Singapore will only allow police to access personal data from its coronavirus contact-tracing app for “serious” criminal investigations, a move aimed at addressing privacy concerns among users and to safeguard against its unauthorised use.
An amendment to a COVID-19 bill – tabled in parliament this week – will only allow authorities to use data collected from contact tracing in investigations into seven types of crime, with strict penalties including jail for unauthorised use.
When the coronavirus pandemic is over, the government will stop using the contact tracing systems, and public agencies must stop collecting data and delete all personal information collected, according to the bill.
The changes to the law relating to use of data from the app – developed to curb the spread of the virus and used by nearly 80% of Singapore’s 5.7 million population – are expected to be enacted this month.
“The government is introducing this bill under extraordinary circumstances,” Singapore’s Smart Nation and Digital Government Office (SNDGO) said in a statement on Monday.
“The legislation is intended to remove any doubt about what personal contact tracing data can be used for.”
The coronavirus outbreak has empowered authorities worldwide to increase surveillance, with human rights groups expressing concerns that technologies such as contact-tracing apps will persist even after the pandemic ends.
Singapore’s TraceTogether scheme, deployed as both a phone application and a physical device, is mandatory for entering shopping malls and public places.
Authorities initially said the contact tracing system’s data was encrypted, stored locally, and only used if individuals tested positive for COVID-19.
But last month, officials said the data had been used in a criminal investigation, raising questions over privacy and surveillance.
“I take full responsibility for this mistake, and I deeply regret the consternation and anxiety caused by my mistake,” Vivian Balakrishnan, minister in charge of the Smart Nation initiative, told parliament on Tuesday.
Under the proposed bill, contact tracing data may be used to investigate offences including terrorism, rape, murder and drug trafficking, balancing the need to protect people’s data with the need to allow police to access information to help solve serious crimes to maintain safety and security, he said.
Having “clear legal limitations on the use of contact tracing and other personal data is obviously better than not having them”, but there is now a question of what else the Singapore government can change, said Sutawan Chanprasert, founder of digital rights non-profit DigitalReach.
“Explicit limitations on state powers are needed. Or the state could easily change its mind and include other conditions later,” she told the Thomson Reuters Foundation.
“Surveillance, identification and tracking can easily lead to abuse and discrimination.”
The World Health Organization has said that surveillance systems that capture data for the COVID-19 response must be transparent, respond to concerns of communities, and not infringe on people’s privacy.
After it made a U-turn on the use of its contact tracing data, Singapore was “right to correct the mistake and put up a defined set of exceptions”, said Harish Pillay, a software engineer and member of the opposition Progress Singapore Party.
“It is a mea culpa. It is about trying to make sure that the trust that we need to overcome the pandemic is not compromised,” he said.
A universal digital rights law is also needed that spells out what a citizen’s rights are and what action can be taken when these are contravened, said Pillay.
“It is one thing to say that the government has measures in place to keep things confidential … but we need proper oversight by independent citizens to ensure that these are indeed done in the manner that it is claimed,” he said.