Law Bites – March 2020
The arrival of the Black Swan has triggered the implementation of a slew of response measures. On the business front, organizations are collecting, amongst other data, health and travel declaration information. Questions then invariably arise as to how data privacy laws under the Personal Data Protection Act (PDPA) interplay with the collection, use and/or disclosure of such data during the pandemic.
This Q&A aims to shed light on some of these issues.
Does an organization need to obtain consent to collect personal data of event participants or building visitors as part of its response measures?
If the organization collects names, phone numbers, etc. for the purpose of keeping records of individuals entering the premises or participating in an event, then prior consent needs to be obtained from the individuals.
An organization can, without obtaining prior consent from the individual, disclose personal data of an individual to contact tracers, as this would fall within one of the consent exemptions under the PDPA.
What kind of data is the organization permitted to collect as part of its response measures?
This depends on the data required for the purpose of collection. For example, if the purpose of collection is to keep a record of the individuals who entered the premises, then a phone number is necessary. The full name of the individual may not be strictly necessary. The NRIC number (or any part thereof) should not be collected.
To the extent that personal data is being collected, such data should not be collected in a public document accessible to other individuals (e.g. a lobby visitor logbook). The organization should consider preparing separate forms for each individual that only the organization has access to.
Do health data and travel history information of an individual constitute personal data?
In and of itself, neither of these constitutes personal data under the PDPA.
Do note, however, that health data constitutes sensitive data under the European General Data Protection Regulation, which attracts additional protections such as specific express consent. Organizations with offices both in Singapore and Europe should be cognisant of the differing requirements amongst the various jurisdictions.
How long can an organization retain the personal data?
Personal data should be destroyed once the organization can reasonably assume that the purpose for collection is no longer served by retention and retention is not necessary for legal or business purposes. In the context of the Covid-19 situation, organizations can, as a benchmark, look to official timelines adopted by the government for response measures. For example, it was published that an infected patient’s movements and contacts are traced for the last 14 days for the purpose of contact tracing.*
To avoid unnecessary data breaches in these uncertain times, consider best practices, starting with a set of data protection processes addressing these issues.
*Straits Times article published 9 February 2020, titled “Coronavirus: How contact tracers track down the people at risk of infection”
For further information, please contact:
JTJB Singapore Office