Introduction

As Singapore embarks on the safe re-opening of its economy, the Government has introduced several measures to stem the risk of transmission and further outbreaks of the coronavirus disease 2019 (“COVID-19”) in the local community.[1] In particular, the Government requires businesses and services that are in operation to:

• utilise the Government-developed SafeEntry system to log the check-in of employees and visitors. This supports and quickens efforts to prevent and control the transmission of COVID-19 by providing authorities with a record of individuals who enter and exit such places;[2]
• take the temperatures of their employees twice daily; and
• obtain declarations of travel history from their employees before allowing them to enter the offices and worksites.

Businesses and services should note that when implementing the above measures, they will be collecting, using and disclosing personal data. As such, they should be mindful of their obligations under the Personal Data Protection Act 2012 (the “PDPA”).

The Personal Data Protection Commission (“PDPC”) has issued three advisories on the collection of personal data and the use of SafeEntry:

• Advisory on Collection of Personal Data for COVID-19 Contact Tracing;
• Advisory for Premise Owners; and
• Advisory for Employers,

(collectively, the “Advisories” and each an “Advisory”).

The PDPC’s Advisories can be found here.

This article highlights the key aspects of the Advisories and sets out the measures to properly ensure the safe and secure collection of personal data.

A. Advisory on Collection of Personal Data for COVID-19 Contact Tracing

This Advisory provides that organisations may collect the personal data of visitors to its premises for the purposes of contact tracing and other response measures in the event of an emergency, such as during the outbreak of COVID-19.

As organisations may require national identification numbers to accurately identify individuals in the event of a COVID-19 case, organisations may collect visitors’ NRIC, FIN or passport numbers for this purpose. In the event of a COVID-19 case, relevant personal data can be collected, used and disclosed without consent during this period to carry out contact tracing and other response measures, as this is necessary to respond to an emergency that threatens the life, health or safety of other individuals.

Organisations that collect such personal data must comply with the data protection provisions in the PDPA, such as making reasonable security arrangements to protect the personal data in their possession from unauthorised access or disclosure, and ensuring that the personal data is not used for other purposes without consent or authorisation under the law.

The PDPC has developed two template notices to inform visitors that personal data would be collected for contact tracing purposes, which may be accessed on the PDPC’s website:

• Tent card version; and:
• A5 version.

B. Advisory for Premise Owners and Advisory for Employers

Premise owners may be required to implement the SafeEntry system for visitors entering their premises (e.g. malls, supermarkets, wet markets, healthcare facilities, nursing homes, schools and educational institutes) for the Government’s contact tracing purposes. Premise owners may also deploy safe management solutions, such as temperature screening/recording systems, crowd counting/management solutions and safe distancing technologies at their premises.[3]

In a similar vein, employers may be required to implement the SafeEntry system for employees entering its workplace (e.g. offices, factories and educational institutes) for the Government’s contact tracing purposes, and may also deploy safe management solutions (such as temperature screening/recording systems, crowd counting/management solutions and safe distancing technologies) at their workplace.

The PDPC’s Advisory for Premise Owners and the Advisory for Employers both concern the implementation of the above measures by Premise Owners and Employers respectively. As the measures under both Advisories are quite similar, they will be covered together under this section.

Collection of personal data

Both Advisories clarify that premise owners and employers may collect personal data (including NRIC, FIN or passport numbers) for the purpose of COVID-19 response measures. This is necessary to respond to an emergency that threatens the life, health or safety of individuals.

Nonetheless, the collection of personal data for the Government’s contact tracing purposes should only be done through the use of SafeEntry. The data collected will only be stored in the Government’s servers and used for contact tracing purposes by the Government. When implementing SafeEntry, premise owners should put in place measures to ensure the safe and secure collection of personal data.

Employers may also collect the personal data of employees when implementing safe management measures at their workplaces – the PDPC acknowledges that doing so is reasonable for managing the employment relationship. Personal data collected for these purposes should not be used or disclosed for any other purpose, unless consent is obtained for such purpose or it is authorised under the law. Employers should also put in place security and access controls to protect the personal data collected.

Implementation of SafeEntry at premises and workplaces

SafeEntry is a digital check-in system that logs the NRIC/FINs and mobile numbers of individuals. Individuals check in/out from SafeEntry at entry/exit points through:

• using the SingPass Mobile app to scan a QR code or choose from a list of nearby locations using the ‘SafeEntry Check-In’ function;
• having an identification card with a barcode (e.g. NRIC, Passion card, Pioneer Generation card, Merdeka Generation card, driver’s licence, Transitlink concession card, student pass and work permit) scanned by staff; or
• scanning of a QR code displayed at the venue and submitting one’s personal particulars.[4]

If premise owners/employers are deploying devices (e.g. smartphones, tablets, etc.) for SafeEntry, they should consider the following:

• As far as possible, use a dedicated device to collect personal data. The device should not be used for any other purposes, including accessing other websites. If this is not possible, premise owners/employers should ensure that the device used is secure and capable of safeguarding the personal data adequately. The Advisories also state that if possible, a factory reset should be conducted before using the device for the collection of data (which may delete all data in the device).
• Do not install unnecessary applications on the devices, and ensure that there are no applications that are able to do screen recording on the devices.
• Turn off the web browser’s autocomplete/autofill function to ensure that users cannot see what others have typed into the form previously.
• Regularly check the device to ensure that it is scanned for viruses and malware, and that it has not been jailbroken. Ensure that the device operating software (OS) is updated regularly.
• Only allow authorised personnel to have access to the device. Enable lock screen when the device is not in use, and use password or biometric protection for device login.

Premise owners should also put in place administrative processes and controls to ensure the proper collection of visitors’ personal data for SafeEntry. These include:

• Verifying that the QR codes placed along queues are accurate before making it available for use by visitors (e.g. test the QR code to confirm that it leads to a *.gov.sg webpage). Check periodically that they have not been tampered with.
• Ensuring the personal data collected is not exposed to other visitors (e.g. projected on screens or read aloud by personnel assisting visitors with data entry).
• Ensuring the relevant personnel are briefed on the proper procedures for collecting personal data.

Implementation of other safe management measures at premises and workplaces

Besides SafeEntry, premise owners and employers may deploy safe management solutions, such as temperature screening/recording systems, crowd counting/management solutions and safe distancing technologies. at premises and workplaces respectively.[5]

Employers may also encourage employees to download and use the Government-developed TraceTogether app to support the Government’s contact tracing efforts. Data recorded by TraceTogether is stored in the user’s device, and is only uploaded to the Ministry of Health when it requires the data.

Where possible, premise owners and employers should deploy solutions that do not collect personal data, for example:

• Premise owners may deploy temperature scanners to check visitors’ temperatures without recording their temperature readings, or crowd management solutions that only detect or measure distances between human figures without collecting facial images.
• Employers may deploy crowd counting or safe distancing solutions on top of their security camera systems that only detect or measure distances between human figures without collecting facial images.

Where no personal data is collected, the PDPA’s Data Protection Provisions do not apply. However, where personal data is collected by premise owners (e.g. facial images are captured using security camera systems) or employers (e.g. temperature readings with facial images of employees), measures should be put in place to minimise the type/amount of personal data collected and to protect such data. These measures include:

• Update policies to ensure that closed-circuit television (CCTV) and security video footage continue to be protected.
• Ensure that only authorised personnel can access the personal data for purposes of contact tracing or safe management of premises/workplace. Provide clear instructions on who can approve the disclosure of such data.
• Provide training to all personnel so that they are familiar with the policies relevant to their roles.

Should premise owners wish to manually record the personal data of visitors or contractors at their premises to supplement the use of digital solutions, they should take note of the following:

• Ensure the personal data collected is not exposed to other visitors (e.g. leaving physical logbooks or forms containing visitors’ personal data exposed at registration areas).
• Ensure the personal data collected is protected (under supervision by staff on duty, or under lock and key when no one is watching over it).

Where employers permit employees to use contact tracing or safe management applications on organisation-issued devices, they should:

• Update the organisation’s IT policy to include the installation and use of safe management apps on organisation-issued devices.
• Regularly remind employees to ensure that the most updated version of the apps is installed.
• Ensure that organisation-issued devices are updated with the latest security patches, and that security software is used to complement the use of the apps.

If an employer is permitting employees to install and run organisation-supplied apps in their own personal devices, employers should implement bring-your-own-device policies to govern the installation and use of such apps on their employees’ personal devices.

When there is a COVID-19 case

In the event of a COVID-19 case, the Government may disclose personal data to a premise owner or an employer to assist in its contact tracing efforts. Premise owners and employers must ensure that such personal data is used only to facilitate the Government’s contact tracing efforts, and there is no improper use or disclosure of the personal data (i.e. divulging personal data of confirmed COVID-19 cases to other employees or members of public).

Premise owners and employers may provide personal data of individuals or employees at their premises or workplaces (as the case may be) to the Government when required for contact tracing purposes.

Commentary

While Singapore has emerged from the “Circuit Breaker” measures that were imposed to combat the outbreak of COVID-19, Singapore is not out of the woods yet; the COVID-19 pandemic is still running rife in various parts of the world and the risk of future outbreaks in Singapore remains very real. As Singapore gradually re-opens its economy, contact tracing will become all the more vital to prevent future outbreaks of COVID-19. While it is crucial for organisations to implement SafeEntry to collect personal data for this purpose, organisations should remain mindful of the rules and regulations pertaining to personal data protection. In this regard, the Advisories provide useful guidance on the implementation of SafeEntry and other safe management measures that would assist premise owners and employers in complying with the requirements of the PDPA.

[1] Aw Cheng Wai, ‘What are some of the new rules at workplaces from May 12 as Singapore eases tightened Covid-19 circuit breaker measures’ (Straits Times, 9 May 2020).

[2] Ministry of Health,  ‘Implementing SafeEntry And Safe Management Practices’ <https://www.moh.gov.sg/news-highlights/details/implementing-safeentry-and-safe-management-practices>; ‘Fight the spread of Covid-19 with contact tracing’ (Straits Times, 30 May 2020).

[3] Note: The Government has prescribed a list of venues/facilities which must adopt the use of SafeEntry. Please refer here for the full list of venues/facilities that must adopt the use of SafeEntry.

[4] SafeEntry, ‘What is SafeEntry’ <https://support.safeentry.gov.sg/hc/en-us/articles/900000667463-What-is-SafeEntry->.

[5] Note: For example, there are pre-approved solutions under the Infocomm Media Development Authority’s SME Go Digital Programme. Please refer here for further details.

If you have any questions or require any additional information, please feel free to reach out to Dr Qiu Yang, Denzel Chua or any director of ZICO Insights Law LLC.

This alert is for general information only and is not a substitute for legal advice.