Commentary: Contact tracing aside, you should worry if you have to report your whereabouts to your boss after work
Employees may find the collection of personal data intrusive but laws limit how far the contact tracing measures can go, says lawyer Lee In Hae.
SINGAPORE: After long lockdowns all over the world, countries are looking to ease them.
But the lifting of lockdowns means we are looking to resuming our daily activities with the fear of COVID-19 still hanging over us.
This means that governments and possibly employers will have to integrate various contact tracing measures into our routine.
The idea behind contact tracing is to take stock of where and when we come into contact with others for a significant period of time, so that we can track and curb the virus' transmission.
That said, how much information can employers collect from employees in the name of contact tracing?
After all, giving our name, mobile phone number, location data, and movement record risks invasion of privacy.
It pays to know what can be considered legitimate contact tracing as opposed to unwarranted surveillance.
GOVERNMENT-SANCTIONED CONTACT TRACING
The Government has two digital tools – SafeEntry and TraceTogether – for contact tracing.
It is interesting to note however that the Personal Data Protection Act 2012 (PDPA) does not impose the data protection obligations on "any public agency", which includes the government, including any ministry department, agency, or organ of State.
In other words, the Government does not need to obtain individuals' consent to disclose personal data to another public agency.
Further, under the Criminal Procedure Code, the police has the power to obtain data for any investigation or trial.
However, considering that both SafeEntry and TraceTogether websites express that the data collected will be used for the specific purpose of contact tracing only, public agencies will be slow to use the data for any other purposes, at the risk of losing public trust.
WHY PRIVATE CONTACT TRACING
In addition to SafeEntry and TraceTogether, employers have to implement their own forms of contact tracing at their premises - not only to comply with the Ministry of Manpower’s (MOM) Safe Management Measures advisory, but also for business continuity.
If there is an inspection, employers must be able to produce records of inspections and checks conducted and corrective actions taken.
For the manufacturing sector specifically, the Government has also advised tracking all interactions between individuals or groups who are in close contact or proximity for 30 minutes or more, inclusive of the location whenever relevant.
In terms of business costs, data to show where an individual has been for prolonged periods within the workplace could make the difference between having to close down a whole floor versus closing only a small section of the workspace with minimal business disruption.
MOM’s advisory states that if someone at the workplace is a confirmed case, employers should immediately vacate and cordon-off, clean and disinfect "the immediate section" of the premises where the confirmed case worked.
There is no need to vacate the building or the whole floor if there had been no sustained and close contact with the confirmed case.
Internal contact tracing data can help in better defining the area to be vacated, especially where employees do not have a fixed station or have to leave their stations often.
METHODS OF PRIVATE CONTACT TRACING
Depending on the nature of workplace - whether indoors, outdoors, in the office or a retail shop - the number of employees, and the budget available, employers may choose different options for contact tracing.
If there are CCTVs in place, employers may decide that it is convenient and cost-effective to use them to collect video footages of the employees within the workplaces.
Businesses could engage app developers for a bespoke solution, or build on the TraceTogether model to record “close contacts” – the exchanges of Bluetooth signals with nearby phones.
In the latter case, only the phone number and an ID assigned to the phone will be collected, and no location data will be collected.
Employers could also introduce wearable technology – a watch, lanyard or pen-shaped trackers that employees can carry with them during working hours. Imagine a fitness tracker, except for contact tracing.
Some of these use the exchanges of Bluetooth signals to track interactions between employees or even map out where in the workplace the infected employee has been and for how long, using Bluetooth beacons installed in the workplace.
READ: Commentary: The case for universal digital access, as home-based computing becomes a post-pandemic norm
This may be the best option that ensures the privacy of employees among the options considered here.
As a dedicated hardware for the specific purpose of contact tracing, it can simply be taken off outside of working hours unlike apps installed on phones.
Also, unlike CCTV footages where individuals are identified by their images, wearables can capture close contacts in the form of exchange of anonymous IDs, which will require an additional step of decryption to associate back to specific individuals.
Lastly, despite the risk of incomplete and inaccurate records, small businesses may decide to keep manual records – of when employees enter the workplace, where they are stationed, a list of their meetings, who the contacts are that they meet and for how long.
WHAT ARE MY PRIVACY RIGHTS?
Employees may feel that all of these measures are a little intrusive - and they are, to varying degrees – and feel a little helpless.
On one hand, employees would be required to accept the employers' contact tracing measures as long as they comply with the government’s requirements for Safe Management Measures.
On the other hand, however, the PDPA does limit how far the contact tracing measures can go, in three aspects in particular.
First, there’s the purpose limitation obligation. Personal data collected for the purpose of internal contact tracing should not be used or disclosed for any other purposes, unless consent is obtained or it is authorised under the law.
For example, an in-house app deployed for the sole purpose of contact tracing cannot then be used to check how employees spend their break time for the purpose of monitoring productivity.
Your employers shouldn’t be using the app to count how long you were away from your desk during your appraisal.
By the same logic, employers should be conducting contract tracing during working hours, at the workplace only.
So, if you head down to your nearest coffeeshop in the middle of the night to grab a cup of coffee or a snack, your boss doesn’t need to know.
Second, organisations must protect personal data in its possession or under its control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks.
In the case of the digital tools mentioned above, the personal data involved would be the CCTV footages where the employees are identifiable, or any data collected by the app or the wearables from which the individual employees can be identified - for example, mobile phone number or the location data.
The data should be accessed only by the designated personnel and adequately protected with strong passwords and encrypted storage.
Third, under the PDPA’s retention limitation obligation, companies must not keep the collected data once its original purpose is no longer being served.
The Government's guidelines for the manufacturing sector, for instance, requires contact tracing records to be kept for at least one month.
The Personal Data Protection Commission's (PDPC) advisory on this topic recommends companies to implement appropriate policies on their contact tracing measures, which should include explanation on how they comply with the above obligations.
In case of breach of PDPA obligations, including the failure to have appropriate policies in place, the PDPC has the power to give directions for companies to take corrective actions as well as to require payment of a financial penalty not exceeding S$1 million.
To protect their personal data, employees should be aware of and give their input on the policies to their employers or, if necessary, consider applying to the PDPC for a review of the suspected breach of the PDPA.
Contact tracing tools are currently pitched as something with a clear sunset horizon, that will last until the end of this pandemic.
However, if left unchecked, employers may take this opportunity to establish workplace monitoring as a new norm and continue with it even after the pandemic.
Worse, employers may even try to use it to monitor their staff’s movements outside of work for reasons other than contact tracing.
We may especially see this happen if work places transit to a remote working model on a more permanent basis, where employers may be tempted to use such apps to keep track of their staff.
Either of these possibilities will not only be taking a step backwards in terms of building a relationship of trust between employer and employee, but also with how we treat the privacy of personal data as a society.
Employees can help in preventing that from happening. The law empowers them to.
Lee In Hae, is Senior Associate of Intellectual Property & Technology at Withers KhattarWong.