PDPC issues advisories on collection of personal data for Covid-19 contact tracing and use of SafeEntry

10 June 2020

The Personal Data Protection Commission (“PDPC”) has issued advisories on the collection of personal data for Covid-19 contact tracing and use of the Government-developed SafeEntry system:

  1. Advisory on Collection of Personal Data for Covid-19 Contact Tracing 
  2. Advisory for Premise Owners
  3. Advisory for Employers

The advisories provide organisations, owners of premises (“owners”) and employers with information on implementing the SafeEntry system and safe management measures at premises/workplaces, including details on collecting personal data with devices in a safe and secure manner, implementing administrative processes and controls, minimising the type/amount of personal data collected, protecting collected personal data and using personal data received from the Government.

This article discusses the second and third advisories for owners and employers together as they cover some common areas.

1.  Advisory on Collection of Personal Data for Covid-19 Contact Tracing

The first PDPC advisory provides that organisations may collect personal data of visitors to premises for purposes of contact tracing and other response measures in the event of an emergency, such as the Covid-19 outbreak.

To accurately identify individuals in the event of a Covid-19 case, organisations may collect visitors' National Registration Identity Card (“NRIC”) numbers, Foreign Identity Numbers (“FIN”) or passport numbers.

In the event of a Covid-19 case, such personal data collected can be used and disclosed without consent during this period to carry out contact tracing and other response measures. This is necessary to respond to an emergency that threatens the life, health or safety of other individuals.

Organisations that collect such personal data must comply with the data protection provisions of the Personal Data Protection Act 2012 (“PDPA”), such as making reasonable security arrangements to protect the personal data in their possession from unauthorised access or disclosure, and ensuring that the personal data is not used for other purposes without consent or authorisation under the law.

PDPC has developed notice templates that organisations may use to inform visitors that personal data would be collected during the outbreak of Covid-19 for contact tracing purposes. These notice templates are available at the PDPC webpage on the advisories.

2.  Advisories for premise owners and employers

The second and third PDPC advisories set out information on the setting up of SafeEntry and other safe management measures for owners and for employers to implement at premises/workplaces for the Government’s contact tracing purposes.

Owners may be required to implement the SafeEntry system for visitors entering their premises (e.g. malls, supermarkets, wet markets, healthcare facilities, nursing homes, schools and educational institutes). The list of venues and facilities which must adopt the use of SafeEntry can be found at the SafeEntry webpage.

Employers may be required to implement the SafeEntry system for employees entering their workplace (e.g. offices, factories and educational institutes).

Safe management measures such as temperature screening, crowd management and safe distancing may also be deployed at the premises or workplaces. Information on pre-approved solutions can be found at the Infocomm Media Development Authority’s SME Go Digital Programme webpage.

The second and third PDPC advisories state that under the PDPA, owners and employers may collect personal data (including NRIC, FIN or passport numbers) of individuals for the purposes of Covid-19 response measures, as this is necessary to respond to an emergency that threatens the life, health or safety of other individuals.

For employers, the Advisory for Employers states that an employer may collect the personal data of employees when implementing safe management measures at the workplace, as this is reasonable for managing the employment relationship. Personal data collected for these purposes should not be used or disclosed for any other purpose, unless consent is obtained for any such purpose or if the employer is authorised under the law to do so. Security and access controls to protect the personal data should be put in place by employers.

a.  Implementing SafeEntry at premises/workplaces

Owners and employers should only use SafeEntry to collect personal data for the Government’s contact tracing purposes. Data collected will only be stored in the Government’s servers and used for contact tracing purposes by the Government. When implementing SafeEntry, measures should be put in place to ensure the safe and secure collection of personal data.

Secure deployed devices 

Under the second and third PDPC advisories, owners and employers should consider the following when deploying devices (e.g. smartphones, tablets) for SafeEntry:

  • As far as possible, use dedicated devices to collect the personal data. The devices should not be used for any other purposes, including accessing other websites. If possible, do a factory reset before using the devices for the collection of data, which the advisories highlight will delete all data in the device. If using a dedicated device is not possible, the device used must be secure and capable of safeguarding the personal data adequately.
  • Do not install unnecessary applications on the devices. Ensure that there are no applications that can perform screen recording on the devices. 
  • Turn off the autocomplete/autofill function on internet browsers so that users cannot see information typed into the form by previous users. 
  • Regularly check the devices to ensure it is scanned for viruses and malware, and has not been jailbroken. Ensure that the device operating software (OS) is updated regularly. 
  • Only allow authorised personnel access to the devices. The lock screen should be enabled when the devices are not in use. Use password or biometric protection for device login. 

Owners should implement processes and controls for data collection  

The Advisory for Owners sets out administrative processes and controls that owners should put in place to ensure the proper collection of visitors’ personal data for SafeEntry, including:

  • Verify that the QR codes placed along queues are accurate before allowing visitors to scan them (e.g. test the QR code to confirm that it leads to a *.gov.sg webpage). Check periodically to ensure that the QR codes have not been tampered with. 
  • Ensure the personal data collected is not exposed to other visitors. Personal data should not be projected on screens or read aloud by staff assisting visitors with data entry. 
  • Ensure the relevant personnel are briefed on the proper procedures for collecting personal data. 

b.  Implementing other safe management measures at premises/workplaces 

Besides SafeEntry, owners and employers may deploy safe management solutions, such as temperature screening/recording systems, crowd counting/management solutions and safe distancing technologies at its premises.

The Advisory for Employers states that employers may encourage employees to download and use the Government-developed TraceTogether application to support the Government’s contact tracing efforts. Data recorded by TraceTogether is stored on the user’s device, and is only uploaded to the Ministry of Health when it requires the data.

Minimise collection of and protect personal data

Owners and employers should deploy solutions that, where possible, do not collect personal data, e.g. check the temperature of visitors without recording the temperature readings, or employ crowd management solutions that only detect or measure distances between human figures without collecting facial images. The PDPA’s data protection provisions do not apply if no personal data is collected.

Where personal data such as facial images are captured via security camera systems, owners and employers should minimise the type and amount of personal data collected and implement measures to protect such data. Some measures include the following:

  • Update policies so that CCTV and video footage continue to be protected. 
  • Ensure that only authorised persons can access the personal data for purposes of contact tracing or safe management of premises. Provide clear instructions on who can approve the disclosure of such data. 
  • Provide training to all personnel to familiarise them with the policies relevant to their roles.

Precautions for employers when deploying devices to employees to use safe management applications  

Employers should implement the following when permitting employees to use contact tracing or safe management applications on organisation-issued devices:

  • Update their organisation’s IT policy to include the installation and use of the applications on organisation-issued devices.
  • Remind employees regularly to ensure that the most updated version of the applications is installed. 
  • Ensure that organisation-issued devices are updated with the latest security patches, and that security software is used to complement the use of the applications. 

If the employer is permitting employees to install and run organisation-supplied applications on their own personal devices, the employer should implement bring-your-own-device policies to govern the installation and use of organisation-supplied applications on employees’ personal devices.

Precautions for owners when manually recording personal data 

Owners should take note of the following when manually recording personal data of visitors or contractors at premises to supplement the use of digital solutions:

  • Ensure the personal data collected is not exposed to other visitors, e.g. physical logbooks or forms containing visitors’ personal data should not be left around registration areas.
  • Ensure the personal data collected is protected. Any device or item containing personal data should be under supervision or under lock and key. 

Only use personal data received to facilitate Government’s contact tracing efforts 

In the event of a Covid-19 case, the Government may disclose personal data to an owner or employer to assist in its contact tracing efforts. Owners and employers must ensure that such personal data is used only to facilitate the Government’s contact tracing efforts, and that there is no improper use or disclosure of the personal data. Personal data of confirmed Covid-19 cases should not be divulged to employees, tenants or members of public.

An owner or employer may also provide personal data collected of individuals at their premises to the Government when required for contact tracing purposes.

Reference materials

The advisories are available on the PDPC website www.pdpc.gov.sg by clicking here.

Further information

Allen & Gledhill has a Covid-19 Resource Centre on our website www.allenandgledhill.com that contains knowhow and materials on legal and regulatory aspects of the Covid-19 crisis.

In addition, we have a cross-disciplinary Covid-19 Legal Task Force consisting of Partners across various practice areas to provide rapid assistance. Should you have any queries, please do not hesitate to get in touch with us at covid19taskforce@allenandgledhill.com.