Advisories on Collection of Personal Data for COVID-19 Contact Tracing and Use of SafeEntry


Information correct as at 4 January 2022. 

i. General Advisory

Organisations may collect personal data of visitors to premises for purposes of contact tracing and other response measures in the event of an emergency, such as during the outbreak of the coronavirus disease 2019 (COVID-19).

In the event of a COVID-19 case, relevant personal data, including NRIC, can be collected, used and disclosed without consent during this period to carry out contact tracing and other response measures, as this is necessary to respond to an emergency that threatens the life, health or safety of other individuals.

Organisations that collect such personal data must comply with the Data Protection Provisions of the PDPA, such as making reasonable security arrangements to protect the personal data in their possession from unauthorised access or disclosure, and ensuring that the personal data is not used for other purposes without consent or authorisation under the law.

The PDPC has developed a notice to inform visitors that personal data would be collected during the outbreak of COVID-19 for contact tracing purposes. Organisations that would like to make use of the notice may access the following:

Notice for Collection of Personal Data for Contact Tracing

The PDPC would also like to highlight that there have been reports of scammers impersonating MOH contact tracing officers and requesting financial information from individuals. Members of the public are advised to verify the authenticity of the phone calls with the MOH hotline (6325 9220) if they have doubts about the caller's identity.

ii. Advisory for Premise Owners

a. Implementing TraceTogether-only SafeEntry at Premises

From 17 May 2021, contact tracing will be further strengthened through the implementation of TraceTogether-only SafeEntry check-in (i.e., either via the TraceTogether App or token) [1], which replaces the previous SafeEntry check-in. The data collected will only be stored in the Government’s servers. In such instances, venue operators will be able to collect personal data without consent as the vital interests exception will apply.

The collection of NRIC numbers for checking into venues will be accepted until 31 May 2021. Starting from 1 June 2021, venue operators may still manually key in visitors' NRIC, FIN or passport numbers into, or scan the barcode of the national identification cards against, the SafeEntry (Business) App/web version under the following extenuating circumstances at their discretion:

  1. Short-term visitors to Singapore who are unable to register or use the TraceTogether App
  2. TraceTogether App users unable to check in with the venue’s SE QR
  3. TraceTogether App users with a mobile phone that is out of battery
  4. Users causing significant inconvenience to the rest of the patrons while attempting to check in

Viewing the SafeEntry Check-in Pass in order to meet organisations’ safe management obligations under the COVID-19 (Temporary Measures) (Control Orders) Regulations 2020 is a reasonable and appropriate purpose permitted under the Personal Data Protection Act. Organisations cannot demand that visitors disclose other information from the TraceTogether App as a condition for entry, unless required under Safe Management Measures (SMM).

[1] The list of venues/facilities which must adopt the use of TraceTogether-only SafeEntry can be found at www.safeentry.gov.sg/deployment.

How to secure devices deployed?

Premise owners/venue operators can either download the SafeEntry (Business) App to use the SEGW function, or set up the SEGW Box. If you are deploying devices (e.g. smartphones, tablets, etc.) for the SafeEntry (Business) App, you should consider the following:

  • As far as possible, use a dedicated device to collect the personal data. The device should not be used for any other purposes, including accessing other websites. If possible, do a factory reset before using the device for the collection of data (note: this will delete all data in the device). 
  • Do not install unnecessary apps on the device. Ensure that there are no apps that can perform screen recording on the devices.
  • Turn off the web browser’s autocomplete/autofill function so that users cannot see what others have typed into the form previously.
  • Regularly check the device to ensure that it is scanned for viruses and malware, and that it has not been jailbroken. Ensure that the device operating software (OS) is updated regularly.
  • Only allow authorised personnel to have access to the device. Enable lock screen when the device is not in use, and use password or biometric protection for device login.

What processes should be in place for responsible data collection?

Premise owners/venue operators should put in place administrative processes and controls to ensure the proper collection of visitors’ personal data for TraceTogether-only SafeEntry. These include:

  • Verifying that the QR codes placed along the queue are accurate before making them available for use by visitors (e.g. test the QR code to confirm that it leads to the TraceTogether app). Check periodically that they have not been tampered with.
  • Ensuring the personal data collected is not exposed to other visitors (e.g. projected on screens or read aloud by personnel assisting visitors with data entry).
  • Ensuring the relevant personnel are briefed on the proper procedures for collecting personal data.

Can F&B establishments request patrons to show their COVID Vaccination Status in their TraceTogether App?

From 22 November 2021, F&B establishments are permitted to seat dine-in groups of up to 5 fully-vaccinated persons [2]. As part of this measure, they have to verify the vaccination status of such individuals. The SafeEntry (Business) App is provided to facilitate quick and reliable entry and vaccination status checks as the default means of checking the vaccination status of both TraceTogether App and Token users.
 
As a backup, F&B establishments may visually sight the vaccination status of individuals either on their TraceTogether App or their HealthHub App or via hardcopies/screenshots of their vaccination reports or cards. F&B establishments cannot require other information in the Apps, such as check-in history information, to allow or deny entry into their establishments. In addition, any data of customers used by F&B establishments for eligibility checks should not be uploaded to the F&B establishments’ own databases for storage. Such data should be limited to the purpose of conducting eligibility checks for dine-in and not used for other purposes.
 
For more information on vaccination-differentiated Safe Management Measures (SMM), please visit www.go.gov.sg/moh-smm.
 
[2] An individual is considered vaccinated if he/she: a) has been fully vaccinated, i.e. has received the appropriate regimen of World Health Organisation Emergency Use Listing (WHO EUL) vaccines including their respective duration post-vaccination for the vaccine to be fully effective, and had their vaccination records ingested in MOH’s national IT systems; b) has recovered from COVID-19 within the last 180 days; or c) has obtained a negative result on a pre-event test taken in the past 24 hours before the expected end of the event. More information can be found at www.go.gov.sg/moh-smm.

b. Implementing Other Safe Management Measures at Premises

Besides the TraceTogether token or App, you may deploy safe management measures, such as temperature screening systems, crowd counting/management measures and safe distancing technologies at your premises. 

However, deploy measures that do not collect personal data. For instance, your organisation may deploy temperature scanners to check visitors’ temperature without recording their temperature readings, or crowd management solutions that only detect or measure distances between human figures without collecting facial images. Where no personal data is collected, the PDPA’s Data Protection Provisions do not apply. 

Can I manually record personal data? 

Premise owners/venue operators can manually enter the national identification numbers into the SafeEntry (Business) App/web version. There is no need for venue operators to separately record the personal data of visitors or contractors at your premises to supplement the use of the SafeEntry (Business) App/web version.

What happens if there is a COVID-19 case? 

In the event of a COVID-19 case, the Government may disclose personal data to your organisation to assist in its contact tracing efforts. You must ensure such personal data are used only to facilitate the Government’s contact tracing efforts, and there is no improper use or disclosure of the personal data (e.g. divulging personal data of confirmed COVID-19 cases to employees, tenants or members of the public).

Your organisation may also provide personal data of individuals collected at your premises to the Government when required for contact tracing purposes.

iii. Advisory for Employers

a. Implementing TraceTogether-only SafeEntry at Workplace

From 17 May 2021, contact tracing will be further strengthened through the implementation of TraceTogether-only SafeEntry check-in (i.e., either via the TraceTogether App or token) [1], which replaces the previous SafeEntry check-in. As an employer, you are required to implement the Government-developed TraceTogether-only SafeEntry for employees entering your workplace (e.g. offices, factories and educational institutes). The data collected will only be stored in the Government’s servers.

The collection of national identification cards for checking into workplaces will be accepted until 31 May 2021. Starting from 1 June 2021, venue operators may still manually key in visitors' NRIC, FIN or passport numbers into, or scan the barcode of the national identification cards against, the SafeEntry (Business) App/web version under the following extenuating circumstances at their discretion:

  1. Short-term visitors to Singapore who are unable to register or use the TraceTogether App
  2. TraceTogether App users unable to check in with the venue’s SE QR
  3. TraceTogether App users with a mobile phone that is out of battery
  4. Users causing significant inconvenience to the rest of the patrons while attempting to check in

[1] The list of venues/facilities which must adopt the use of TraceTogether-only SafeEntry can be found at www.safeentry.gov.sg/deployment.

Can employers conduct audits/checks on the information displayed within the TraceTogether App?  

The features of the TT App are intended for the user’s own reference or for the Government’s contact tracing purposes. 

Employers can view the SafeEntry Check-in Pass on the App to verify that staff have checked-in to SafeEntry when entering the workplace. For all other information on the App, employers should seek the consent of their staff to give the additional information. Employers should communicate the reasons for seeking the additional information and what they will be using the information for. Moreover, employers should not conduct intrusive checks of employees’ personal devices to obtain such personal information. 

How to secure devices deployed?

Employers can either download the SafeEntry (Business) App to use the SEGW function, or set up the SEGW Box for employees’ entry into workplaces. If you are deploying devices (e.g. smartphones, tablets, etc.) or the SafeEntry (Business) App, you should consider the following to ensure the safe and secure collection of personal data:

  • As far as possible, use a dedicated device to collect the personal data. The device should not be used for any other purposes, including accessing other websites. If possible, do a factory reset before using the device for the collection of data (note: this will delete all data in the device). 
  • Do not install unnecessary apps on the device. Ensure that there are no apps that can perform screen recording on the devices.
  • Turn off the web browser’s autocomplete/autofill function so that users cannot see what others have typed into the form previously.
  • Regularly check the device to ensure that it is scanned for viruses and malware, and that it has not been jailbroken. Ensure that the device operating software (OS) is updated regularly.
  • Only allow authorised personnel to have access to the device. Enable lock screen when the device is not in use, and use password or biometric protection for device login.

b. Implementing Safe Management Measures at Workplaces

Besides the TraceTogether token or App, you may deploy safe management measures, such as temperature screening systems, crowd counting/management measures and safe distancing technologies at your premises. 

However, deploy measures that do not collect personal data. For instance, your organisation may deploy temperature scanners to check visitors’ temperature without recording their temperature readings, or crowd management solutions that only detect or measure distances between human figures without collecting facial images. Where no personal data is collected, the PDPA’s Data Protection Provisions do not apply. 

Can I collect the vaccination status, Antigen Rapid Test (ART) or Pre-Event Test (PET) results of my employees?

From 1 January 2022, the Ministry of Manpower will implement Safe Management Measures (SMM) [2] and workplace vaccination measures [3] for employees returning to the workplace. According to these measures, employees are required to be vaccinated to be at the workplace, and those who return to the workplace are encouraged to self-test weekly via an Antigen Rapid Test (ART).

To enforce these measures, employers will need to ask employees for information, such as their ART result or Pre-Event Testing (PET) result, and/or their vaccination status and related details (e.g. whether employees have had their booster shots). For unvaccinated employees, employers may need to request more information, such as reasons for delay in vaccination and when they are expected to complete their vaccination.

Such personal information can be collected, used and disclosed without employees’ consent via the employment exception under the PDPA to enforce the above measures and to ensure a safe working environment for all staff [4]. You may request employees to show their vaccination status through their TraceTogether app or token, HealthHub app or the original physical vaccination card to determine the vaccination status of employees.

In general, in enforcing the above measures, employers should continue to comply with the Data Protection (“DP”) Provisions of the PDPA, such as:

  1. informing employees upfront of the purpose(s) for the collection, use and disclosure of their personal data (e.g. vaccination status or COVID-19 test results)
  2. updating data protection policies to clearly reflect the new purpose(s) for the collection, use and disclosure of employees’ personal data
  3. making reasonable security arrangements to protect the personal data in their possession from unauthorised access, use, disclosure, modification or disposal

[2] Up to 50% of employees who are able to work from home can be at the workplace at any point in time from 1 January 2022. Those who report onsite are encouraged to self-test weekly via an Antigen Rapid Test (ART). More information on Safe Management Measures (SMM) at the workplace can be found at mom.gov.sg/covid-19/requirements-for-safe-management-measures.

[3] Unvaccinated employees are still allowed at the workplace with a negative Pre-Event Testing (PET) result from 1 January 2022 to 14 January 2022. Unvaccinated employees will not be allowed at the workplace even with a negative PET result from 15 January 2022 onwards. More information on workplace vaccination measures can be found at mom.gov.sg/covid-19/advisory-on-covid-19-vaccination-in-employment-settings.

[4] More information on the employment exception under the PDPA can be found in Chapter 5 of the Advisory Guidelines on PDPA for Selected Topics.

Can I deploy my own devices for the use of apps by employees?

If you require employees to use other contact tracing or safe management apps on organisation-issued devices, on top of the TraceTogether-only SafeEntry, you should:

  • Update your organisation’s IT policy to include the installation and use of the apps on organisation-issued devices. 
  • Regularly remind employees to ensure that the most updated version of the apps is installed.
  • Ensure that organisation-issued devices are updated with the latest security patches, and that security software is used to complement the use of the apps.

If you are permitting employees to install and run organisation-supplied apps on their own personal devices, you should:

  • Implement BYOD policies to govern the installation and use of organisation-supplied apps on employees’ personal devices.

What happens if there is a COVID-19 case? 

In the event of a COVID-19 case, the Government may disclose personal data to your organisation to assist in its contact tracing efforts. You must ensure such personal data is used only to facilitate the Government’s contact tracing efforts, and there is no improper use or disclosure of the personal data (e.g. divulging personal data of confirmed COVID-19 cases to other employees or members of the public).

Your organisation may also provide personal data of employees to the Government when required for contact tracing purposes.