Singapore's Personal Data Protection Act may have kicked in earlier this month, but not all security guards and building front-line staff are prepared for the new law, which mandates they must answer questions by visitors on how data is used and stored.
A check by The Straits Times at several building reception counters, where security guards routinely ask visitors to hand over their identity cards to gain entry, found that few had all the answers at their fingertips.
With the full implementation of the Act on July 2, visitors must be informed of what information on them is collected and what the data is used for.
A person may also request in writing for access to his personal data held by the building owner.
The Straits Times visited five commercial buildings: One Raffles Quay, One Marina Boulevard, Raffles City Tower, Mapletree Business City in Pasir Panjang Road and the SGX Centre in Shenton Way.
One Raffles Quay's building owner holds on to a person's identity card in exchange for a visitor's pass, which is allowed under the Act. As such, no personal data is recorded.
The other four buildings record a visitor's name, contact details and identity card number into a computer.
Their security guards were asked four questions:
- What personal data is collected?
- What is the data used for?
- How long is the data kept?
- How may a visitor access his recorded personal information held by the building owner?
Answers to the first two questions were readily available at One Marina Boulevard and Raffles City Tower, which had a notice stating that visitors' personal data would be collected for "security" and "emergency" purposes.
The notice at One Marina Boulevard contained the e-mail address of its security chief, while the Raffles City Tower security manager's e-mail address was given only when requested.
When contacted, both confirmed the purpose was for "contact tracing" during emergencies like a severe acute respiratory syndrome outbreak.
One Marina Boulevard's security chief could not confirm how long a visitor's personal data would be kept, while Raffles City Tower's security manager said data is stored for six months from the date of the last visit.
When asked to access personal data held, One Marina Boulevard's security chief required the exact date and time of this reporter's last visit, as well as the identity card number, before doing so.
However, Raffles City Tower's security manager did not provide such access. Over at Mapletree Business City and SGX Centre, no "personal data protection" notices were displayed.
A security guard at Mapletree Business City said data collection was for tracking people entering and leaving the building.
He supplied two phone numbers for reaching the building's fire control chief and manager of operations. The former could not answer any questions except to say that data collection is a "normal process", while the latter had left the job five months earlier.
A security guard at SGX Centre said visitors' personal data is "flushed out" when they leave the building. However, its security chief said a visitor's name and identity card number would be kept for "a few years".
Both Mapletree Business City and SGX Centre did not have a process for visitors to access any of their personal data held.
When contacted, a spokesman at Mapletree Investments, which owns Mapletree Business City, said it will continue to work with its security contractor "to equip staff with better knowledge".
Singapore Land, which owns SGX Centre, could not be reached for comment.