Govt introduces Bill to restrict Police use of TraceTogether data to serious crimes only

The proposed Bill also clarified the penalties for misuse of contact tracing data.

Jason Fan | February 01, 2021, 08:28 PM

The government introduced a Bill in Parliament on Monday (Feb. 1), meant to formalise what Minister-in-Charge of the Smart Nation Initiative Vivian Balakrishnan said about how the government can use contact-tracing data collected by digital contact tracing systems.

This Covid-19 (Temporary Measures) (Amendment) Bill will restrict the use of personal contact tracing data in police investigations to serious offences, and will also spell out the penalties for unauthorised usage.

Seven categories of serious crimes

The Bill will cover the usage of personal contact tracing data recorded in digital contact tracing systems, including TraceTogether (TT), SafeEntry (SE) and Bluepass, which is used for migrant and local workers living or working in dormitories, as well as those in the construction, marine shipyard and process sectors.

It will specify that public sector agencies can use such personal contact tracing data only for the purpose of contact tracing, except when there is a need for police officers and law enforcement officers to use the data for criminal investigations and proceedings, in respect of serious offences.

There are seven categories of serious offences under the proposed Bill:

  1. Unlawful use or possession of corrosive and explosive substances, firearms or dangerous weapons.
  2. An offence relating to the committing, aiding, conspiring, abetting or financing of acts of terrorism under the Terrorism (Suppression of Bombings) Act, Terrorism (Suppression of Financing) Act, and Terrorism (Suppression of Misuse of Radioactive Material) Act.
  3. An offence relating to causing or concealment of death, or maliciously or wilfully causing grievous bodily (where the victim's injury is of a life-threatening nature).
  4. A drug offence that is punishable with death.
  5. An offence relating to escape from custody where there is reasonable belief that the subject will cause imminent harm to others
  6. Kidnapping, abduction or hostage-taking
  7. Any form of serious sexual assault such as rape or sexual assault by penetration.

Any public officer, or contractor engaged by a public sector agency found guilty of unauthorised use or disclosure of personal contact tracing data can be fined up to S$20,000, or sentenced to imprisonment for up to two years, or both.

Current safeguards for data collected

The Smart Nation and Digital Government Office (SNDGO) said that the government will cease the use of TT and SE systems after the pandemic is over, and that public agencies must stop collecting such data, and delete the collected personal contact tracing data as soon as practicable.

Currently, the proximity data collected by the TT programme is encrypted, and stored locally on the user's TT device, and is automatically deleted after 25 days on a rolling basis.

This data is anonymised and encrypted, and does not reveal the user's identity.

When the user is asked to share his data, either when he tests positive for Covid-19 or if it is necessary for a Police investigation related to serious offences, the user will be asked to upload his data with a PIN, and it will be decrypted for the requisite purposes.

Token users will need to hand in their device for the government to extract the data.

Similarly, the personal contact tracing data collected by SE is also encrypted, and stored in the government server.

This data is also automatically purged after 25 days.

SE data related to Covid-19 patients and close contacts, as well as data obtained by the Police in relation to serious offences, will be retained till it is no longer necessary.

Government will delete all personal contact tracing data after the pandemic

These restrictions on the government's use of personal contact tracing data will apply regardless of any other written law stating otherwise.

According to the proposed legislation, these restrictions only apply to contact tracing data which can be used to identify an individual.

It does not prohibit de-identified, aggregated or anonymised data recorded in the digital contact tracing systems from being used in epidemiological research, in order to strengthen Singapore's public health response, or to monitor the effectiveness of safe management measures implemented by businesses.

The Second Reading of the Bill will be held in Parliament on Tuesday (Feb. 2).

Related Stories

Top image via Unsplash.