Advisories on Collection of Personal Data for COVID-19 Contact Tracing and Use of SafeEntry

Quicklinks:

i. Advisory on Collection of Personal Data for COVID-19 Contact Tracing
ii. Advisory for Premise Owners
iii. Advisory for Employers


i. Advisory on Collection of Personal Data for COVID-19 Contact Tracing

Organisations may collect personal data of visitors to premises for purposes of contact tracing and other response measures in the event of an emergency, such as during the outbreak of the coronavirus disease 2019 (COVID-19).

In the event of a COVID-19 case, relevant personal data can be collected, used and disclosed without consent during this period to carry out contact tracing and other response measures, as this is necessary to respond to an emergency that threatens the life, health or safety of other individuals.

As organisations may require national identification numbers to accurately identify individuals in the event of a COVID-19 case, organisations may collect visitors' NRIC, FIN or passport numbers for this purpose. 

Organisations that collect such personal data must comply with the Data Protection Provisions of the PDPA, such as making reasonable security arrangements to protect the personal data in their possession from unauthorised access or disclosure, and ensuring that the personal data is not used for other purposes without consent or authorisation under the law.

The PDPC has developed a notice to inform visitors that personal data would be collected during the outbreak of COVID-19 for contact tracing purposes. Organisations that would like to make use of the notice may access the following:

Notice for Collection of Personal Data for Contact Tracing

The PDPC would also like to highlight that there have been reports of scammers impersonating MOH contact tracing officers and requesting financial information from individuals. Members of the public are advised to verify the authenticity of the phone calls with the MOH hotline (6325 9220) if they have doubts about the caller's identity.

 

ii. Advisory for Premise Owners

Your organisation may be required to implement the Government-developed SafeEntry system for visitors entering your premises (e.g. malls, supermarkets, wet markets, healthcare facilities, nursing homes, schools and educational institutes) for Government’s contact tracing purposes [1]. You may also deploy safe management measures such as temperature screening, crowd management and safe distancing at your premises.

Can I collect personal data?

Under the PDPA, your organisation may collect the personal data (including NRIC, FIN or passport numbers) of individuals for purposes of COVID-19 response measures, as this is necessary to respond to an emergency that threatens the life, health or safety of other individuals.

a. Implementing SafeEntry at Premises

Collection of personal data for Government’s contact tracing purposes should only be done through the use of SafeEntry. The data collected will only be stored in Government’s servers and used for contact tracing purposes by the Government. When implementing SafeEntry, you should put in place measures to ensure the safe and secure collection of personal data.

Are devices deployed secure?

If you are deploying devices (e.g. smartphones, tablets, etc.) for SafeEntry [2], you should consider the following:

  • As far as possible, use a dedicated device to collect the personal data [3]. The device should not be used for any other purposes, including accessing other websites. If possible, do a factory reset before using the device for the collection of data (note: this will delete all data in the device). 
  • Do not install unnecessary apps on the device. Ensure that there are no apps that can perform screen recording on the devices.
  • Turn off the web browser’s autocomplete/autofill function so that users cannot see what others have typed into the form previously.
  • Regularly check the device to ensure that it is scanned for viruses and malware, and that it has not been jailbroken. Ensure that the device operating software (OS) is updated regularly.
  • Only allow authorised personnel to have access to the device. Enable lock screen when the device is not in use, and use password or biometric protection for device login.

Are there processes for data collection?

You should also put in place administrative processes and controls to ensure the proper collection of visitors’ personal data for SafeEntry. These include:

  • Verifying that the QR codes placed along the queue are accurate before making them available for use by visitors (e.g. test each QR code to confirm that it leads to a *.gov.sg webpage). Check periodically that they have not been tampered with.
  • Ensuring the personal data collected is not exposed to other visitors (e.g. projected on screens or read aloud by personnel assisting visitors with data entry).
  • Ensuring the relevant personnel are briefed on the proper procedures for collecting personal data.
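
One way to carry out the QR code check above on a batch of scanned codes, as an added example that is not part of the PDPC advisory. It inspects only the URL encoded in each code (it does not follow redirects), and the location names, hostnames and URLs are constructed for illustration; decoding the QR image itself is assumed to be done by a separate scanner.

```python
from urllib.parse import urlsplit

ALLOWED_SUFFIX = ".gov.sg"  # the advisory's criterion: a *.gov.sg webpage

def check_qr_payload(payload: str) -> tuple[bool, str]:
    """Return (ok, reason) for the text decoded from one QR code."""
    try:
        parts = urlsplit(payload.strip())
        host = (parts.hostname or "").rstrip(".")
        parts.port  # accessing it raises ValueError on a malformed port
    except ValueError:
        return False, "not a parseable URL"
    if parts.scheme != "https":
        return False, "scheme is not https"
    if parts.username is not None or parts.password is not None:
        return False, "URL carries userinfo before the host"
    labels = host.split(".")
    if not host.isascii() or any(l.startswith("xn--") for l in labels):
        return False, "non-ASCII or punycode host label"
    # Match on the parsed host, never on the raw string: "gov.sg" may
    # appear in a path, in userinfo, or as a prefix of another domain.
    if "" in labels or not host.endswith(ALLOWED_SUFFIX):
        return False, f"host {host!r} is not under gov.sg"
    return True, "ok"

def audit_posted_codes(decoded: dict[str, str], baseline: dict[str, str]) -> dict[str, str]:
    """Compare each posted code with the URL recorded when it was first verified."""
    findings = {}
    for location, payload in decoded.items():
        ok, reason = check_qr_payload(payload)
        if not ok:
            findings[location] = f"REPLACE: {reason}"
        elif payload.strip() != baseline.get(location):
            findings[location] = "REPLACE: differs from the URL recorded at deployment"
        else:
            findings[location] = "ok"
    return findings

# Constructed sample data: URLs recorded at deployment vs. URLs scanned today.
BASELINE = {loc: "https://checkin.example.gov.sg/venue/CONSTRUCTED-001"
            for loc in ("entrance-a", "queue-marker-2", "lift-lobby")}
DECODED = {
    "entrance-a": "https://checkin.example.gov.sg/venue/CONSTRUCTED-001",
    "queue-marker-2": "https://checkin.example.gov.sg.visitor-form.example/venue/CONSTRUCTED-001",
    "lift-lobby": "https://checkin.example.gov.sg/venue/CONSTRUCTED-999",
}

if __name__ == "__main__":
    for location, finding in audit_posted_codes(DECODED, BASELINE).items():
        print(f"{location}: {finding}")
```

The baseline comparison catches a replaced code that still points at a gov.sg address but at a different page from the one originally verified.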

b. Implementing Other Safe Management Measures at Premises

Besides SafeEntry, you may deploy safe management solutions, such as temperature screening/recording systems, crowd counting/management solutions and safe distancing technologies [4] at your premises. 

Is personal data collected?

Where possible, deploy solutions that do not collect personal data. For instance, your organisation may deploy temperature scanners to check visitors’ temperature without recording their temperature readings, or crowd management solutions that only detect or measure distances between human figures without collecting facial images. Where no personal data is collected, the PDPA’s Data Protection Provisions do not apply. 

Where personal data is collected (e.g. facial images are captured using security camera systems), you should put in place measures to minimise the type/amount of personal data collected and to protect it, including:

  • Update your policies so that CCTV/video footage continues to be protected.
  • Ensure that only authorised personnel can access the personal data for purposes of contact tracing or safe management of premises. Provide clear instructions on who can approve the disclosure of such data. 
  • Provide training to all personnel so that they are familiar with the policies relevant to their roles. 

Can I manually record personal data?

Should you wish to manually record the personal data of visitors or contractors at your premises to supplement the use of digital solutions, you should take note of the following:

  • Ensure the personal data collected is not exposed to other visitors (e.g. leaving physical logbooks or forms containing visitors’ personal data exposed at registration areas). 
  • Ensure the personal data collected is protected (e.g. under supervision by staff on duty, or under lock and key when no one is watching over it).

What happens if there is a COVID-19 case? 

In the event of a COVID-19 case, the Government may disclose personal data to your organisation to assist in its contact tracing efforts. You must ensure such personal data is used only to facilitate Government’s contact tracing efforts, and there is no improper use or disclosure of the personal data (e.g. divulging personal data of confirmed COVID-19 cases to employees, tenants or members of the public).

Your organisation may also provide personal data collected of individuals at your premises to the Government when required for contact tracing purposes.

[1] The list of venues/facilities which must adopt the use of SafeEntry can be found at www.safeentry.gov.sg/deployment.

[2] You will need to use a device for SafeEntry NRIC. A device may also be needed for visitors or contractors without their own devices to use SafeEntry QR.

[3] If this is not possible, organisations should ensure that the device used is secure and capable of safeguarding the personal data adequately.

[4] For example, pre-approved solutions under IMDA’s SME Go Digital Programme. More information can be found at www.imda.gov.sg/bizgodigital.

 

iii. Advisory for Employers

As an employer, you may be required to implement the Government-developed SafeEntry system for employees entering your workplace (e.g. offices, factories and educational institutes) for Government’s contact tracing purposes. You may also deploy safe management measures such as temperature screening, crowd management and safe distancing at your workplace.

Can I collect personal data?

Under the PDPA, your organisation may collect personal data of individuals for purposes of COVID-19 response measures, as this is necessary to respond to an emergency that threatens the life, health or safety of other individuals. 

As an employer, you may also collect personal data of employees when implementing safe management measures at the workplace, as this is reasonable for managing the employment relationship.

Personal data collected for these purposes should not be used or disclosed for any other purposes, unless consent is obtained for such purposes or it is authorised under the law. You should also put in place security and access controls to protect the personal data.

a. Implementing SafeEntry at Workplaces

Collection of personal data for Government’s contact tracing purposes should only be done through the use of SafeEntry. The data collected will only be stored in Government’s servers and used for contact tracing purposes by the Government. When implementing SafeEntry, you should put in place measures to ensure the safe and secure collection of personal data.

Are devices deployed secure?

If you are deploying devices (e.g. smartphones, tablets, etc.) for SafeEntry [1], you should consider the following to ensure the safe and secure collection of personal data:

  • As far as possible, use a dedicated device to collect the personal data [2]. The device should not be used for any other purposes, including accessing other websites. If possible, do a factory reset before using the device for the collection of data (note: this will delete all data in the device). 
  • Do not install unnecessary apps on the device. Ensure that there are no apps that can perform screen recording on the devices.
  • Turn off the web browser’s autocomplete/autofill function so that users cannot see what others have typed into the form previously.
  • Regularly check the device to ensure that it is scanned for viruses and malware, and that it has not been jailbroken. Ensure that the device operating software (OS) is updated regularly.
  • Only allow authorised personnel to have access to the device. Enable lock screen when the device is not in use, and use password or biometric protection for device login.

b. Implementing Safe Management Measures at Workplaces

Besides SafeEntry, you may deploy safe management solutions, such as temperature screening/recording systems, crowd counting/management solutions and safe distancing technologies [3] at the workplace. Some of these may be in the form of mobile applications. 

You may encourage your employees to download and use the Government-developed TraceTogether app to support the Government’s contact tracing efforts. Data recorded by TraceTogether is stored on the user’s device, and is only uploaded to MOH when it requires the data.

Can I deploy devices for the use of apps by employees?

If you are permitting employees to use contact tracing or safe management apps on organisation-issued devices, you should:

  • Update your organisation’s IT policy to include the installation and use of the apps on organisation-issued devices. 
  • Regularly remind employees to ensure that the most updated version of the apps is installed.
  • Ensure that organisation-issued devices are updated with the latest security patches, and that security software is used to complement the use of the apps.

If you are permitting employees to install and run organisation-supplied apps on their own personal devices, you should:

  • Implement BYOD policies to govern the installation and use of organisation-supplied apps on employees’ personal devices.

Is personal data collected?

Where possible, deploy solutions that do not collect personal data. For instance, your organisation may deploy crowd counting or safe distancing solutions on top of your security camera system that only detect or measure distances between human figures without collecting facial images. Where no personal data is collected, the PDPA’s Data Protection Provisions do not apply. 

Where personal data is collected (e.g. temperature readings with facial images of employees), you should put in place measures to minimise the type/amount of personal data collected and to protect it, including:

  • Update your policies so that CCTV/video footage continues to be protected.
  • Ensure that only authorised personnel can access the personal data for contact tracing or safe workplace management. Provide clear instructions on who can approve the disclosure of such data. 
  • Provide training to all personnel so that they are familiar with the policies relevant to their roles. 

What happens if there is a COVID-19 case? 

In the event of a COVID-19 case, the Government may disclose personal data to your organisation to assist in its contact tracing efforts. You must ensure such personal data is used only to facilitate Government’s contact tracing efforts, and there is no improper use or disclosure of the personal data (e.g. divulging personal data of confirmed COVID-19 cases to other employees or members of the public).

Your organisation may also provide personal data of employees to the Government when required for contact tracing purposes.

[1] Your organisation will need to use a device for SafeEntry NRIC. A device may also be needed for employees without their own devices to use SafeEntry QR.

[2] If this is not possible, organisations shall ensure that the device used is secure and capable of safeguarding the personal data adequately.

[3] For example, pre-approved solutions under IMDA’s SME Go Digital Programme. More information can be found at www.imda.gov.sg/bizgodigital.