Generally, organisations may continue to use the personal data collected prior to the effective date of the data protection rules, unless you withdraw your consent (if consent had previously been given) or indicate that you do not consent to such use of the personal data. Consent will need to be obtained if the existing data is to be used for a new purpose different from the purpose for which it was collected, or if the existing data is to be disclosed to another organisation or individual, unless any exception applies. These exceptions are set out in the Second, Third and Fourth Schedules of the PDPA respectively. This includes exceptions catering to certain emergency situations, investigations, publicly available data or where the personal data is used for evaluative purposes.
For example, if a company has been using your personal data to provide after-sales customer support prior to the PDPA, it can continue to do so after the PDPA comes into effect, even if it did not obtain consent previously. However, if it now intends to use the same personal data for direct marketing where it had not collected the personal data for this purpose, consent will need to be obtained for such a purpose. If the organisation wishes to use the personal data for telemarketing, it will separately have to ensure compliance with the DNC provisions under the PDPA.
Generally, organisations may continue to use the personal data that was collected prior to the effective date of the data protection rules, for the reasonable purposes for which the personal data was collected.
Organisations may collect personal data of visitors to premises where it is necessary for purposes of contact tracing and other response measures in the event of an emergency, such as during the outbreak of COVID-19.
In the event of a COVID-19 case, your personal data can be collected, used and disclosed without consent to carry out contact tracing and other response measures, pursuant to sections 1(b) of the Second, Third and Fourth Schedules to the PDPA, as this is necessary to respond to an emergency that threatens the life, health or safety of other individuals.
As organisations may require NRIC/FIN/passport numbers to accurately identify individuals in the event of a COVID-19 case, organisations may collect your NRIC, FIN or passport number where it is necessary for this purpose.
Organisations that collect such personal data must comply with the Data Protection Provisions of the PDPA, such as making reasonable security arrangements to protect the personal data in their possession from unauthorised access or disclosure (e.g. ensure visitor logbooks are kept secured from other visitors), and ensuring that the personal data is not used for other purposes without consent or authorisation under the law. Organisations should also expunge the data when it is no longer needed for contact tracing-related purposes.
© 2020 Government of Singapore.