COVID-19: What should Employers do for collection of personal data under Phase 2 (Heightened Alert) - An advisory from the Singapore PDPC

Following the spike in COVID-19 cases, the Government of Singapore announced tightening of measures to stop the resurgence spread of the virus. Known as “Phase 2 (Heightened Alert)" it is currently in effect, lasting from May 16 through Jun 13, Under such an exceptional situation, the First and Second schedules under PDPA (Personal Data Protection Act) paragraph 17a on the Collection of Personal Data has provided for organisations to collect personal data even if consent is not explicitly given.  As such the PDPC updated its advisory for employers:

1. General Advisory

As Singapore is considered to be in a situation where personal data is necessary for contact tracing to mitigate risks or threats to life, health or safety of other individuals, organisations are allowed to collect personal data of visitors to premises. This is for the purposes of contact tracing and other response measures in the event of an emergency. Information that is required include the identity card number (NRIC) which can be collected, used and disclosed without consent to carry out contact tracing and other response measures.

However, organisations that collect such personal data must still comply with the Data Protection Provisions of the PDPA, such as making reasonable security arrangements to protect the personal data in their possession from unauthorised access or disclosure, and ensuring that the personal data is not used for other purposes without consent or authorisation under the law.

Complementing the advisory for premise owners is the section of the advisory for employers:

2. Advisory for Employers

a. Implementing TraceTogether-only SafeEntry at Workplace

The implementation of TraceTogether-only SafeEntry check-in (i.e., either via the TraceTogether App or token), which replaces the previous SafeEntry check-in is designed to strengthen the means of contact tracing purposes from 17 May 2021. Employers are advised to implement the Government-developed TraceTogether-only SafeEntry for employees entering its workplace (e.g., offices, factories, and educational institutes). The data collected will only be stored in the Government’s servers.

The PDPC reminds employers that the collection of NRIC numbers for checking into workplaces will be accepted until 31 May 2021. From 1 June 2021, employers may still manually key in visitors' NRIC, FIN or passport numbers into or scan the barcode of the national identification cards against the SafeEntry (Business) App/web version under the extenuating circumstances listed by the PDPC.

b. Can employers conduct audits/checks on the information displayed within the TraceTogether App?

The PDPC reiterated that the features of the TraceTogether (TT) App are intended for the user’s own reference or for the Government’s contact tracing purposes. 

Employers can view the SafeEntry Check-in Pass on the App to verify that staff have checked-in to SafeEntry when entering the workplace. For all other information on the App, employers should seek the consent of their staff to give the additional information. Employers should communicate the reasons for seeking the additional information and what they will be using the information for. In accordance with general privacy (data protection) principles, employers should not conduct intrusive checks of employees’ personal devices to obtain such personal information. 

c. How to secure devices deployed?

The PDPC outlines how employers can:

• deploy the SafeEntry Gateway (SEGW)
• implement processes that should be in place for responsible data collection
• implement other safe management measures at premises

The PDPC advisory also provides recommendation on “how to” deploy the devices; you may want to visit the PDPC advisory page. Employers can either download the SafeEntry (Business) App to use the SEGW function or set up the SEGW Box for employees’ entry into workplaces.

d. Implementing Safe Management Measures at Workplaces

Besides the TraceTogether token or App, employers may also deploy safe management measures, such as temperature screening systems, declaration of places visited, crowd counting/management measures and safe distancing technologies at your premises.

However, deploy measures that do not collect personal data. For instance, your organisation may deploy temperature scanners to check visitors’ temperature without recording their temperature readings, or crowd management solutions that only detect or measure distances between human figures without collecting facial images. Where no personal data is collected, the PDPA’s Data Protection Provisions do not apply.

e. Can I deploy my own devices for the use of apps by employees?

Employers may have an arrangement for employees to use other contact tracing or safe management apps on organisation-issued devices, on top of the TraceTogether-only SafeEntry, provided the following guidelines are adhered:

• Update your organisation’s IT policy to include the installation and use of the apps on organisation-issued devices.
• Regularly remind employees to ensure that the most updated version of the apps is installed.
• Ensure that organisation-issued devices are updated with the latest security patches, and that security software is used to complement the use of the apps.

If employees are permitted to install and run organisation-supplied apps in their own personal devices, the employer should:

• Implement BYOD policies to govern the installation and use of organisation-supplied apps on employees’ personal devices.
• 
  

f. What happens if there is a COVID-19 case?

In the event of a COVID-19 case, the Government may disclose personal data of affected employee(s) to the organisation to assist in its contact tracing efforts. It reminded the employer that the personal data are used only to facilitate Government’s contact tracing efforts, and there is no improper use or disclosure of the personal data (e.g., divulging personal data of confirmed COVID-19 cases to employees, tenants, or members of public). The employer may also be required to provide personal data collected of its employees to the Government when required for contact tracing purposes.

The list of organisations/venues/facilities that must adopt the use of TraceTogether-only SafeEntry can be found here.

The advisory also addresses what is required for premises owners to undertake with regards to collection of personal data under Phase 2 (Heightened Alert) situation. Having an understanding of data protection principles underlying the laws would be helpful to one in comprehending and applying such advisories.

3. What do I need to know?

Clearly, personal data is required for contact tracing and for the vital interest of both the individual and for the larger public.  In this case the Singapore PDPC has issued an advisory to what is already underlined in the statute and many of the personal data protection laws across many jurisdictions. For a greater understanding of data protection laws, do attend a course on data protection principles. Stay safe!

Adapted from www.pdpc.gov.sg/help-and-resources/2021/05/advisory-on-collection-of-personal-data-for-covid-19-contact-tracing
by: Leong Wai Chong, CIPM, GRCP.

The views and opinions expressed in this article are those of the author and do not necessarily reflect the official view or position of DPEXNetwork.