COVID-19 and The Implications of The Personal Data Protection Act


Is your company collecting personal data for contact tracing? Are you complying with the PDPA?

With the outbreak of the coronavirus disease 2019 (COVID-19), many organisations have opted to collect the personal data of visitors to their premises for the purposes of contact tracing. This has led to some concern as to whether such actions are permissible under the Personal Data Protection Act 2012 (No. 26 of 2012) (“PDPA”).

Contact tracing purposes

On 13 February 2020, the Personal Data Protection Committee released an advisory stating that organisations may collect personal data of visitors to premises for purposes of contact tracing and other response measures in the event of an emergency. In order to accurately verify the identity of individuals, organisations may collect visitors' NRIC, FIN or passport numbers.

Verify before disclosing personal data

In addition, organisations may collect, use and disclose relevant personal data without consent to carry out contact tracing and other response measures in the event of a COVID-19 case, as this is in the public interest, being necessary to protect and safeguard the life, health or safety of other individuals. For example, organisations may receive calls from the Ministry of Health and/or the Singapore Police Force as part of their contact tracing efforts of confirmed or suspected COVID-19 cases. Whilst such organisations are permitted to disclose relevant personal data, they should take reasonable steps to verify the caller’s identity (e.g. requesting the name, position and station of the caller). Taking such steps would minimise the risk of the organisation disclosing personal data to scam or phishing callers.

Have you made security arrangements for storing the data and avoiding misuse?

Nevertheless, organisations that collect such personal data must comply with the Data Protection Provisions of the PDPA. This includes making reasonable security arrangements to protect the personal data in their possession from unauthorised access or disclosure, and ensuring that the personal data is not used for other purposes without consent or authorisation under the law. For example, if the data is stored online, an organisation must take steps to conduct relevant tests of its IT environment to ensure that personal data is protected. Further, by way of example, information collected for the purpose of contact tracing or response measures cannot be used to promote services.

Are you prepared for disposal and inspection of the data?

Further, organisations should also cease to retain such personal data as soon as it is reasonable to assume that the purpose for which that personal data was collected is no longer being served and retention is no longer necessary for legal or business purposes. Individuals are also entitled to inspect the personal data collected and to know how it has been used in the previous one year. An organisation must therefore have in place a standard “access request” procedure allowing an individual to inspect his or her personal data.
