Privacy laws applied to the Government at last

by Ngiam Shin Tung

Well, okay, we haven’t really seen the details yet, and we already know that there will be exceptions, and that it will be inherently time-limited because TraceTogether is supposed to go away when COVID-19 comes under control.

But the fact that the Government was forced to give in to calls for legal protection of contact tracing data is a big step forward for Singapore.

The Government has already announced that the legislation will be introduced under a Certificate of Urgency meaning that the First, Second and Third Readings of the Bill will be on the same day.

This is unavoidable as it is necessary to restore public trust in SafeEntry/TraceTogether as soon as possible but it also means that there will be even less opportunity than usual to examine the Bill before it becomes law.

Hopefully, the Government will release drafts of the Bill a reasonable time before it is introduced, rather than its usual practice of only releasing the text of a Bill at its First Reading, which in this case might be the same day that the Bill becomes law.

Here are some things that we should watch out for:

1) What will be protected?

The SNDGO press release mentioned “digital contact tracing solutions, which comprise the TraceTogether Programme and the SafeEntry Programme”, so both platforms will likely be included.

But what about contact tracing information obtained by non-digital means such as interviews?

A 65-year-old woman was recently sentenced to five month jail for trying to conceal her meetings with a male friend from MOH contact tracers.

Would patients and close contacts be more forthcoming with contact tracers if they could be assured that anything they say to contact tracers would be kept confidential under force of law and would only used for controlling disease?

As a side note, while looking at the legislative history of the Infectious Diseases Act, I discovered that healthcare professionals are prohibited, with some exceptions, from disclosing that a person is HIV positive.

Most of those exceptions are related to the treatement or prevention of AIDS, but one of the exceptions is disclosure to a police officer under the Criminal Procedure Code. The exception was added in 2008, but no explanation was given in Parliament as to why it was necessary.

It would be useful for an MP to ask for clarification from the government whether non-digital information provided to contact tracers can be used for any purpose besides disease control.

2) How serious is a “serious crime”?

The Progress Singapore Party (PSP) has issued a statement saying that contact tracing data should only be used for “fighting the pandemic and nothing else”.

I am sympathetic to that view and look forward to PSP Non-Constituency Members of Parliament (NCMPs) Leong Mun Wai and Hazel Poa arguing that position in parliament.

Pragmatically speaking, though, it would be very hard to legislate such a purist position even though other jurisdictions such as Australia have done so.

TraceTogether is certainly not required to conduct contact tracing. MOH contact tracers were very successful durings SARS in 2003, and in the early stages of the COVID-19 pandemic before electronic contact tracing was even introduced. All that digital contact tracing does is to reduce the manpower required and to make the process faster.

Similarly, Police were investigating crimes long before SafeEntry/TraceTogether and will still be able to investigate crimes after the COVID-19 pandemic is controlled and the government has promised that SafeEntry/TraceTogether will be stood down.

The only reason to justify police access to contact tracing data is to speed up investigations where speed is critical (e.g. to prevent imminent likelihood of serious harm to somebody) or where this is no realistic way of obtaining the information (e.g. from a deceased person and where no other witnesses are known).

Looking at the list of of crimes that SNDGO has released, most could be justified on the grounds that speed is critical and that access to the data could reduce the risk of serious harm.

The exception is drug trafficking. While we can argue over the long-term harm that is caused by drug addiction, it is hard to see any scenario where speed would be so essential that it would be necessary to make use of TraceTogether information to prevent imminent harm to others.

I would assume that “drug trafficking” is included in the list more to signal the Government’s “tough on drugs” stance than for actual public safety reasons.

Categories of serious offences to be covered

3) “Clear and pressing need” and “Who decides”?

This is perhaps the most important part of the proposed law that must be scrutinised if it is not possible to hold to the position of a total ban on the use of contact tracing data for anything other than prevention of infectious disease.

The Government says that digital contact tracing data will only be accessed if there is a “clear and pressing need” for it, but what exactly is a “clear and pressing need” and who decides if a specific request passes that criteria.

At a minimum, I would expect that any procedure for accessing contact tracing data would require the investigating officer to clearly specify the reasons for the request, the specific individual whose data is being targeted and why there is a “clear and pressing need” for the data, and that the request should be approved by an independent reviewer such as a Judge in a similar manner to how search warrants are issued today.

It will be meaningless if the investigating officer himself gets to decides that there is a “clear and pressing need” for the data. Might as well not bother with the law in the first place.

The present requirement in the Criminal Procedure Code of police officers above the rank of sergeant or inspector is a very low bar because even Police full-time National Servicemen (NSFs) are routinely appointed as sergeants or inspectors.

If a teenaged Police NSF sergeant is not even old enough to vote, I don’t think he is old enough to decide that there is a “clear and pressing need” to access contact tracing data.

What does the Government mean by “Clear and pressing need”? Does that mean that there is a likelihood of serious harm to an individual if the request for acess is not granted?

If there are alternative means of obtaining the information that the police are looking for, there is no “pressing need” and the request should not be granted.

I would also expect the police to have to demonstrate a reasonably clear idea of what they are looking for, rather than just going on a fishing expedition.

Data retention period

Both TraceTogether and SafeEntry claim that data is deleted for 25 days. That is relatively clear-cut in the case of TraceTogether data on your own app or token.

That would be deleted if you do not test positive within that period. However, you may still leave some digital footprints for much longer than 25 days on other people’s TraceTogether or in the SafeEntry system.

For example, let’s say you briefly said “Hi” to Bob a week ago. Bob tests positive and MOH extracts his TraceTogether data. Under present guidelines, you would not be considered a close contact so MOH will not contact you.

But would MOH decrypt your identifier anyway even though you only met Bob for one minute? And once the identifier is decrypted, how long is the data kept if the subject is never identified as a close contact to be sent for COVID-19 testing?

Similarly, for SafeEntry, if no one who visits a particular location tests positive, MOH is supposed to delete the SafeEntry records for that location after 25 days.

But let’s say Bob visited the supermarket a week before he tested positive and MOH extracts the list of everyone who visited the supermarket around the same time that Bob visited.

But how long is “around the same time”? Does that mean only a few hours or does it mean a few days before and after Bob’s visit? How long do they keep the data if no-one else tests positive besides Bob?

It’s not clear if the proposed legislation would also specify the data retention period (25 days) and most importantly, define the conditions under which data would be retained for longer than 25 days.

Ministerial exemptions

This is one of my pet peeves. Many laws in Singapore give the Minister substantial leeway to exempt people or classes of people from the law, or to unilaterally introduce subsidiary legislation that substantially changes requirements in an Act.

An example of this was under the Personal Data Protection Act, where the Minister for Communications and Information announced exemptions that weakened key parts of the Do Not Call (DNC) registry just a week before the new law was to come into effect.

Likewise, I would not be surprised if provisions that allow the Minister to unilaterally modify the privacy protections on contact tracing data are inserted into the legislation. Given that TraceTogether/SafeEntry are supposed to only be temporary anyway, it does not make sense for the Minister to be given that power.

If the Government wishes to tighten any rules on accessing contact tracing data, they can do that with internal SOPs anyway. If they wish to loosen the rules, they should go back to Parliament since any changes to COVID-19 regulations can be passed quickly under Certificates of Urgency.

For just US$7.50 a month, sign up as a subscriber on Patreon (and enjoy ads-free experience on our site) to support our mission to transform TOC into an alternative mainstream press in Singapore.
Subscribe
Notify of
8 Comments
Newest
Oldest Most Voted
Inline Feedbacks
View all comments

Trending posts

January 2021
MTWTFSS
 123
456