Bill restricting police use of TraceTogether data introduced in Parliament, with tougher penalties for misuse
SINGAPORE: The Government moved one step closer to formally restricting the use of personal contact tracing data in police investigations to serious offences, as it introduced a Bill in Parliament on Monday (Feb 1) spelling out what these offences are.
According to the COVID-19 (Temporary Measures) (Amendment) Bill, these include offences related to terrorism, drug trafficking, murder, kidnapping and serious sexual offences such as rape.
Personal contact tracing data refers to entry or exit, proximity or other data collected by digital contact tracing systems that identify an individual. The systems include TraceTogether, SafeEntry and BluePass.
The minister can approve the addition of future contact tracing systems that fall under these restrictions. However, the removal of any system will require Parliament’s approval.
In another privacy safeguard, public officers found guilty of misusing personal contact tracing data will face tougher penalties than what is set out in current public sector data protection laws.
This comes after Parliament heard in January that police have the power to order anyone to produce any data, including TraceTogether data, for the purposes of a criminal investigation.
The revelation sparked privacy concerns after the Government had earlier said that TraceTogether data would be strictly used for contact tracing.
READ: Legislation to be introduced setting out serious offences for which TraceTogether data can be used for police probe
Minister-in-charge of the Smart Nation Initiative Vivian Balakrishnan then clarified that the police can obtain TraceTogether data only through a person involved in the investigation.
Law and Home Affairs Minister K Shanmugam also told the House that the use of the data would be restricted to “very serious offences”, before the Government said it would introduce legislation to “formalise these assurances”.
“If a serious criminal offence has been committed, the police must be able to use this data to bring the perpetrators to justice, seek redress for the victims, and protect society at large,” the Smart Nation and Digital Government Office (SNDGO) had said.
On that note, SNDGO said the data cannot be used in the investigations, inquiries or court proceedings of any other offence besides those in these seven categories:
The list of categories cannot be amended without Parliament’s approval, the Bill stated.
A spokesperson from the Ministry of Home Affairs told CNA on Monday that within the police, all requests for contact tracing data must be approved by the Criminal Investigation Department, which is the “staff authority” for all investigation-related matters.
“These restrictions on the Government’s use of personal contact tracing data will apply regardless of any other written law stating otherwise,” SNDGO said in a news release on Monday.
READ: TraceTogether: PAP MPs say proposed legislation addresses concerns; PSP suggests data should only be used for contact tracing
While this legislation restricts the use of personal contact tracing data, agencies can still use de-identified, aggregated or anonymised data recorded in contact tracing systems in epidemiological research to strengthen public health responses, or to monitor the effectiveness of safe management measures implemented by businesses, SNDGO said.
This data includes the total number of check-ins and check-outs at a mall, for instance.
Any public officer, or contractor engaged by a public sector agency, found guilty of unauthorised use or disclosure of personal contact tracing data can be fined up to S$20,000 and/or jailed for up to two years, it added.
This is higher than the baseline penalty found under the Public Sector (Governance) Act, which provides for a maximum fine of S$5,000 and/or two years’ jail.
“Once the pandemic is over, the Government will cease the use of the TraceTogether and SafeEntry systems,” SNDGO said. “Public agencies must then stop collecting such data, and delete the collected personal contact tracing data as soon as practicable.”
Regardless, the proximity data collected and stored on users’ TraceTogether devices are automatically deleted after 25 days on a rolling basis.
READ: Behind the scenes of a COVID-19 contact tracer’s work, tough cases and how TraceTogether has helped
To date, more than 80 per cent of the population have either downloaded the TraceTogether app or collected the TraceTogether token, SNDGO said. Digital contact tracing tools have shortened the average time required for contact tracing from four days to fewer than 1.5 days.
Effective contact tracing requires the “strong support and active usage” of the TraceTogether app or token, SNDGO stated.
“The Government is introducing this Bill under extraordinary circumstances,” it added. “The legislation is intended to remove any doubt about what personal contact tracing data can be used for.”
The Bill is being moved in Parliament under a Certificate of Urgency, which means it could, if deemed urgent, be put through all three readings in the same sitting.