Advisories on Collection of Personal Data for COVID-19 Contact Tracing and Use of SafeEntry
Quicklinks:
i. Advisory on Collection of Personal Data for COVID-19 Contact Tracing
ii. Advisory for Premise Owners
iii. Advisory for Employers
iv. FAQs
Information correct as at 24 Apr 2020.
The latest advisories can be found here.
i. Advisory on Collection of Personal Data for COVID-19 Contact Tracing
In the event of a COVID-19 case, relevant personal data can be collected, used and disclosed without consent during this period to carry out contact tracing and other response measures, as this is necessary to respond to an emergency that threatens the life, health or safety of other individuals.
As organisations may require national identification numbers to accurately identify individuals in the event of a COVID-19 case, organisations may collect visitors' NRIC, FIN or passport numbers for this purpose.
Organisations that collect such personal data must comply with the Data Protection Provisions of the PDPA, such as making reasonable security arrangements to protect the personal data in their possession from unauthorised access or disclosure, and ensuring that the personal data is not used for other purposes without consent or authorisation under the law.
The PDPC has developed a notice to inform visitors that personal data would be collected during the outbreak of COVID-19 for contact tracing purposes. Organisations that would like to make use of the notice may access to the following:
Notice for Collection of Personal Data for Contact Tracing
The PDPC would also like to highlight that there have been reports of scammers impersonating MOH contact tracing officers and requesting financial information from individuals. Members of the public are advised to verify the authenticity of the phone calls with the MOH hotline (6325 9220) if they have doubts about the caller's identity.
ii. Advisory for Premise Owners
Your organisation may be required to implement the Government-developed SafeEntry system for visitors entering your premises (e.g. malls, supermarkets, wet markets, healthcare facilities, nursing homes, schools and educational institutes) for Government’s contact tracing purposes [1]. You may also deploy safe management measures such as temperature screening, crowd management and safe distancing at your premises.Can I collect personal data?
Under the PDPA, your organisation may collect the personal data (including NRIC, FIN or passport numbers) of individuals for purposes of COVID-19 response measures, as this is necessary to respond to an emergency that threatens the life, health or safety of other individuals.
a. Implementing SafeEntry at Premises
Collection of personal data for Government’s contact tracing purposes should only be done through the use of SafeEntry. The data collected will only be stored in Government’s servers and used for contact tracing purposes by the Government. When implementing SafeEntry, you should put in place measures to ensure the safe and secure collection of personal data.
Are devices deployed secure?
If you are deploying devices (e.g. smartphones, tablets, etc.) for SafeEntry [2], you should consider the following:.
- As far as possible, use a dedicated device to collect the personal data [3]. The device should not be used for any other purposes, including accessing other websites. If possible, do a factory reset before using the device for the collection of data (note: this will delete all data in the device).
- Do not install unnecessary apps on the device. Ensure that there are no apps that can perform screen recording on the devices.
- Turn off the web browser’s autocomplete/autofill function so that users cannot see what others have typed into the form previously.
- Regularly check the device to ensure that it is scanned for viruses and malware, and that it has not been jailbroken. Ensure that the device operating software (OS) is updated regularly.
- Only allow authorised personnel to have access to the device. Enable lock screen when the device is not in use, and use password or biometric protection for device login.
Are there processes for data collection?
You should also put in place administrative processes and controls to ensure the proper collection of visitors’ personal data for SafeEntry. These include:
- Verifying that the QR codes placed along the queue are accurate before making it available for use by visitors (e.g. test the QR code to confirm that it leads to a *.gov.sg webpage). Check periodically that they have not been tampered with.
- Ensuring the personal data collected is not exposed to other visitors (e.g. projected on screens or read aloud by personnel assisting visitors with data entry).
- Ensuring the relevant personnel are briefed on the proper procedures for collecting personal data.
b. Implementing Other Safe Management Measures at Premises
Besides SafeEntry, you may deploy safe management solutions, such as temperature screening/recording systems, crowd counting/management solutions and safe distancing technologies [4] at your premises.Is personal data collected?
Where possible, deploy solutions that do not collect personal data. For instance, your organisation may deploy temperature scanners to check visitors’ temperature without recording their temperature readings, or crowd management solutions that only detect or measure distances between human figures without collecting facial images. Where no personal data is collected, the PDPA’s Data Protection Provisions do not apply.
Where personal data is collected (e.g. facial images are captured using security camera systems), you should put in place measures to minimise the type/amount of personal data collected and to protect it, including:
- Update your policies so that CCTV/video footage continue to be protected.
- Ensure that only authorised personnel can access the personal data for purposes of contact tracing or safe management of premises. Provide clear instructions on who can approve the disclosure of such data.
- Provide training to all personnel so that they are familiar with the policies relevant to their roles.
Can I manually record personal data?
Should you wish to manually record the personal data of visitors or contractors at your premises to supplement the use of digital solutions, you should take note of the following:
- Ensure the personal data collected is not exposed to other visitors (e.g. leaving physical logbooks or forms containing visitors’ personal data exposed at registration areas).
- Ensure the personal data collected is protected (e.g. under supervision by staff on duty, or under lock and key when no one is watching over it).
What happens if there is a COVID-19 case?
In the event of a COVID-19 case, the Government may disclose personal data to your organisation to assist in its contact tracing efforts. You must ensure such personal data is used only to facilitate Government’s contact tracing efforts, and there is no improper use or disclosure of the personal data (e.g. divulging personal data of confirmed COVID-19 cases to employees, tenants or members of public).
Your organisation may also provide personal data collected of individuals at your premises to the Government when required for contact tracing purposes.
[1] The list of venues/facilities which must adopt the use of SafeEntry can be found at www.safeentry.gov.sg/deployment.
[2] You will need to use a device for SafeEntry NRIC. A device may also be needed for visitors or contractors without their own devices to use SafeEntry QR.
[3] If this is not possible, organisations should ensure that the device used is secure and capable of safeguarding the personal data adequately.
iii. Advisory for Employers
As an employer, you may be required to implement the Government-developed SafeEntry system for employees entering your workplace (e.g. offices, factories and educational institutes) for Government’s contact tracing purposes. You may also deploy safe management measures such as temperature screening, crowd management and safe distancing at your workplace.
Can I collect personal data?
Under the PDPA, your organisation may collect personal data of individuals for purposes of COVID-19 response measures, as this is necessary to respond to an emergency that threatens the life, health or safety of other individuals.
As an employer, you may also collect personal data of employees when implementing safe management measures at the workplace, as this is reasonable for managing the employment relationship.
Personal data collected for these purposes should not be used or disclosed for any other purposes, unless consent is obtained for such purposes or it is authorised under the law. You should also put in place security and access controls to protect the personal data.
a. Implementing SafeEntry at Workplaces
Collection of personal data for Government’s contact tracing purposes should only be done through the use of SafeEntry. The data collected will only be stored in Government’s servers and used for contact tracing purposes by the Government. When implementing SafeEntry, you should put in place measures to ensure the safe and secure collection of personal data.
Are devices deployed secure?
If you are deploying devices (e.g. smartphones, tablets, etc.) for SafeEntry [1], you should consider the following to ensure the safe and secure collection of personal data:
- As far as possible, use a dedicated device to collect the personal data [2]. The device should not be used for any other purposes, including accessing other websites. If possible, do a factory reset before using the device for the collection of data (note: this will delete all data in the device).
- Do not install unnecessary apps on the device. Ensure that there are no apps that can perform screen recording on the devices.
- Turn off the web browser’s autocomplete/autofill function so that users cannot see what others have typed into the form previously.
- Regularly check the device to ensure that it is scanned for viruses and malware, and that it has not been jailbroken. Ensure that the device operating software (OS) is updated regularly.
- Only allow authorised personnel to have access to the device. Enable lock screen when the device is not in use, and use password or biometric protection for device login.
b. Implementing Safe Management Measures at Workplaces
Besides SafeEntry, you may deploy safe management solutions, such as temperature screening/recording systems, crowd counting/management solutions and safe distancing technologies [3] at the workplace. Some of these may be in the form of mobile applications.
You may encourage your employees to download and use the Government-developed TraceTogether app to support the Government’s contact tracing efforts. Data recorded by TraceTogether is stored on the user’s device, and is only uploaded to MOH when it requires the data.
Can I deploy devices for the use of apps by employees?
If you are permitting employees to use contact tracing or safe management apps on organisation-issued devices, you should:
- Update your organisation’s IT policy to include the installation and use of the apps on organisation-issued devices.
- Regularly remind employees to ensure that the most updated version of the apps is installed.
- Ensure that organisation-issued devices are updated with the latest security patches, and that security software is used to complement the use of the apps.
- Implement BYOD policies to govern the installation and use of organisation-supplied apps on employees’ personal devices.
Is personal data collected?
Where possible, deploy solutions that do not collect personal data. For instance, your organisation may deploy crowd counting or safe distancing solutions on top of your security camera system that only detect or measure distances between human figures without collecting facial images. Where no personal data is collected, the PDPA’s Data Protection Provisions do not apply.
Where personal data is collected (e.g. temperature readings with facial images of employees), you should put in place measures to minimise the type/amount of personal data collected and to protect it, including:
- Update your policies so that CCTV/video footage continue to be protected.
- Ensure that only authorised personnel can access the personal data for contact tracing or safe workplace management. Provide clear instructions on who can approve the disclosure of such data.
- Provide training to all personnel so that they are familiar with the policies relevant to their roles.
What happens if there is a COVID-19 case?
In the event of a COVID-19 case, the Government may disclose personal data to your organisation to assist in its contact tracing efforts. You must ensure such personal data is used only to facilitate Government’s contact tracing efforts, and there is no improper use or disclosure of the personal data (e.g. divulging personal data of confirmed COVID-19 cases to other employees or members of public).
Your organisation may also provide personal data of employees to the Government when required for contact tracing purposes.
[1] Your organisation will need to use a device for SafeEntry NRIC. A device may also be needed for employees without their own devices to use SafeEntry QR.
[2] If this is not possible, organisations shall ensure that the device used is secure and capable of safeguarding the personal data adequately.
iv. FAQs
1. Can personal data collected by organisations for COVID-19 response measures be used for any other purposes?
Personal data that is collected for COVID-19 response measures should not be used or disclosed for any other purposes, unless consent is obtained or it is authorised under the law. In general, organisations should expunge the data when it is no longer needed for the purpose it was collected or any legal or business purposes.
2. What can organisations implementing COVID-19 safe management measures do to protect the personal data collected?
Organisations should refer to our advisories when using SafeEntry to collect personal data of visitors at premises.
Other than SafeEntry, organisations may deploy other safe management measures such as temperature screening/recording systems, crowd counting/management solutions and safe distancing technologies.
Where possible, organisations should deploy solutions that do not collect personal data, for example, temperature scanners to check individuals’ temperature without recording their temperature readings, or crowd management solutions that only detect or measure distances between human figures without collecting facial images.
Where personal data is collected, organisations should put in place measures to minimise the type/amount of personal data collected and protect it. Organisations should also ensure personnel handling the personal data are briefed on the proper procedures; restrict access to the personal data only to authorised personnel for safe management purposes; and ensure the personal data collected is securely stored.
When using devices or apps to collect personal data, organisations should ensure the security of personal data by using dedicated devices, and conduct regular checks to scan for viruses or malware and ensure device operating software (OS) are updated regularly.
If manually collecting personal data, physical logbooks or declaration forms containing personal data should be securely kept and not left unattended or exposed to other individuals.
3. What can organisations implementing SafeEntry at premises do to help ensure the safe collection of personal data?
Organisations should, as far as possible, use a dedicated device to collect the personal data, and ensure that there are no unnecessary apps or apps that can perform screen recording installed on the device. Conduct regular checks to ensure that the device used is scanned for viruses or malware, and the device operating software (OS) is updated regularly.
The web browser’s autocomplete/autofill function should also be turned off to ensure that users cannot see what have been typed into the form previously. Organisations should only allow authorised personnel to have access to the device, and enable lock screen when device is not in use. Password or biometric protection can be used to prevent unauthorised device login.
When implementing SafeEntry, organisations should also verify that the QR codes are accurate before making it available for use by visitors, and check periodically that the QR codes have not been tampered with (e.g., test the QR code to confirm that it leads to a *gov.sg webpage).
4. In view of the coronavirus disease 2019 (COVID-19) situation, can organisations collect, use and disclose personal data (including NRIC/FIN/passport numbers) of visitors to premises for the purposes of contact tracing and other response measures in the event of a COVID-19 case?
Organisations may collect relevant personal data of visitors to premises, such as where it is necessary for purposes of contact tracing and other response measures in the event of an emergency. For instance, organisations may collect personal data for Government’s contact tracing purposes during the COVID-19 outbreak through the use of SafeEntry system.
This includes NRIC, FIN or passport numbers, as they provide the unique identifiers required for contact tracers to reach suspected close contacts quickly. This will help the authorities expedite contact tracing processes and prevent new waves of transmission as we gradually relax circuit breaker measures.
In the event of a COVID-19 case, personal data can be collected, used and disclosed without consent to carry out contact tracing and other response measures, as this is necessary to respond to an emergency that threatens the life, health or safety of other individuals.
Organisations must comply with the Data Protection Provisions of the PDPA, such as making reasonable security arrangements to protect the personal data in their possession from unauthorised access or disclosure, and expunging the personal data when it is no longer needed for the purpose it was collected or any legal or business purposes.