Bill introduced to make clear TraceTogether, SafeEntry data can be used to look into only 7 types of serious crimes

The Covid-19 (Temporary Measures) (Amendment) Bill stipulates that any unauthorised use or disclosure of personal contact tracing data is an offence. ST PHOTO: LIM YAOHUI

SINGAPORE - Contact tracing data is reserved strictly for the fight against the coronavirus and investigations into the most serious crimes, under proposed legal changes that will override all other legislation.

This means that public agencies cannot cite other laws to compel the use or disclosure of the personal data. It can be used only for tracing contacts to combat the pandemic or for investigations into very serious crimes such as murder and terrorism.

The proposed law follows an outcry after it emerged the police could obtain TraceTogether data for criminal inquiries.

Called the Covid-19 (Temporary Measures) (Amendment) Bill, it protects information including that of nearby contact tracing device users, the places people visited and personal information such as their names, identification numbers and contact details.

The Bill was introduced in Parliament on Monday (Feb 1) by Minister Vivian Balakrishnan on a Certificate of Urgency, which means that the proposed law is urgent enough to be put through all three readings in one parliamentary sitting, instead of separate sessions.

Dr Balakrishnan, who is Foreign Minister, is also Minister-in-charge of the Smart Nation Initiative, and introduced the Bill on behalf of Law Minister K. Shanmugam.

The Smart Nation and Digital Government Office (SNDGO) said in a statement on Monday that the Government is introducing the Bill "under extraordinary circumstances".

"For contact tracing to be carried out effectively, we continue to require the strong support and active usage of the TraceTogether app or token, to keep ourselves and Singapore safe," said the office. "The legislation is intended to remove any doubt about what personal contact tracing data can be used for."

The Bill also stipulates that any unauthorised use or disclosure of personal contact tracing data is an offence. Those found guilty of flouting the rule can be fined up to $20,000, jailed up to two years or both.

This is higher than the penalties under the Public Sector (Governance) Act, which states that public officers who recklessly or knowingly disclose the personal data of Singaporeans without authorisation or misuse it may be fined $5,000, jailed for two years, or both.

The proposed law's introduction follows an outcry after Minister of State for Home Affairs Desmond Tan revealed on Jan 4 that under the Criminal Procedure Code, the police can obtain any data under Singapore's jurisdiction for criminal investigations, including TraceTogether data.

It appeared to contradict statements the Government had made last year - that TraceTogether data would be used only for contact tracing to tackle the pandemic.

On Jan 8, the SNDGO said a Bill would be tabled in Parliament to formalise assurances made earlier that data from the TraceTogether contact tracing programme, if needed for criminal investigations, can be used to look into only seven categories of serious offences.

It said at the time that it was "not in the public interest to completely deny the police access to such data, when the safety of the public or the proper conduct of justice is at stake".

But the office added: "We acknowledge our error in not stating that data from TraceTogether is not exempt from the Criminal Procedure Code."

The seven types of serious crime listed in the Bill cannot be changed without Parliament's approval. The Ministry of Home Affairs said that within the police, all requests for contact tracing data must be approved by the Criminal Investigation Department.

On Monday, the SNDGO said contact tracing must continue to be done well so that Singapore can manage the Covid-19 crisis successfully, ring-fence cases quickly and keep community cases from rising.

It cited how TraceTogether, together with other digital contact tracing tools, has shortened the average time required for contact tracing from four days to fewer than 1½ days.

So far, more than 80 per cent of the population have either downloaded the TraceTogether app or collected the token.

The new Bill covers personal data collected through digital contact tracing solutions, including the Government's TraceTogether and SafeEntry programmes, as well as the private sector's BluePass programme which contributes data to TraceTogether.

Removing any of these from the Bill requires Parliament's approval but adding more solutions, and thus limiting the use of more data, can be approved by a minister.

The TraceTogether app and token exchange Bluetooth signals with nearby users to quickly track those who are exposed to Covid-19 patients.

SafeEntry logs the places a person has visited via QR code scanning.

BluePass includes contact tracing tokens used by migrant and local workers living or working in dormitories, as well as those in the construction, marine shipyard and process sectors. The BluePass tokens are compatible with the TraceTogether token or app, which means they can exchange information with one another.

The proposed law protects only contact tracing data which identifies an individual.

It does not cover aggregated or anonymised data that does not identify a person, which the SNDGO said may be used in epidemiological research to "strengthen our public health response", or to monitor the effectiveness of safe management measures businesses put in place.

After the pandemic is over, the Government will stop using the TraceTogether and SafeEntry systems, said the SNDGO.

Public agencies must then stop collecting data under the two programmes and delete the personal contact tracing data collected as soon as reasonably possible.

Parliament will debate the Bill on Tuesday. If passed, the amendments to the law are expected to come into force in the middle of February.

Join ST's WhatsApp Channel and get the latest news and must-reads.