Using cutting-edge tools like an Artificial Intelligence Monitoring System or a Biometric Access System on your property can greatly improve security and productivity. But in Singapore, the Personal Data Protection Act (PDPA) tightly controls how they can be used [1]. Not following the rules could lead to big fines and damage to your reputation. This guide gives you a clear, step-by-step checklist to make sure that your use of facial recognition door access or AI video analytics is legal and doesn’t violate anyone’s privacy.
The main idea is to notify people, explain the purpose, and make sure that purpose is reasonable.
The PDPA says that personal data (including pictures that can be used to identify people) can only be collected and used for a “reasonable purpose,” and people must be “notified” of that purpose [1]. For surveillance, this means safety and security, not secret monitoring or profiling.
Your PDPA-Aware Deployment Checklist
When you plan your system with VSS vendors in Singapore, use this framework.
✅ 1. Transparency and Notification (The Most Important Step)
- Clear Signage: Put up clear signs at all entrances and in areas that are being watched. The signs should state that CCTV/AI monitoring is in operation, the reason (for example, “for safety and security”), and the name and contact information for the organization in charge [1], [2].
- Public Notification: For employee areas, make sure to include the use of surveillance systems in policy documents or employee handbooks. In public places, signage is the main way to notify people.
✅ 2. Data Collection and Purpose Limitation
- Define a Specific Purpose: Write down the exact reason why you are using AI or biometrics. Is it for “controlling access to a restricted server room” or “checking that safety helmets are being worn in dangerous areas”? The amount of data collected must not be more than what is needed for this purpose [1].
- Don’t collect too much: Do not use facial recognition in break rooms or other private areas. Cameras should be set up to watch certain areas of interest, like gates, perimeters, and asset storage, rather than to keep an eye on people in general [2].
✅ 3. Security and Data Protection
- Encryption: Make sure that all data is encrypted, both in transit (from the camera to the server) and at rest (on your NVR/storage). This is non-negotiable for sensitive biometric templates [3].
- Access Controls: Only let certain people use the surveillance system and its data. Keep logs of who watched the footage, when, and why [3].
- Vendor Responsibility: If you use a cloud-based AI monitoring system, your vendor is a “data intermediary.” Your contract must clearly spell out their duties under the PDPA, such as keeping your data safe, letting you know if there is a breach, and following your instructions [1].
✅ 4. Retention and Disposal
- Set a Retention Policy: Set a clear time frame for keeping footage and biometric data, and stick to it. For general safety, 30 days is a common time frame. It could be longer for access logs. The most important thing is that retention should not be longer than what is needed for your stated purpose [4].
- Safe Disposal: Set up a way to safely and permanently delete data after the retention period has ended, such as by automatically overwriting it or certifying its destruction [4].
✅ 5. Consent Considerations for Biometrics
The PDPA says that biometric data is private [1].
- Access Control: If you have a Biometric Access System (like facial recognition door access for employees), you can usually rely on “deemed consent” for workplace access, as long as you make it clear to them [2].
- Visitor Management: It’s best to get clear permission from visitors. Make sure that visitors know that their biometric and image data will be collected for security and access reasons, and how long it will be kept [2].
✅ 6. Accuracy and Responsibility with AI Systems
- AI Model Scrutiny: Be aware of the possibility of bias or error in your Artificial Intelligence Monitoring System. A “people counting” system is less likely to invade people’s privacy than one that makes decisions based on their individual traits [5].
- Human-in-the-Loop: Make sure there is a human review process for important decisions, like flagging a security threat. Do not depend only on AI decisions that have a big impact on people [5].
A Special Note About Facial Recognition in Public and Common Areas
It is okay to use facial recognition door access to get into condos, offices, or construction sites as long as you let people know ahead of time [2]. However, using it to track movement patterns or for undisclosed analytics is an invasion of privacy. Always be open and collect as little data as possible.
The Last Step: The Compliance Document
Before you go live, make a simple PDPA Compliance Document for your system that says [1]:
- The reason for collecting data.
- The places where all the notification signs are.
- Your rules for keeping and protecting data.
- How to deal with requests from people to access data.
When you include privacy-by-design in your security planning, you build trust and a strong, legally sound framework. This lets you take advantage of AI and biometric technology to improve safety and efficiency while still following the law in Singapore.
References
[1] Personal Data Protection Commission (PDPC), Singapore. (2020, revised 2024). Advisory Guidelines on the Personal Data Protection Act for Selected Topics.
[2] Building and Construction Authority (BCA), Singapore. (2022). Circular on Enhancing Safety at Construction Sites. Note: This document is typically available through the BCA portal but requires a login.
[3] Cybersecurity Agency of Singapore (CSA). (2023). Cybersecurity Best Practices for Critical Information Infrastructure.
[4] Shunamite Pte Ltd. (2023). Data Retention and Disposal Policy for Surveillance Systems.
[5] Shunamite Pte Ltd. (2023). AI-Powered Video Analytics for Construction Site Safety.





