The collection, use, and transfer of vast amounts of personal information to third-party organizations for a variety of reasons is a trend that will surely grow as we move towards automation and digitalization. Data is also a vital component in ensuring public health.
With the growing importance of data comes increased concern from individuals about how, when, why, and by whom their personal data is being collected, used, disposed of, and stored. In Singapore, that concern is addressed by the Personal Data Protection Act (PDPA) and a data protection regime to govern the collection, use, disposal and storage of personal data.
Singaporean public agencies are not governed by the PDPA because there are fundamental differences in how the public sector operates compared to the private sector. Public sector agencies have to comply with Government Instruction Manuals and the Public Sector (Governance) Act (PSGA), which collectively provide comparable, if not higher, standards of data protection compared to the PDPA. Investigations and enforcement actions for data security breaches are similar under both the PDPA and the PSGA.
After the World Health Organization (WHO) declared the outbreak of COVID‑19 a pandemic, various governments — including the Singapore government — took decisive actions to curb the spread of COVID-19. Since many of those actions involve the collection and use of personal information, the Personal Data Protection Commission (PDPC) issued two advisories: one on the collection of personal data for COVID-19, and one on contact tracing and the use of Safe Entry.
Collection of Personal Data for COVID-19
Singaporean organizations may collect personal data of visitors to their premises for the purposes of contact tracing and other response measures in the event of an emergency, such as during the outbreak of the novel coronavirus (COVID-19). Here, it is important to note that the personal data can be collected, used, disposed of, and stored for the purposes of contact tracing, and to respond to an emergency that threatens the life, health, or safety of other individuals. The intent in that context is to prevent harm and ensure the safety of the population at large, regardless of whether it causes an invasion of privacy.
The PDPC has developed a notice that building owners are advised to post at prominent locations, so as to notify all concerned that personal data will be collected, used, disposed of, and stored during the pandemic for the purposes of preventing harm and contact tracing.
To ensure that contact tracing can be conducted meaningfully and effectively, it is essential that information be complete and accurate. Accordingly, details are gathered from National Identity Cards, Foreign Identification Cards, or even passports (something that was prohibited before COVID‑19).
Contact Tracing and Use of Safe Entry
The Singapore Government has also encouraged premises owners and venue operators to use digital apps or systems such as Safe Entry for contact tracing. The intent here is to ensure that the personal data collected is not used or disclosed for any purpose other than contact tracing. If the collected data is to be used for other purposes, then consent must be obtained, or the practice must be authorized by law.
Organizations must adequately protect the data that is being collected, and expunge it when it is no longer needed for the purposes related to contact tracing. Organizations must not keep such data once it is no longer needed.
When using digital apps or systems, organizations are encouraged to use their own devices and also register with the relevant Public Agencies, which have spelled out guidelines and measures that organizations must adhere to when using digital apps or systems. Cautionary guidelines and expectations to ensure the safe and proper collection of personal data are highlighted by the PDPC at www.pdpc.gov/sg/Help-and-Resources.
While the laws may differ between countries, the common goal is to protect society at large during the pandemic, and protect the affected personnel without compromising their safety or privacy. A goal of many governments — earning and warranting the public’s trust — relies on informing people of the need to collect, use, dispose of, and store personal data.
Corporations have a similar goal, and their Data Protection Officers provide the essential service of ensuring proper and adequate training about the collection, use, storage, and disposal of personal information. Equipping data protection personnel with the right tools so that they can do their jobs efficiently and effectively — and ensuring proper measures, policies and systems are in place to mitigate breaches and resulting harms — is vital to achieve corporate objectives and enable organizations to comply with the Personal Data Protection Act 2012.