Raising Understanding of Biometric Data Usage and Security
Ministry of Digital Development and InformationSpeakers
Summary
This question concerns Mr Zhulkarnain Abdul Rahim’s inquiry on whether the Ministry for Digital Development and Information will increase public awareness of biometric data security, particularly for vulnerable groups, following reports of Worldcoin collecting such data for monetary incentives. Minister for Digital Development and Information Josephine Teo stated that the Personal Data Protection Act (PDPA) governs organizations like Worldcoin and emphasized that biometric data is sensitive because it is unique and unchangeable if compromised. She noted that organizations must implement robust security arrangements and obtain informed consent, while highlighting the Personal Data Protection Commission’s (PDPC) guide on the responsible use of biometric recognition technology. The Minister confirmed that the PDPC is currently engaging Worldcoin regarding its obligations and stands ready to take enforcement action against any organizations that breach the PDPA. Finally, she highlighted ongoing outreach efforts, such as notices for migrant workers and annual awareness weeks, while reminding individuals to exercise caution and understand how their data will be used before providing consent.
Transcript
61 Mr Zhulkarnain Abdul Rahim asked the Minister for Digital Development and Information whether the Ministry will take additional steps to raise the understanding and awareness of biometric data usage and security among the public, especially for vulnerable groups like the elderly or migrant workers, in light of the recent case of private entities like Worldcoin collecting biometric data of users in exchange for monetary incentives.
Mrs Josephine Teo: The Personal Data Protection Act (PDPA) governs the collection, use, disclosure and care of personal data by organisations in Singapore, including Worldcoin. Biometric data – which relate to the physiological, biological or behavioral characteristics of an individual – can form part of the personal data of an individual. The Personal Data Protection Commission (PDPC) has also issued a Guide on Responsible Use of Biometric Data in Security Applications, to advise on risks unique to biometric recognition technology and measures to govern and protect biometric data.
As biometric data are generally unique, they cannot be changed once compromised, unlike passwords or other tokens. Stolen biometric data can therefore be misused by malicious actors to spoof an individual’s identity – in order to access information or systems or conduct scams or other fraudulent activity. Such misuse is harder to defuse because biometric data cannot be changed.
Organisations that handle such data must ensure they put in place the necessary data protection and security arrangements to address these risks, when designing and operating their systems and processes. They must also obtain consent from consumers before collecting their data by giving all necessary information in a manner that is understandable to the consumer.
The PDPC has been engaging Worldcoin on their obligations under the PDPA and will continue to monitor their collection, use and disclosure of personal data, including biometric data. The PDPC may take enforcement action against organisations in Singapore that are found to have breached their obligations under the PDPA. The PDPC also monitors developments in other jurisdictions and is ready to work with international counterparts as necessary.
To support the adoption of good data protection practices, the PDPC conducts educational and outreach activities through events such as the annual Personal Data Protection Week and Privacy Awareness Week. The PDPC has also worked with the Ministry of Manpower to disseminate notices to migrant workers to raise awareness about the importance of keeping their personal data safe.
Ultimately, everyone must exercise judgement and ensure they fully understand how their personal data will be used by whom before giving consent for it to be collected.