Advisories on Collection of Personal Data for COVID-19 Contact Tracing and Use of SafeEntry


Information correct as at 21 July 2021.

i. General Advisory

Organisations may collect personal data of visitors to premises for purposes of contact tracing and other response measures in the event of an emergency, such as during the outbreak of the coronavirus disease 2019 (COVID-19).

In the event of a COVID-19 case, relevant personal data, including NRIC, can be collected, used and disclosed without consent during this period to carry out contact tracing and other response measures, as this is necessary to respond to an emergency that threatens the life, health or safety of other individuals.

Organisations that collect such personal data must comply with the Data Protection Provisions of the PDPA, such as making reasonable security arrangements to protect the personal data in their possession from unauthorised access or disclosure, and ensuring that the personal data is not used for other purposes without consent or authorisation under the law.

The PDPC has developed a notice to inform visitors that personal data would be collected during the outbreak of COVID-19 for contact tracing purposes. Organisations that would like to make use of the notice may access the following:

Notice for Collection of Personal Data for Contact Tracing

The PDPC would also like to highlight that there have been reports of scammers impersonating MOH contact tracing officers and requesting financial information from individuals. Members of the public are advised to verify the authenticity of the phone calls with the MOH hotline (6325 9220) if they have doubts about the caller's identity.

ii. Advisory for Premise Owners

a. Implementing TraceTogether-only SafeEntry at Premises

From 17 May 2021, contact tracing will be further strengthened through the implementation of TraceTogether-only SafeEntry check-in (i.e., either via the TraceTogether App or token) [1], which replaces the previous SafeEntry check-in. The data collected will only be stored in the Government’s servers. In such instances, venue operators will be able to collect personal data without consent as the vital interests exception will apply.

The collection of NRIC numbers for checking into venues will be accepted until 31 May 2021. Starting from 1 June 2021, venue operators may still manually key visitors' NRIC, FIN or passport numbers into, or scan the barcode of the national identification cards against, the SafeEntry (Business) App/web version under the following extenuating circumstances at their discretion:

  1. Short-term visitors to Singapore who are unable to register or use the TraceTogether App
  2. TraceTogether App users unable to check in with the venue’s SE QR
  3. TraceTogether App users with a mobile phone that is out of battery
  4. Users causing significant inconvenience to the rest of the patrons while attempting to check in

Viewing the SafeEntry Check-in Pass in order to meet organisations’ safe management obligations under the COVID-19 (Temporary Measures) (Control Orders) Regulations 2020 is a reasonable and appropriate purpose permitted under the Personal Data Protection Act. Organisations cannot demand that visitors disclose other information from the TraceTogether App as a condition for entry.

How to secure devices deployed?

Premise owners/venue operators can either download the SafeEntry (Business) App to use the SEGW function, or set up the SEGW Box. If you are deploying devices (e.g. smartphones, tablets, etc.) for the SafeEntry (Business) App, you should consider the following:

  • As far as possible, use a dedicated device to collect the personal data. The device should not be used for any other purposes, including accessing other websites. If possible, do a factory reset before using the device for the collection of data (note: this will delete all data in the device). 
  • Do not install unnecessary apps on the device. Ensure that there are no apps that can perform screen recording on the devices.
  • Turn off the web browser’s autocomplete/autofill function so that users cannot see what others have typed into the form previously.
  • Regularly check the device to ensure that it is scanned for viruses and malware, and that it has not been jailbroken. Ensure that the device operating system (OS) is updated regularly.
  • Only allow authorised personnel to have access to the device. Enable lock screen when the device is not in use, and use password or biometric protection for device login.

What processes should be in place for responsible data collection?

Premise owners/venue operators should put in place administrative processes and controls to ensure the proper collection of visitors’ personal data for TraceTogether-only SafeEntry. These include:

  • Verifying that the QR codes placed along the queue are accurate before making them available for use by visitors (e.g. test the QR code to confirm that it leads to the TraceTogether app). Check periodically that they have not been tampered with.
  • Ensuring the personal data collected is not exposed to other visitors (e.g. projected on screens or read aloud by personnel assisting visitors with data entry).
  • Ensuring the relevant personnel are briefed on the proper procedures for collecting personal data.
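
The periodic QR check in the first bullet above amounts to comparing what each posted code decodes to against what was recorded when it was installed. The following is an added example, not PDPC or SafeEntry code: the checkin.example host, the location names and all payloads are constructed placeholders, and decoding the QR image to text is assumed to be done by a scanner app.

```python
from urllib.parse import urlsplit

def canonical(payload):
    """Reduce a decoded QR payload to (host, port, path, query), or None if unusable."""
    try:
        parts = urlsplit(payload.strip())
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.scheme != "https" or not parts.hostname:
        return None
    if parts.username is not None or parts.password is not None:
        return None  # "user@host" form: the text before "@" is not the real host
    host = parts.hostname.rstrip(".").lower()
    return (host, port or 443, parts.path or "/", parts.query)

def audit_qr_codes(baseline, scans):
    """Compare rescanned payloads with the payloads recorded at installation.

    baseline, scans: dict mapping a posting location to its decoded QR text.
    Returns a dict mapping each location to OK / CHANGED / INVALID / MISSING / UNREGISTERED.
    """
    report = {}
    for location, expected in baseline.items():
        seen = scans.get(location)
        if seen is None:
            report[location] = "MISSING"        # code removed or unreadable
        elif canonical(seen) is None:
            report[location] = "INVALID"        # not a plain https URL
        elif canonical(seen) != canonical(expected):
            report[location] = "CHANGED"        # sticker overlaid or swapped
        else:
            report[location] = "OK"
    for location in scans.keys() - baseline.keys():
        report[location] = "UNREGISTERED"       # a code nobody recorded installing
    return report

# Constructed sample data (placeholder host and location identifiers).
BASELINE = {
    "entrance-A": "https://checkin.example/v/LOC-0001",
    "queue-3": "https://checkin.example/v/LOC-0002",
    "lift-lobby": "https://checkin.example/v/LOC-0003",
}
SCANS = {
    "entrance-A": "HTTPS://Checkin.Example./v/LOC-0001",   # same URL, different spelling
    "queue-3": "https://checkin.example@other.invalid/v/LOC-0002",
    "lift-lobby": "https://checkin-example.invalid/v/LOC-0003",
    "pillar-9": "https://checkin.example/v/LOC-0009",
}

if __name__ == "__main__":
    for location, status in sorted(audit_qr_codes(BASELINE, SCANS).items()):
        print(f"{location:12} {status}")
```

Any status other than OK is a prompt to inspect the physical code at that location before visitors continue to use it.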

b. Implementing Other Safe Management Measures at Premises

Besides the TraceTogether token or App, you may deploy safe management measures, such as temperature screening systems, crowd counting/management measures and safe distancing technologies at your premises. 

However, deploy measures that do not collect personal data. For instance, your organisation may deploy temperature scanners to check visitors’ temperature without recording their temperature readings, or crowd management solutions that only detect or measure distances between human figures without collecting facial images. Where no personal data is collected, the PDPA’s Data Protection Provisions do not apply. 

Can I manually record personal data? 

Premise owners/venue operators can manually enter the national identification numbers into the SafeEntry (Business) App/web version. There is no need for venue operators to separately record the personal data of visitors or contractors at your premises to supplement the use of the SafeEntry (Business) App/web version.

What happens if there is a COVID-19 case? 

In the event of a COVID-19 case, the Government may disclose personal data to your organisation to assist in its contact tracing efforts. You must ensure such personal data are used only to facilitate the Government’s contact tracing efforts, and there is no improper use or disclosure of the personal data (e.g. divulging personal data of confirmed COVID-19 cases to employees, tenants or members of the public).

Your organisation may also provide personal data collected of individuals at your premises to the Government when required for contact tracing purposes.

[1] The list of venues/facilities which must adopt the use of TraceTogether-only SafeEntry can be found at www.safeentry.gov.sg/deployment.

iii. Advisory for Employers

a. Implementing TraceTogether-only SafeEntry at Workplace

From 17 May 2021, contact tracing will be further strengthened through the implementation of TraceTogether-only SafeEntry check-in (i.e., either via the TraceTogether App or token) [1], which replaces the previous SafeEntry check-in. As an employer, you are required to implement the Government-developed TraceTogether-only SafeEntry for employees entering your workplace (e.g. offices, factories and educational institutes). The data collected will only be stored in the Government’s servers.

The collection of national identification cards for checking into workplaces will be accepted until 31 May 2021. Starting from 1 June 2021, venue operators may still manually key visitors' NRIC, FIN or passport numbers into, or scan the barcode of the national identification cards against, the SafeEntry (Business) App/web version under the following extenuating circumstances at their discretion:

  1. Short-term visitors to Singapore who are unable to register or use the TraceTogether App
  2. TraceTogether App users unable to check in with the venue’s SE QR
  3. TraceTogether App users with a mobile phone that is out of battery
  4. Users causing significant inconvenience to the rest of the patrons while attempting to check in

Can employers conduct audits/checks on the information displayed within the TraceTogether App?  

The features of the TT App are intended for the user’s own reference or for the Government’s contact tracing purposes. 

Employers can view the SafeEntry Check-in Pass on the App to verify that staff have checked in to SafeEntry when entering the workplace. For all other information on the App, employers should seek the consent of their staff to give the additional information. Employers should communicate the reasons for seeking the additional information and what they will be using the information for. Moreover, employers should not conduct intrusive checks of employees’ personal devices to obtain such personal information.

How to secure devices deployed?

Employers can either download the SafeEntry (Business) App to use the SEGW function, or set up the SEGW Box for employees’ entry into workplaces. If you are deploying devices (e.g. smartphones, tablets, etc.) or the SafeEntry (Business) App, you should consider the following to ensure the safe and secure collection of personal data:

  • As far as possible, use a dedicated device to collect the personal data. The device should not be used for any other purposes, including accessing other websites. If possible, do a factory reset before using the device for the collection of data (note: this will delete all data in the device). 
  • Do not install unnecessary apps on the device. Ensure that there are no apps that can perform screen recording on the devices.
  • Turn off the web browser’s autocomplete/autofill function so that users cannot see what others have typed into the form previously.
  • Regularly check the device to ensure that it is scanned for viruses and malware, and that it has not been jailbroken. Ensure that the device operating system (OS) is updated regularly.
  • Only allow authorised personnel to have access to the device. Enable lock screen when the device is not in use, and use password or biometric protection for device login.

b. Implementing Safe Management Measures at Workplaces

Besides the TraceTogether token or App, you may deploy safe management measures, such as temperature screening systems, crowd counting/management measures and safe distancing technologies at your premises. 

However, deploy measures that do not collect personal data. For instance, your organisation may deploy temperature scanners to check visitors’ temperature without recording their temperature readings, or crowd management solutions that only detect or measure distances between human figures without collecting facial images. Where no personal data is collected, the PDPA’s Data Protection Provisions do not apply. 

Can I deploy my own devices for the use of apps by employees?

If you require employees to use other contact tracing or safe management apps on organisation-issued devices, on top of the TraceTogether-only SafeEntry, you should:

  • Update your organisation’s IT policy to include the installation and use of the apps on organisation-issued devices. 
  • Regularly remind employees to ensure that the most updated version of the apps is installed.
  • Ensure that organisation-issued devices are updated with the latest security patches, and that security software is used to complement the use of the apps.

If you are permitting employees to install and run organisation-supplied apps on their own personal devices, you should:

  • Implement BYOD policies to govern the installation and use of organisation-supplied apps on employees’ personal devices.

What happens if there is a COVID-19 case? 

In the event of a COVID-19 case, the Government may disclose personal data to your organisation to assist in its contact tracing efforts. You must ensure such personal data is used only to facilitate the Government’s contact tracing efforts, and there is no improper use or disclosure of the personal data (e.g. divulging personal data of confirmed COVID-19 cases to other employees or members of the public).

Your organisation may also provide personal data of employees to the Government when required for contact tracing purposes.

[1] The list of venues/facilities which must adopt the use of TraceTogether-only SafeEntry can be found at www.safeentry.gov.sg/deployment.