Safeguarding TraceTogether Data (PQ Reply by Minister Josephine Teo)

Measures to prevent personal information from TraceTogether usage from being hacked

Fourteenth Parliament of Singapore – First Session for the Sitting on 5 October 2021

Question

Mr Gan Thiam Poh asked the Prime Minister in view of the increasing use of TraceTogether at many locations (a) what are the risks of all the personal information being hacked and appropriated at various data collection centres; and (b) what measures are in place to prevent such attacks.

Answer

Written answer by Mrs Josephine Teo, Minister for Communications and Information and Minister-in-charge of Smart Nation and Cybersecurity (for the Prime Minister)

Bluetooth proximity data recorded by TraceTogether is encrypted, stored locally on the user’s phone or token, and automatically deleted after 25 days. The data remains on the personal device unless required by the relevant authorities for contact tracing or other legally permitted purposes. In such instances, the data is uploaded to and stored on Government servers, where it is safeguarded in accordance with the public sector cybersecurity and data security requirements, including the recommendations made by the Public Sector Data Security Review Committee. In particular:

1. The TraceTogether databases are encrypted;
2. Additional field level encryption or hashing are applied to personal identifiers;
3. All access to the data is logged and monitored; and
4. Systems are required to undergo penetration testing annually.

Additionally, under the COVID-19 (Temporary Measures) Act, public officers who recklessly or knowingly disclose personal digital contact tracing data without authorisation, or who misuse the data, may be liable to a fine of up to $20,000 or imprisonment of up to two years, or both.