whether it be for event management or as part of a database.
If you have any queries regarding our Products and Services and how they can help you to be DPA compliant for your events delivery, please feel free to contact us at firstname.lastname@example.org or 0845 638 0700.