COVID-19: What should Premise Owners do for collection of personal data under Phase 2 (Heightened Alert) - An advisory from the Singapore PDPC Advisory

Following a spike in COVID-19 cases, the Government of Singapore announced tightening of measures to stop the resurgence spread of virus. Known as Phase 2 (Heightened Alert) it is currently in effect, lasting from May 16 through Jun 13. Under such an exceptional situation, the First and Second schedules under PDPA (Personal Data Protection Act) paragraph 17a on the Collection of Personal Data has provided for organisations to collect personal data even if consent is not explicitly given.

As such the Singapore PDPC (Personal Data Protection Commission) has updated its advisory:

1. General Advisory

As Singapore is considered to be in a situation where personal data is necessary for contact tracing to mitigate risks or threats to life, health or safety of other individuals, organisations are allowed to collect personal data of visitors to premises. This is for the purposes of contact tracing and other response measures in the event of an emergency. Information that is required include the identity card number (NRIC) which can be collected, used and disclosed without consent to carry out contact tracing and other response measures.

However, organisations that collect such personal data must still comply with the Data Protection Provisions of the PDPA, such as making reasonable security arrangements to protect the personal data in their possession from unauthorised access or disclosure, and ensuring that the personal data is not used for other purposes without consent or authorisation under the law.

2. Advisory for Premise Owners

Organisations (premise owners) are to:

a. Implement TraceTogether-only SafeEntry at Premises
The implementation of TraceTogether-only SafeEntry check-in (i.e., either via the TraceTogether App or token), which replaces the previous SafeEntry check-in is designed to strengthen the means of contact tracing purposes from 17 May 2021. The data collected will only be stored in the Government’s servers. In such instances, venue operators will be able to collect personal data without consent as the vital interests exception will apply.

The PDPC reminds premise owners that the collection of NRIC numbers for checking into venues will be accepted until 31 May 2021. From 1 June 2021, venue operators may still manually key in visitors' NRIC, FIN or passport numbers into or scan the barcode of the national identification cards against the SafeEntry (Business) App/web version under the extenuating circumstances listed by the PDPC.

The PDPC outlines how organisations/premise owners/venue operators can:

• deploy the SafeEntry Gateway (SEGW)
• implement processes that should be in place for responsible data collection
• implement other safe management measures at premises

b. Implementing Other Safe Management Measures at Premises

Besides the TraceTogether token or App, organisations may deploy safe management measures, such as temperature screening systems, crowd counting/management measures and safe distancing technologies at its premises, including manual data entry. However, organisations cannot demand that visitors disclose other information from the individuals or the TraceTogether App as a condition for entry.
The list of organisations/venues/facilities that must adopt the use of TraceTogether-only SafeEntry can be found here.

c. What happens if there is a COVID-19 case?

In the event of a COVID-19 case, the Government may disclose personal data of affected individual(s) to the organisation to assist in its contact tracing efforts. It is specific that the personal data are used only to facilitate Government’s contact tracing efforts, and there is no improper use or disclosure of the personal data (e.g., divulging personal data of confirmed COVID-19 cases to employees, tenants, or members of public). The organisation may also be required to provide personal data collected of individuals at its premises to the Government when required for contact tracing purposes.

The advisory also addresses what is required for employers to undertake with regards to collection of personal data under Phase 2 (Heightened Alert) situation. Having an understanding of data protection principles underlying the laws would be helpful to one in comprehending and applying such advisories.

3. What do I need to know?

Clearly, personal data is required for contact tracing and for the vital interest of both the individual and for the larger public. In this case the Singapore PDPC has issued an advisory to what is already underlined in the statute and many of the personal data protection laws across many jurisdictions. For a greater understanding of data protection laws, do attend a course on data protection principles. Stay safe!

Adapted from www.pdpc.gov.sg/help-and-resources/2021/05/advisory-on-collection-of-personal-data-for-covid-19-contact-tracing
by: Leong Wai Chong, CIPM, GRCP.

The views and opinions expressed in this article are those of the author and do not necessarily reflect the official view or position of DPEXNetwork.