MDDI's response to PQ on Raising Understanding of Biometric Data Usage and Security
Parliament Sitting on 10 September 2024
QUESTION FOR ORAL ANSWER
*61. Mr Zhulkarnain Abdul Rahim asked the Minister for Digital Development and Information whether the Ministry will take additional steps to raise the understanding and awareness of biometric data usage and security among the public, especially for vulnerable groups like the elderly or migrant workers, in light of the recent case of private entities like Worldcoin collecting biometric data of users in exchange for monetary incentives.
Answer:
The Personal Data Protection Act (PDPA) governs the collection, use, disclosure and care of personal data by organisations in Singapore, including Worldcoin. Biometric data – which relate to the physiological, biological or behavioral characteristics of an individual – can form part of the personal data of an individual. The Personal Data Protection Commission (PDPC) has also issued a Guide on Responsible Use of Biometric Data in Security Applications, to advise on risks unique to biometric recognition technology and measures to govern and protect biometric data.
As biometric data are generally unique, they cannot be changed once compromised, unlike passwords or other tokens. Stolen biometric data can therefore be misused by malicious actors to spoof an individual’s identity – in order to access information or systems or conduct scams or other fraudulent activity. Such misuse is harder to defuse because biometric data cannot be changed.
Organisations that handle such data must ensure they put in place the necessary data protection and security arrangements to address these risks, when designing and operating their systems and processes. They must also obtain consent from consumers before collecting their data by giving all necessary information in a manner that is understandable to the consumer.
The PDPC has been engaging Worldcoin on their obligations under the PDPA and will continue to monitor their collection, use and disclosure of personal data, including biometric data. The PDPC may take enforcement action against organisations in Singapore that are found to have breached their obligations under the PDPA. The PDPC also monitors developments in other jurisdictions and is ready to work with international counterparts as necessary.
To support the adoption of good data protection practices, the PDPC conducts educational and outreach activities through events such as the annual Personal Data Protection Week and Privacy Awareness Week. The PDPC has also worked with MOM to disseminate notices to migrant workers to raise awareness about the importance of keeping their personal data safe.
Ultimately, everyone must exercise judgement and ensure they fully understand how their personal data will be used, and by whom, before giving consent for it to be collected.