Personal Data Protection Act 2012

Personal Data Protection Act 2012 (2012)
Parliament of Singapore

REPUBLIC OF SINGAPORE

GOVERNMENT GAZETTE

ACTS SUPPLEMENT

Published by Authority



NO. 25] FRIDAY, DECEMBER 7 [2012


First published in the Government Gazette, Electronic Edition, on 3rd December 2012 at 5:00 pm.

The following Act was passed by Parliament on 15th October 2012 and assented to by the President on 20th November 2012:—

PERSONAL DATA PROTECTION ACT 2012

(No. 26 of 2012)

ARRANGEMENT OF SECTIONS

PART I
PRELIMINARY
Section
1. Short title and commencement
2. Interpretation
3. Purpose
4. Application of Act
PART II
PERSONAL DATA PROTECTION COMMISSION AND ADMINISTRATION
5. Personal Data Protection Commission
6. Functions of Commission
7. Advisory committees
8. Delegation
9. Administration Body
10. Co-operation agreements
PART III
GENERAL RULES WITH RESPECT TO PROTECTION OF PERSONAL DATA
11. Compliance with Act
12. Policies and practices
PART IV
COLLECTION, USE AND DISCLOSURE OF PERSONAL DATA
Division 1—Consent
13. Consent required
14. Provision of consent
15. Deemed consent
16. Withdrawal of consent
17. Collection, use and disclosure without consent
Division 2—Purpose
18. Limitation of purpose and extent
19. Personal data collected before appointed day
20. Notification of purpose
PART V
ACCESS TO AND CORRECTION OF PERSONAL DATA
21. Access to personal data
22. Correction of personal data
PART VI
CARE OF PERSONAL DATA
23. Accuracy of personal data
24. Protection of personal data
25. Retention of personal data
26. Transfer of personal data outside Singapore
PART VII
ENFORCEMENT OF PARTS III TO VI
27. Alternative dispute resolution
28. Power to review
29. Power to give directions
30. Enforcement of directions of Commission in District Court
31. Reconsideration of directions or decisions
32. Right of private action
PART VIII
APPEALS TO DATA PROTECTION APPEAL COMMITTEE, HIGH COURT AND COURT OF APPEAL
33. Data Protection Appeal Panel and Data Protection Appeal Committees
34. Appeal from direction or decision of Commission
35. Appeals to High Court and Court of Appeal
PART IX
DO NOT CALL REGISTRY
Division 1—Preliminary
36. Interpretation of this Part
37. Meaning of “specified message”
38. Application of this Part
Division 2—Administration
39. Register
40. Applications
41. Evidence
42. Information on terminated Singapore telephone number
Division 3—Specified message to Singapore telephone number
43. Duty to check register
44. Contact information
45. Calling line identity not to be concealed
46. Consent
47. Withdrawal of consent
48. Defence for employee
PART X
GENERAL
49. Advisory guidelines
50. Powers of investigation
51. Offences and penalties
52. Offences by bodies corporate, etc.
53. Liability of employers for acts of employees
54. Jurisdiction of court
55. Composition of offences
56. General penalties
57. Public servants
58. Evidence in proceedings
59. Preservation of secrecy
60. Protection from personal liability
61. Symbol of Commission
62. Power to exempt
63. Certificate as to national interest
64. Amendment of Schedules
65. Power to make regulations
66. Rules of Court
67. Related and consequential amendments
68. Savings and transitional provision
First Schedule—Constitution and proceedings of Personal Data Protection Commission
Second Schedule—Collection of personal data without consent
Third Schedule—Use of personal data without consent
Fourth Schedule—Disclosure of personal data without consent
Fifth Schedule—Exceptions from access requirement
Sixth Schedule—Exceptions from correction requirement
Seventh Schedule—Constitution and proceedings of Data Protection Appeal Panel and Data Protection Appeal Committees
Eighth Schedule—Exclusion from meaning of “specified message”
Ninth Schedule—Powers of investigation of Commission and inspectors

REPUBLIC OF SINGAPORE


No. 26 of 2012.

I assent.

TONY TAN KENG YAM,
President.
20th November 2012.




An Act to govern the collection, use and disclosure of personal data by organisations, and to establish the Personal Data Protection Commission and Do Not Call Register and to provide for their administration, and for matters connected therewith, and to make related and consequential amendments to various other Acts.

Be it enacted by the President with the advice and consent of the Parliament of Singapore, as follows:

PART I
PRELIMINARY

Short title and commencement

1. This Act may be cited as the Personal Data Protection Act 2012 and shall come into operation on such date as the Minister may, by notification in the Gazette, appoint.

Interpretation

2.—(1) In this Act, unless the context otherwise requires—

“Administration Body” means the Administration Body appointed under section 9;

“advisory committee” means an advisory committee appointed under section 7;

“Appeal Committee” means a Data Protection Appeal Committee nominated under section 33(4);

“Appeal Panel” means the Data Protection Appeal Panel established under section 33(1);

“appointed day” means the date of commencement of Parts III to VI;

“authorised officer”, in relation to the exercise of any power or performance of any function or duty under any provision of this Act, means a person to whom the exercise of that power or performance of that function or duty under that provision has been delegated under section 8(2);

“benefit plan” means an insurance policy, a pension plan, an annuity, a provident fund plan or other similar plan;

“business” includes the activity of any organisation, whether or not carried on for purposes of gain, or conducted on a regular, repetitive or continuous basis, but does not include an individual acting in his personal or domestic capacity;

“business contact information” means an individual’s name, position name or title, business telephone number, business address, business electronic mail address or business fax number and any other similar information about the individual, not provided by the individual solely for his personal purposes;

“Chairman” means the Chairman of the Commission appointed under paragraph 1(1) of the First Schedule;

“Commission” means the Personal Data Protection Commission established under section 5;

“credit bureau” means an organisation which—

(a) provides credit reports for gain or profit; or
(b) provides credit reports on a routine, non-profit basis as an ancillary part of a business carried on for gain or profit;

“credit report” means a communication, whether in written, oral or other form, provided to an organisation to assess the creditworthiness of an individual in relation to a transaction between the organisation and the individual;

“data intermediary” means an organisation which processes personal data on behalf of another organisation but does not include an employee of that other organisation;

“document” includes information recorded in any form;

“domestic” means related to home or family;

“education institution” means any organisation that provides education, including instruction, training or teaching, whether by itself or in association or collaboration with or by affiliation with any other person;

“employee” includes a volunteer;

“employment” includes working under an unpaid volunteer work relationship;

“evaluative purpose” means—

(a) for the purpose of determining the suitability, eligibility or qualifications of the individual to whom the data relates—
(i) for employment or for appointment to office;
(ii) for promotion in employment or office or for continuance in employment or office;
(iii) for removal from employment or office;
(iv) for admission to an education institution;
(v) for the awarding of contracts, awards, bursaries, scholarships, honours or other similar benefits;
(vi) for selection for an athletic or artistic purpose; or
(vii) for grant of financial or social assistance, or the delivery of appropriate health services, under any scheme administered by a public agency;
(b) for the purpose of determining whether any contract, award, bursary, scholarship, honour or other similar benefit should be continued, modified or cancelled;
(c) for the purpose of deciding whether to insure any individual or property or to continue or renew the insurance of any individual or property; or
(d) for such other similar purposes as may be prescribed by the Minister;

“individual” means a natural person, whether living or deceased;

“investigation” means an investigation relating to—

(a) a breach of an agreement;
(b) a contravention of any written law, or any rule of professional conduct or other requirement imposed by any regulatory authority in exercise of its powers under any written law; or
(c) a circumstance or conduct that may result in a remedy or relief being available under any law;

“national interest” includes national defence, national security, public security, the maintenance of essential services and the conduct of international affairs;

“organisation” includes any individual, company, association or body of persons, corporate or unincorporated, whether or not—

(a) formed or recognised under the law of Singapore; or
(b) resident, or having an office or a place of business, in Singapore;

“personal data” means data, whether true or not, about an individual who can be identified—

(a) from that data; or
(b) from that data and other information to which the organisation has or is likely to have access;

“prescribed healthcare body” means a healthcare body, prescribed for the purposes of the Fourth Schedule by the Minister charged with the responsibility for health;

“prescribed law enforcement agency” means an authority charged with the duty of investigating offences or charging offenders under written law, prescribed for the purposes of section 21(4) and the Fourth Schedule by the Minister charged with the responsibility for that authority;

“private trust” means a trust for the benefit of one or more designated individuals who are friends, or members of the family, of the settlor;

“proceedings” means any civil, criminal or administrative proceedings by or before a court, tribunal or regulatory authority that is related to the allegation of—

(a) a breach of an agreement;
(b) a contravention of any written law or any rule of professional conduct or other requirement imposed by any regulatory authority in exercise of its powers under any written law; or
(c) a wrong or a breach of a duty for which a remedy is claimed under any law;

“processing”, in relation to personal data, means the carrying out of any operation or set of operations in relation to the personal data, and includes any of the following:

(a) recording;
(b) holding;
(c) organisation, adaptation or alteration;
(d) retrieval;
(e) combination;
(f) transmission;
(g) erasure or destruction;

“public agency” includes—

(a) the Government, including any ministry, department, agency, or organ of State;
(b) any tribunal appointed under any written law; or
(c) any statutory body specified under subsection (2);

“publicly available”, in relation to personal data about an individual, means personal data that is generally available to the public, and includes personal data which can be observed by reasonably expected means at a location or an event—

(a) at which the individual appears; and
(b) that is open to the public;

“relevant body” means the Commission, the Administration Body, the Appeal Panel or any Appeal Committee;

“tribunal” includes a judicial or quasi-judicial body or a disciplinary, an arbitral or a mediatory body.

(2) The Minister may, by notification in the Gazette, specify any statutory body established under a public Act for a public function to be a public agency for the purposes of this Act.

Purpose

3. The purpose of this Act is to govern the collection, use and disclosure of personal data by organisations in a manner that recognises both the right of individuals to protect their personal data and the need of organisations to collect, use or disclose personal data for purposes that a reasonable person would consider appropriate in the circumstances.

Application of Act

4.—(1) Parts III to VI shall not impose any obligation on—

(a) any individual acting in a personal or domestic capacity;
(b) any employee acting in the course of his employment with an organisation;
(c) any public agency or an organisation in the course of acting on behalf of a public agency in relation to the collection, use or disclosure of the personal data; or
(d) any other organisations or personal data, or classes of organisations or personal data, prescribed for the purposes of this provision.

(2) Parts III to VI (except for section 24 (protection of personal data) and section 25 (retention of personal data)) shall not impose any obligation on a data intermediary in respect of its processing of personal data on behalf of and for the purposes of another organisation pursuant to a contract which is evidenced or made in writing.

(3) An organisation shall have the same obligation under this Act in respect of personal data processed on its behalf and for its purposes by a data intermediary as if the personal data were processed by the organisation itself.

(4) This Act shall not apply in respect of—

(a) personal data about an individual that is contained in a record that has been in existence for at least 100 years; or
(b) personal data about a deceased individual, except that the provisions relating to the disclosure of personal data and section 24 (protection of personal data) shall apply in respect of personal data about an individual who has been dead for 10 years or fewer.

(5) Except where business contact information is expressly referred to, Parts III to VI shall not apply to business contact information.

(6) Unless otherwise expressly provided in this Act—

(a) nothing in Parts III to VI shall affect any authority, right, privilege or immunity conferred, or obligation or limitation imposed, by or under the law, including legal privilege, except that the performance of a contractual obligation shall not be an excuse for contravening this Act; and
(b) the provisions of other written law shall prevail to the extent that any provision of Parts III to VI is inconsistent with the provisions of that other written law.

PART II
PERSONAL DATA PROTECTION COMMISSION AND ADMINISTRATION

Personal Data Protection Commission

5.—(1) There shall be established a Personal Data Protection Commission consisting of not fewer than 3 but not more than 17 members appointed by the Minister.

(2) The First Schedule shall have effect with respect to the Commission, its members and its proceedings.

Functions of Commission

6. The functions of the Commission shall be—

(a) to promote awareness of data protection in Singapore;
(b) to provide consultancy, advisory, technical, managerial or other specialist services relating to data protection;
(c) to advise the Government on all matters relating to data protection;
(d) to represent the Government internationally on matters relating to data protection;
(e) to conduct research and studies and promote educational activities relating to data protection, including organising and conducting seminars, workshops and symposia relating thereto, and supporting other organisations conducting such activities;
(f) to manage technical co-operation and exchange in the area of data protection with other organisations, including foreign data protection authorities and international or inter‑governmental organisations, on its own behalf or on behalf of the Government;
(g) to administer and enforce this Act;
(h) to carry out functions conferred on the Commission under any other written law; and
(i) to engage in such other activities and perform such functions as the Minister may permit or assign to the Commission by order published in the Gazette.

Advisory committees

7.—(1) The Minister may appoint one or more advisory committees to provide advice to the Commission with regard to the performance of any of its functions under this Act.

(2) The Commission may consult such advisory committees in relation to the performance of its functions and duties and the exercise of its powers under this Act but shall not be bound by such consultation.

Delegation

8.—(1) The Commission may appoint by name or office such number of inspectors and other officers, being public officers or employees of a statutory body, as the Commission thinks fit.

(2) The Commission may delegate the exercise of all or any of its functions, duties and powers under this Act (except the power of delegation conferred by this subsection) to any officer appointed under subsection (1), subject to such conditions or limitations as the Commission may specify.

(3) In exercising any of the powers of enforcement under this Act, an authorised officer shall on demand produce to the person against whom he is acting the authority issued to him by the Commission.

(4) Any decision of the Commission or of any person to whom any function, duty or power has been delegated by the Commission may be signified under the hand of the Chairman or any person authorised by the Chairman to sign on his behalf.

Administration Body

9.—(1) The Minister may, by notification in the Gazette, appoint an Administration Body.

(2) The Administration Body—

(a) may advise the Minister on any matter relating to the management and administration of the Commission that the Administration Body considers appropriate or that is referred to the Administration Body by the Minister;
(b) may enter into agreements for the purposes of the Commission, including any co-operation agreement;
(c) shall manage the budget for the Commission, and accounts and records of transactions and affairs relating to the Commission;
(d) shall submit such reports relating to the affairs of the Commission as the Minister may require; and
(e) may provide the Commission with such administrative and other support as may be required.

(3) Proceedings in respect of an offence under this Act may, with the authorisation of the Public Prosecutor, be conducted by an officer of the Administration Body who is authorised in writing in that behalf by the Chairman.

(4) Notwithstanding the provisions of any written law, a legal counsel (by whatever name called) of the Administration Body who has been admitted as an advocate and solicitor under the Legal Profession Act (Cap. 161) may—

(a) appear in any civil proceedings involving the Commission in the performance of its functions or duties under any written law; and
(b) make and do all acts and applications in respect of the civil proceedings on behalf of the Commission.

Co-operation agreements

10.—(1) For the purposes of sections 9 and 59, a co-operation agreement is an agreement for the purposes of—

(a) facilitating co-operation between the Commission and another regulatory authority in the performance of their respective functions in so far as those functions relate to data protection; and
(b) avoiding duplication of activities by the Commission and another regulatory authority, being activities involving the enforcement of data protection laws.

(2) A co-operation agreement may include provisions—

(a) to enable the Commission and the other regulatory authority to furnish to each other information in their respective possession if the information is required by the other for the purpose of performance by it of any of its functions;
(b) to provide such other assistance to each other as will facilitate the performance by the other of any of its functions; and
(c) to enable the Commission and the other regulatory authority to forbear to perform any of their respective functions in relation to a matter in circumstances where it is satisfied that the other is performing functions in relation to that matter.

(3) The Commission shall not furnish any information to a foreign data protection body pursuant to a co-operation agreement unless it requires of, and obtains from, that body an undertaking in writing by it that it will comply with terms specified in that requirement, including terms that correspond to the provisions of any written law concerning the disclosure of that information by the Commission.

(4) The Commission may give an undertaking to a foreign data protection body that it will comply with terms specified in a requirement made of the Commission by the foreign data protection body to give such an undertaking where—

(a) those terms correspond to the provisions of any law in force in the country or territory in which the foreign data protection body is established, being provisions which concern the disclosure by the foreign data protection body of the information referred to in paragraph (b); and
(b) compliance with the requirement is a condition imposed by the foreign data protection body for furnishing information in its possession to the Commission pursuant to a co‑operation agreement.

(5) In this section—

“foreign data protection body” means a body in whom there are vested functions under the law of another country or territory with respect to the enforcement or the administration of provisions of law of that country or territory concerning data protection;
“regulatory authority” includes the Commission and any foreign data protection body.

PART III
GENERAL RULES WITH RESPECT TO PROTECTION OF PERSONAL DATA

Compliance with Act

11.—(1) In meeting its responsibilities under this Act, an organisation shall consider what a reasonable person would consider appropriate in the circumstances.

(2) An organisation is responsible for personal data in its possession or under its control.

(3) An organisation shall designate one or more individuals to be responsible for ensuring that the organisation complies with this Act.

(4) An individual designated under subsection (3) may delegate to another individual the responsibility conferred by that designation.

(5) An organisation shall make available to the public the business contact information of at least one of the individuals designated under subsection (3) or delegated under subsection (4).

(6) The designation of an individual by an organisation under subsection (3) shall not relieve the organisation of any of its obligations under this Act.

Policies and practices

12. An organisation shall—

(a) develop and implement policies and practices that are necessary for the organisation to meet the obligations of the organisation under this Act;
(b) develop a process to receive and respond to complaints that may arise with respect to the application of this Act;
(c) communicate to its staff information about the organisation’s policies and practices referred to in paragraph (a); and
(d) make information available on request about—
(i) the policies and practices referred to in paragraph (a); and
(ii) the complaint process referred to in paragraph (b).

PART IV
COLLECTION, USE AND DISCLOSURE OF PERSONAL DATA

Division 1—Consent

Consent required

13. An organisation shall not, on or after the appointed day, collect, use or disclose personal data about an individual unless—

(a) the individual gives, or is deemed to have given, his consent under this Act to the collection, use or disclosure, as the case may be; or
(b) the collection, use or disclosure, as the case may be, without the consent of the individual is required or authorised under this Act or any other written law.

Provision of consent

14.—(1) An individual has not given consent under this Act for the collection, use or disclosure of personal data about the individual by an organisation for a purpose unless—

(a) the individual has been provided with the information required under section 20; and
(b) the individual provided his consent for that purpose in accordance with this Act.

(2) An organisation shall not—

(a) as a condition of providing a product or service, require an individual to consent to the collection, use or disclosure of personal data about the individual beyond what is reasonable to provide the product or service to that individual; or
(b) obtain or attempt to obtain consent for collecting, using or disclosing personal data by providing false or misleading information with respect to the collection, use or disclosure of the personal data, or using deceptive or misleading practices.

(3) Any consent given in any of the circumstances in subsection (2) is not validly given for the purposes of this Act.

(4) In this Act, references to consent given, or deemed to have been given, by an individual for the collection, use or disclosure of personal data about the individual shall include consent given, or deemed to have been given, by any person validly acting on behalf of that individual for the collection, use or disclosure of such personal data.

Deemed consent

15.—(1) An individual is deemed to consent to the collection, use or disclosure of personal data about the individual by an organisation for a purpose if—

(a) the individual, without actually giving consent referred to in section 14, voluntarily provides the personal data to the organisation for that purpose; and
(b) it is reasonable that the individual would voluntarily provide the data.

(2) If an individual gives, or is deemed to have given, consent to the disclosure of personal data about the individual by one organisation to another organisation for a particular purpose, the individual is deemed to consent to the collection, use or disclosure of the personal data for that particular purpose by that other organisation.

Withdrawal of consent

16.—(1) On giving reasonable notice to the organisation, an individual may at any time withdraw any consent given, or deemed to have been given under this Act, in respect of the collection, use or disclosure by that organisation of personal data about the individual for any purpose.

(2) On receipt of the notice referred to in subsection (1), the organisation concerned shall inform the individual of the likely consequences of withdrawing his consent.

(3) An organisation shall not prohibit an individual from withdrawing his consent to the collection, use or disclosure of personal data about the individual, but this section shall not affect any legal consequences arising from such withdrawal.

(4) Subject to section 25, if an individual withdraws consent to the collection, use or disclosure of personal data about the individual by an organisation for any purpose, the organisation shall cease (and cause its data intermediaries and agents to cease) collecting, using or disclosing the personal data, as the case may be, unless such collection, use or disclosure, as the case may be, without the consent of the individual is required or authorised under this Act or other written law.

Collection, use and disclosure without consent

17.—(1) An organisation may collect personal data about an individual, without consent or from a source other than the individual, only in the circumstances and subject to any condition in the Second Schedule.

(2) An organisation may use personal data about an individual, without the consent of the individual, only in the circumstances and subject to any condition in the Third Schedule.

(3) An organisation may disclose personal data about an individual, without the consent of the individual, only in the circumstances and subject to any condition in the Fourth Schedule.

Division 2—Purpose

Limitation of purpose and extent

18. An organisation may collect, use or disclose personal data about an individual only for purposes—

(a) that a reasonable person would consider appropriate in the circumstances; and
(b) that the individual has been informed of under section 20, if applicable.

Personal data collected before appointed day

19. Notwithstanding the other provisions in this Part, an organisation may use personal data about an individual collected before the appointed day for the purposes for which the personal data was collected unless—

(a) consent for such use is withdrawn in accordance with section 16; or
(b) the individual, whether before, on or after the appointed day, has otherwise indicated to the organisation that he does not consent to the use of the personal data.

Notification of purpose

20.—(1) For the purposes of sections 14(1)(a) and 18(b), an organisation shall inform the individual of—

(a) the purposes for the collection, use or disclosure of the personal data, as the case may be, on or before collecting the personal data;
(b) any other purpose of the use or disclosure of the personal data of which the individual has not been informed under paragraph (a), before the use or disclosure of the personal data for that purpose; and
(c) on request by the individual, the business contact information of a person who is able to answer on behalf of the organisation the individual’s questions about the collection, use or disclosure of the personal data.

(2) An organisation, on or before collecting personal data about an individual from another organisation without the consent of the individual, shall provide the other organisation with sufficient information regarding the purpose of the collection to allow that other organisation to determine whether the disclosure would be in accordance with this Act.

(3) Subsection (1) shall not apply if—

(a) the individual is deemed to have consented to the collection, use or disclosure, as the case may be, under section 15; or
(b) the organisation collects, uses or discloses the personal data without the consent of the individual in accordance with section 17.

(4) Notwithstanding subsection (3), an organisation, on or before collecting, using or disclosing the personal data about an individual for the purpose of managing or terminating an employment relationship between the organisation and that individual, shall inform the individual of—

(a) that purpose; and
(b) on request by the individual, the business contact information of a person who is able to answer the individual’s questions about that collection, use or disclosure on behalf of the organisation.

PART V
ACCESS TO AND CORRECTION OF PERSONAL DATA

Access to personal data

21.—(1) Subject to subsections (2), (3) and (4), on request of an individual, an organisation shall, as soon as reasonably possible, provide the individual with—

(a) personal data about the individual that is in the possession or under the control of the organisation; and
(b) information about the ways in which the personal data referred to in paragraph (a) has been or may have been used or disclosed by the organisation within a year before the date of the request.

(2) An organisation is not required to provide an individual with the individual’s personal data or other information under subsection (1) in respect of the matters specified in the Fifth Schedule.

(3) An organisation shall not provide an individual with the individual’s personal data or other information under subsection (1) if the provision of that personal data or other information, as the case may be, could reasonably be expected to—

(a) threaten the safety or physical or mental health of an individual other than the individual who made the request;
(b) cause immediate or grave harm to the safety or to the physical or mental health of the individual who made the request;
(c) reveal personal data about another individual;
(d) reveal the identity of an individual who has provided personal data about another individual and the individual providing the personal data does not consent to the disclosure of his identity; or
(e) be contrary to the national interest.

(4) An organisation shall not inform any individual under subsection (1) that it has disclosed personal data to a prescribed law enforcement agency if the disclosure was made without the consent of the individual pursuant to paragraph 1(f) or (n) of the Fourth Schedule or under any other written law.

(5) If an organisation is able to provide the individual with the individual’s personal data and other information requested under subsection (1) without the personal data or other information excluded under subsections (2), (3) and (4), the organisation shall provide the individual with access to the personal data and other information without the personal data or other information excluded under subsections (2), (3) and (4).

Correction of personal data

22.—(1) An individual may request an organisation to correct an error or omission in the personal data about the individual that is in the possession or under the control of the organisation.

(2) Unless the organisation is satisfied on reasonable grounds that a correction should not be made, the organisation shall—

(a) correct the personal data as soon as practicable; and
(b) subject to subsection (3), send the corrected personal data to every other organisation to which the personal data was disclosed by the organisation within a year before the date the correction was made, unless that other organisation does not need the corrected personal data for any legal or business purpose.

(3) An organisation (not being a credit bureau) may, if the individual consents, send the corrected personal data only to specific organisations to which the personal data was disclosed by the organisation within a year before the date the correction was made.

(4) When an organisation is notified under subsection (2)(b) or (3) of a correction of personal data, the organisation shall correct the personal data in its possession or under its control unless the organisation is satisfied on reasonable grounds that the correction should not be made.

(5) If no correction is made under subsection (2)(a) or (4), the organisation shall annotate the personal data in its possession or under its control with the correction that was requested but not made.

(6) Nothing in this section shall require an organisation to correct or otherwise alter an opinion, including a professional or an expert opinion.

(7) An organisation is not required to comply with this section in respect of the matters specified in the Sixth Schedule.

PART VI
CARE OF PERSONAL DATA

Accuracy of personal data

23. An organisation shall make a reasonable effort to ensure that personal data collected by or on behalf of the organisation is accurate and complete, if the personal data—

(a) is likely to be used by the organisation to make a decision that affects the individual to whom the personal data relates; or
(b) is likely to be disclosed by the organisation to another organisation.

Protection of personal data

24. An organisation shall protect personal data in its possession or under its control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks.

Retention of personal data

25. An organisation shall cease to retain its documents containing personal data, or remove the means by which the personal data can be associated with particular individuals, as soon as it is reasonable to assume that—

(a) the purpose for which that personal data was collected is no longer being served by retention of the personal data; and
(b) retention is no longer necessary for legal or business purposes.

Transfer of personal data outside Singapore

26.—(1) An organisation shall not transfer any personal data to a country or territory outside Singapore except in accordance with requirements prescribed under this Act to ensure that organisations provide a standard of protection to personal data so transferred that is comparable to the protection under this Act.

(2) The Commission may, on the application of any organisation, by notice in writing exempt the organisation from any requirement prescribed pursuant to subsection (1) in respect of any transfer of personal data by that organisation.

(3) An exemption under subsection (2)—

(a) may be granted subject to such conditions as the Commission may specify in writing; and
(b) need not be published in the Gazette and may be revoked at any time by the Commission.

(4) The Commission may at any time add to, vary or revoke any condition imposed under this section.

PART VII
ENFORCEMENT OF PARTS III TO VI

Alternative dispute resolution

27.—(1) If the Commission is of the opinion that any complaint by an individual against an organisation may more appropriately be resolved by mediation, the Commission may, with the consent of the complainant and the organisation, refer the matter for mediation.

(2) Subject to subsection (1), the Commission may, with or without the consent of the complainant and the organisation, direct a complainant or the organisation or both to attempt to resolve the complaint of the individual in the way directed by the Commission.

Power to review

28.—(1) On the application of a complainant, the Commission may review—

(a) a refusal to provide access to personal data requested by the complainant under section 21, or a failure to provide such access within a reasonable time;
(b) a fee required from the complainant by an organisation in relation to a request by the complainant under section 21 or 22; or
(c) a refusal to correct personal data in accordance with a request by the complainant under section 22, or a failure to make such correction within a reasonable time.

(2) Upon completion of its review under subsection (1), the Commission may—

(a) confirm the refusal to provide access to the personal data, or direct the organisation to provide access to the personal data, within such time as the Commission may specify;
(b) confirm, reduce or disallow a fee, or direct the organisation to make a refund to the complainant; or
(c) confirm the refusal to correct the personal data, or direct the organisation to correct the personal data, in such manner and within such time as the Commission may specify.

Power to give directions

29.—(1) The Commission may, if it is satisfied that an organisation is not complying with any provision in Parts III to VI, give the organisation such directions as the Commission thinks fit in the circumstances to ensure compliance with that provision.

(2) Without prejudice to the generality of subsection (1), the Commission may, if it thinks fit in the circumstances to ensure compliance with Parts III to VI, give the organisation all or any of the following directions:

(a) to stop collecting, using or disclosing personal data in contravention of this Act;
(b) to destroy personal data collected in contravention of this Act;
(c) to comply with any direction of the Commission under section 28(2);
(d) to pay a financial penalty of such amount not exceeding $1 million as the Commission thinks fit.

(3) Subsection (2)(d) shall not apply in relation to any failure to comply with a provision of this Act, the breach of which is an offence under this Act.

(4) The Commission shall, in any direction requiring the payment of a financial penalty, specify the date before which the financial penalty is to be paid, being a date not earlier than the end of the period within which an application for reconsideration of the direction, or an appeal against the direction, may be brought under section 31 or 34, respectively.

(5) The interest payable on the outstanding amount of any financial penalty imposed under subsection (2)(d) and for payment by instalment (as may be directed by the Commission in its discretion) of any financial penalty imposed under subsection (2)(d) shall be at such rate as the Commission may direct, which shall not exceed the rate prescribed in the Rules of Court in respect of judgment debts.

(6) Any interest ordered to be paid under subsection (5) shall form part of the penalty payable and be enforced in accordance with section 30.

Enforcement of directions of Commission in District Court

30.—(1) For the purposes of enforcement of any direction made by the Commission under section 28(2) or 29, the Commission may apply for the direction to be registered in a District Court in accordance with the Rules of Court and the District Court shall register the direction in accordance with the Rules of Court.

(2) From the date of registration of any direction under subsection (1), the direction shall be of the same force and effect, and all proceedings may be taken on the direction, for the purposes of enforcement as if it had been an order originally obtained in the District Court which shall have power to enforce it accordingly.

(3) A District Court shall have jurisdiction to enforce any direction in accordance with subsection (2) regardless of the monetary amount involved and may, for the purpose of enforcing such direction, make any order—

(a) to secure compliance with the direction; or
(b) to require any person to do anything to remedy, mitigate or eliminate any effects arising from—
(i) anything done which ought not, under the direction, to have been done; or
(ii) anything not done which ought, under the direction, to have been done,
which would not have occurred had the direction been complied with.

Reconsideration of directions or decisions

31.—(1) An organisation or individual aggrieved by—

(a) any direction made by the Commission under section 27(2) or section 29(1) or (2); or
(b) any direction or decision made under section 28(2),

may, within 28 days after the issue of the direction or decision concerned, make a written application to the Commission to reconsider the direction or decision.

(2) Unless the Commission decides otherwise in any particular case, an application for reconsideration shall not suspend the effect of the direction or decision to be reconsidered except in the case of an application for reconsideration of a direction to pay a financial penalty or of the amount thereof.

(3) The application for reconsideration shall be made in such form and manner as the Commission may require and shall set out the grounds on which the applicant is requesting the reconsideration.

(4) If any application for reconsideration is made in accordance with this section, the Commission shall—

(a) reconsider the direction or decision;
(b) affirm, revoke or vary the direction or decision as the Commission thinks fit; and
(c) notify the applicant in writing of the result of the reconsideration.

(5) There shall be no application for reconsideration of a decision made under subsection (4)(b).

Right of private action

32.—(1) Any person who suffers loss or damage directly as a result of a contravention of any provision in Part IV, V or VI by an organisation shall have a right of action for relief in civil proceedings in a court.

(2) If the Commission has made a decision under this Act in respect of a contravention specified in subsection (1), no action accruing under subsection (1) may be brought in respect of that contravention until after the decision has become final as a result of there being no further right of appeal.

(3) The court may grant to the plaintiff in an action under subsection (1) all or any of the following:

(a) relief by way of injunction or declaration;
(b) damages;
(c) such other relief as the court thinks fit.

PART VIII
APPEALS TO DATA PROTECTION APPEAL COMMITTEE, HIGH COURT AND COURT OF APPEAL

Data Protection Appeal Panel and Data Protection Appeal Committees

33.—(1) There shall be established a Data Protection Appeal Panel.

(2) The Minister shall appoint the members of the Appeal Panel.

(3) The Chairman of the Appeal Panel shall be appointed by the Minister from among the members of the Appeal Panel.

(4) For the purpose of hearing any appeal under section 34, the Chairman of the Appeal Panel may nominate a Data Protection Appeal Committee comprising 3 or more members of the Appeal Panel.

(5) The Seventh Schedule shall have effect with respect to the Appeal Panel, Appeal Committees and their members and the proceedings of Appeal Committees, as the case may be.

Appeal from direction or decision of Commission

34.—(1) Any organisation or individual aggrieved by—

(a) any direction made by the Commission under section 27(2) or section 29(1) or (2);
(b) any direction or decision made by the Commission under section 28(2); or
(c) any decision made by the Commission under section 31(4)(b),

may, within 28 days after the issue of the direction or decision concerned, appeal to the Chairman of the Appeal Panel against that direction or decision.

(2) Where any application for reconsideration has been made under section 31, every appeal in respect of the same direction or decision which is the subject of the application for reconsideration shall be deemed to be withdrawn.

(3) Unless the Appeal Committee decides otherwise in any particular case, the making of an appeal under this section shall not suspend the effect of the direction or decision to which the appeal relates except in the case of an appeal against the imposition of a financial penalty or the amount thereof.

(4) An Appeal Committee hearing an appeal may confirm, vary or set aside the direction or decision which is the subject of the appeal, and, in particular, may—

(a) remit the matter to the Commission;
(b) impose or revoke, or vary the amount of, a financial penalty;
(c) give such direction, or take such other step, as the Commission could itself have given or taken; or
(d) make any other direction or decision which the Commission could itself have made.

(5) Any direction or decision of an Appeal Committee on an appeal has the same effect, and may be enforced in the same manner, as a direction or decision of the Commission, except that there shall be no application for further reconsideration under section 31 and no further appeal under this section from any direction or decision of the Appeal Committee.

(6) If an Appeal Committee confirms the direction or decision which is the subject of the appeal, it may nevertheless set aside any finding of fact on which the direction or decision was based.

Appeals to High Court and Court of Appeal

35.—(1) An appeal against, or with respect to, a direction or decision of an Appeal Committee shall lie to the High Court—

(a) on a point of law arising from a direction or decision of the Appeal Committee; or
(b) from any direction of the Appeal Committee as to the amount of a financial penalty.

(2) An appeal under this section may be made only at the instance of—

(a) the organisation aggrieved by the direction or decision of the Appeal Committee;
(b) if the decision relates to a complaint, the complainant; or
(c) the Commission.

(3) The High Court shall hear and determine any such appeal and may—

(a) confirm, modify or reverse the direction or decision of the Appeal Committee; and
(b) make such further or other order on such appeal, whether as to costs or otherwise, as the Court may think fit.

(4) There shall be such further right of appeal from decisions of the High Court under this section as exists in the case of decisions made by that Court in the exercise of its original civil jurisdiction.

PART IX
DO NOT CALL REGISTRY

Division 1—Preliminary

Interpretation of this Part

36.—(1) In this Part, unless the context otherwise requires—

“calling line identity” means the telephone number or information identifying the sender;
“financial services” has the same meaning as in section 2 of the Consumer Protection (Fair Trading) Act (Cap. 52A);
“goods” means any personal property, whether tangible or intangible, and shall be deemed to include—
(a) chattels that are attached or intended to be attached to real property on or after delivery;
(b) financial products and credit, including credit extended solely on the security of land;
(c) any residential property; or
(d) a voucher;
“message” means any message, whether in sound, text, visual or other form;
“register” means any Do Not Call Register kept and maintained under section 39;
“send”, in relation to a message, means—
(a) to send the message, cause the message to be sent, or authorise the sending of the message; or
(b) to make a voice call containing the message, cause a voice call containing the message to be made, or authorise the making of a voice call containing the message;
“sender”, in relation to a message, means a person—
(a) who sends the message, causes the message to be sent, or authorises the sending of the message; or
(b) who makes a voice call containing the message, causes a voice call containing the message to be made, or authorises the making of a voice call containing the message;
“services” includes—
(a) a service offered or provided that involves the addition to or maintenance, repair or alteration of goods or any residential property;
(b) a membership in any club or organisation if the club or organisation is a business formed to make a profit for its owners;
(c) the right to use time share accommodation under a time share contract; and
(d) financial services;
“Singapore telephone number” means—
(a) a telephone number, with 8 digits beginning with the digit “3”, “6”, “8” or “9”, that is in accordance with the National Numbering Plan referred to in regulation 12A of the Telecommunications (Class Licences) Regulations (Cap. 323, Rg 3); or
(b) any other telephone numbers as may be prescribed;
“subscriber”, in relation to a Singapore telephone number, means the subscriber of the telecommunications service to which the Singapore telephone number is allocated;
“time share accommodation” means any living accommodation, in Singapore or elsewhere, used or intended to be used (wholly or partly) for leisure purposes by a class of persons all of whom have rights to use, or participate in arrangements under which they may use, that accommodation or accommodation within a pool of accommodation to which that accommodation belongs;
“time share contract” means a contract which confers or purports to confer on an individual time share rights that are exercisable during a period of not less than 3 years;
“voice call” includes—
(a) a call that involves a recorded or synthetic voice; or
(b) in the case of a recipient with a disability (for example, a hearing impairment), a call that is equivalent to a voice call,
whether or not the recipient responds by way of pressing buttons on a telephone handset or similar telecommunications device.

(2) For the purposes of this Part, a telecommunications service provider who merely provides a service that enables a specified message to be sent shall, unless the contrary is proved, be presumed not to have sent the message and not to have authorised the message to be sent.

(3) For the purposes of this Part, if a specified message is sent and at the relevant time the telecommunications device, service or network from which it was sent was controlled by a person without the knowledge of the owners or authorised users of the telecommunications device, service or network, the owners or authorised users shall, unless the contrary is proved, be presumed not to have sent the message and not to have authorised the sending of the message.

(4) In subsection (3), “control” means either physical control or control through the use of software or other means.

Meaning of “specified message”

37.—(1) Subject to subsection (5), for the purposes of this Part, a specified message is a message, where, having regard to—

(a) the content of the message;
(b) the presentational aspects of the message;
(c) the content that can be obtained using the numbers, URLs or contact information (if any) mentioned in the message; and
(d) if the telephone number from which the message is made is disclosed to the recipient (whether by calling line identity or otherwise), the content (if any) that can be obtained by calling that number,

it would be concluded that the purpose, or one of the purposes, of the message is—

(i) to offer to supply goods or services;
(ii) to advertise or promote goods or services;
(iii) to advertise or promote a supplier, or prospective supplier, of goods or services;
(iv) to offer to supply land or an interest in land;
(v) to advertise or promote land or an interest in land;
(vi) to advertise or promote a supplier, or prospective supplier, of land or an interest in land;
(vii) to offer to provide a business opportunity or an investment opportunity;
(viii) to advertise or promote a business opportunity or an investment opportunity;
(ix) to advertise or promote a provider, or prospective provider, of a business opportunity or an investment opportunity; or
(x) any other prescribed purpose related to obtaining or providing information.

(2) For the purposes of subsection (1)(i) to (x), it is immaterial whether—

(a) the goods, services, land, interest or opportunity exist; or
(b) it is lawful to acquire the goods, services, land or interest or take up the opportunity.

(3) Subject to subsection (4), a person who authorises another person to offer, advertise or promote the first person’s goods, services, land, interest or opportunity shall be deemed to have authorised the sending of any message sent by the second person that offers, advertises or promotes that first person’s goods, services, land, interest or opportunity.

(4) For the purposes of subsection (3), a person who takes reasonable steps to stop the sending of any message referred to in that subsection shall be deemed not to have authorised the sending of the message.

(5) For the purposes of this Part, a specified message shall not include any message referred to in the Eighth Schedule.

Application of this Part

38. This Part shall apply to a specified message addressed to a Singapore telephone number where—

(a) the sender of the specified message is present in Singapore when the specified message is sent; or
(b) the recipient of the specified message is present in Singapore when the specified message is accessed.

Division 2—Administration

Register

39.—(1) The Commission shall cause to be kept and maintained one or more registers of Singapore telephone numbers, each known as a Do Not Call Register, for the purposes of this Part.

(2) Each register shall be kept in such form and shall contain such particulars as the Commission thinks fit.

(3) The Commission may authorise another person to maintain any register, on its behalf, subject to such conditions or restrictions as the Commission may think fit.

Applications

40.—(1) A subscriber may apply to the Commission, in the form and manner prescribed—

(a) to add his Singapore telephone number to a register; or
(b) to remove his Singapore telephone number from a register.

(2) Any person may apply to the Commission, in the form and manner required by the Commission, to confirm whether any Singapore telephone number is listed in a register.

Evidence

41. A certificate purporting to be signed by the Chairman or an authorised officer and stating that a Singapore telephone number was or was not listed in a register at a date specified in the certificate shall be admissible as evidence of its contents in any proceedings.

Information on terminated Singapore telephone number

42.—(1) Every telecommunications service provider shall report to the Commission, in the form and manner prescribed, all terminated Singapore telephone numbers.

(2) A telecommunications service provider which contravenes subsection (1) shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $10,000.

(3) In this section, “terminated Singapore telephone number” means—

(a) a Singapore telephone number to which the following apply:
(i) the Singapore telephone number which has been allocated to a subscriber;
(ii) the telecommunications service associated with the Singapore telephone number has been terminated by the subscriber or telecommunications service provider; and
(iii) the Singapore telephone number has not been allocated to a different subscriber; or
(b) any other telephone numbers and circumstances as may be prescribed.

(4) For the purpose of subsection (1), where—

(a) a Singapore telephone number has been allocated to a subscriber by a telecommunications service provider (referred to in this subsection as the first provider);
(b) the telecommunications service associated with the Singapore telephone number has been terminated by the subscriber;
(c) the subscriber contracts for a telecommunications service associated with the Singapore telephone number with another telecommunications service provider (referred to in this subsection as the subsequent provider);
(d) the telecommunications service referred to in paragraph (c) has been terminated by the subscriber or the subsequent provider; and
(e) the Singapore telephone number has not subsequently been allocated to any subscriber,

it shall be the responsibility of the first provider to satisfy subsection (1).

(5) Without prejudice to the obligations of the telecommunications service provider under subsections (1) to (4), the Commission shall pay the prescribed fees to the telecommunications service provider for each terminated Singapore telephone number reported to the Commission in accordance with this section.

Division 3—Specified message to Singapore telephone number

Duty to check register

43.—(1) No person shall, on or after the prescribed date, send a specified message addressed to a Singapore telephone number unless the person had within the prescribed duration (which may include a duration before the prescribed date) before sending the specified message—

(a) applied to the Commission under section 40(2) to confirm whether that Singapore telephone number is listed in the relevant register; and
(b) received confirmation from the Commission that that Singapore telephone number is not listed in the relevant register.

(2) Any person who contravenes subsection (1) shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $10,000.

(3) In any proceedings for an offence under subsection (1), it shall be a defence for the person charged to prove that the subscriber or user of the telephone number—

(a) gave clear and unambiguous consent to the sending of the specified message to that Singapore telephone number; and
(b) the consent is evidenced in written or other form so as to be accessible for subsequent reference.

(4) For the purpose of this section—

(a) where there is only one register kept or maintained under section 39, the relevant register shall refer to that one register; and
(b) where there are 2 or more registers kept or maintained under section 39 for different types of specified messages, the relevant register shall refer to the register relevant for the particular type of specified message.

Contact information

44.—(1) No person shall, on or after the prescribed date, send a specified message addressed to a Singapore telephone number unless—

(a) the specified message includes clear and accurate information identifying the individual or organisation who sent or authorised the sending of the specified message;
(b) the specified message includes clear and accurate information about how the recipient can readily contact that individual or organisation;
(c) the specified message includes such information and complies with such conditions as is or are specified in the regulations, if any; and
(d) the information included in the specified message in compliance with this subsection is reasonably likely to be valid for at least 30 days after the message is sent.

(2) Any person who contravenes subsection (1) shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $10,000.

Calling line identity not to be concealed

45.—(1) A person who, on or after the prescribed date, makes a voice call containing a specified message or causes a voice call containing a specified message to be made or authorises the making of a voice call containing a specified message, addressed to a Singapore telephone number from a telephone number or facsimile number, shall not do any of the following:

(a) conceal or withhold from the recipient the calling line identity of the sender;
(b) perform any operation or issue any instruction in connection with the sending of the specified message for the purpose of, or that has the effect of, concealing or withholding from the recipient the calling line identity of the sender.

(2) Any person who contravenes subsection (1) shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $10,000.

Consent

46.—(1) A person shall not, as a condition for supplying goods, services, land, interest or opportunity, require a subscriber or user of a Singapore telephone number to give consent for the sending of a specified message to that Singapore telephone number or any other Singapore telephone number beyond what is reasonable to provide the goods, services, land, interest or opportunity to that subscriber or user, and any consent given in such circumstance is not validly given.

(2) If a person obtains or attempts to obtain consent for sending a specified message to a Singapore telephone number—

(a) by providing false or misleading information with respect to the sending of the specified message; or
(b) by using deceptive or misleading practices,

any consent given in such circumstances is not validly given.

Withdrawal of consent

47.—(1) On giving notice, a subscriber or user of a Singapore telephone number may at any time withdraw any consent given to a person for the sending of any specified message to that Singapore telephone number.

(2) A person shall not prohibit a subscriber or user of a Singapore telephone number from withdrawing his consent to the sending of a specified message to that Singapore telephone number, but this section shall not affect any legal consequences arising from such withdrawal.

(3) If a subscriber or user of a Singapore telephone number gives notice withdrawing consent given to a person for the sending of any specified message to that Singapore telephone number, the person shall cease (and cause its agent to cease) sending any specified message to that Singapore telephone number after the expiry of the prescribed period.

(4) For the purposes of this Part, a subscriber or user of a Singapore telephone number shall be deemed to have given his consent to a person to send a specified message to that Singapore telephone number if the subscriber or user—

(a) consents to the sending of the specified message before the date of commencement of this Part; and
(b) that consent has not been withdrawn on or after the date of commencement of this Part.

(5) For the purposes of this Part, where a subscriber or user of a Singapore telephone number—

(a) consents to a person sending a specified message to that Singapore telephone number before, on or after the date of commencement of this Part; and
(b) subsequently applies to add or adds that Singapore telephone number to the register on or after the date of commencement of this Part,

the application to add or the addition of that Singapore telephone number shall not be regarded as a withdrawal of the consent.

(6) For the avoidance of doubt, a subscriber of a Singapore telephone number may, at any time on or after the date of commencement of this Part, withdraw any consent given for the sending of a specified message to that Singapore telephone number.

Defence for employee

48.—(1) In any proceedings for an offence under this Part brought against any employee in respect of an act or conduct alleged to have been done or engaged in, as the case may be, by the employee, it is a defence for the employee to prove that he did the act or engaged in the conduct in good faith—

(a) in the course of his employment; or
(b) in accordance with instructions given to him by or on behalf of his employer in the course of his employment.

(2) Subsection (1) does not apply to an employee who, at the time the act was done or the conduct was engaged in, was an officer and it is proved—

(a) the act was done or the conduct was engaged in with the consent or connivance of that officer; or
(b) the act done or the conduct engaged in was attributable to any neglect on the part of that officer.

(3) In subsection (2), “officer” has the same meaning as in section 52(5).

PART X
GENERAL

Advisory guidelines

49.—(1) The Commission may, from time to time, issue written advisory guidelines indicating the manner in which the Commission will interpret the provisions of this Act.

(2) Guidelines issued under this section may, from time to time, be varied, amended or revoked by the Commission.

(3) The Commission shall publish the guidelines in any way the Commission thinks fit, but failure to comply with this subsection in respect of any guidelines shall not invalidate the guidelines.

Powers of investigation

50.—(1) The Commission may, upon complaint or of its own motion, conduct an investigation under this section to determine whether an organisation is not complying with this Act.

(2) The powers of investigation under this section of the Commission and the inspectors shall be as set out in the Ninth Schedule.

(3) The Commission may suspend, discontinue or refuse to conduct an investigation under this section if it thinks fit, including but not limited to any of the following circumstances:

(a) the complainant has not complied with a direction under section 27(2);
(b) the parties involved in the matter have mutually agreed to settle the matter;
(c) any party involved in the matter has commenced legal proceedings against another party in respect of any contravention or alleged contravention of this Act by the other party;
(d) the Commission is of the opinion that the matter may be more appropriately investigated by another regulatory authority and has referred the matter to that authority; or
(e) the Commission is of the opinion that—
(i) a complaint is frivolous or vexatious or is not made in good faith; or
(ii) any other circumstances warrant refusing to conduct, suspending or discontinuing the investigation.

(4) An organisation shall retain records relating to an investigation under this section for one year after the conclusion of the investigation or any longer period specified in writing by the Commission.

Offences and penalties

51.—(1) A person shall be guilty of an offence if he makes a request under section 21 or 22, as the case may be, to obtain access to or to change the personal data about another individual without the authority of that individual.

(2) Any person guilty of an offence under subsection (1) shall be liable on conviction to a fine not exceeding $5,000 or to imprisonment for a term not exceeding 12 months or to both.

(3) An organisation or person commits an offence if the organisation or person—

(a) with an intent to evade a request under section 21 or 22, disposes of, alters, falsifies, conceals or destroys, or directs another person to dispose of, alter, falsify, conceal or destroy, a record containing—
(i) personal data; or
(ii) information about the collection, use or disclosure of personal data;
(b) obstructs or impedes the Commission or an authorised officer in the exercise of their powers or performance of their duties under this Act; or
(c) knowingly or recklessly makes a false statement to the Commission, or knowingly misleads or attempts to mislead the Commission, in the course of the performance of the duties or powers of the Commission under this Act.

(4) An organisation or person that commits an offence under subsection (3)(a) is liable—

(a) in the case of an individual, to a fine not exceeding $5,000; and
(b) in any other case, to a fine not exceeding $50,000.

(5) An organisation or person that commits an offence under subsection (3)(b) or (c) is liable—

(a) in the case of an individual, to a fine not exceeding $10,000 or to imprisonment for a term not exceeding 12 months or to both; and
(b) in any other case, to a fine not exceeding $100,000.

Offences by bodies corporate, etc.

52.—(1) Where an offence under this Act committed by a body corporate is proved—

(a) to have been committed with the consent or connivance of an officer; or
(b) to be attributable to any neglect on his part,

the officer as well as the body corporate shall be guilty of the offence and shall be liable to be proceeded against and punished accordingly.

(2) Where the affairs of a body corporate are managed by its members, subsection (1) shall apply in relation to the acts and defaults of a member in connection with his functions of management as if he were a director of the body corporate.

(3) Where an offence under this Act committed by a partnership is proved—

(a) to have been committed with the consent or connivance of a partner; or
(b) to be attributable to any neglect on his part,

the partner as well as the partnership shall be guilty of the offence and shall be liable to be proceeded against and punished accordingly.

(4) Where an offence under this Act committed by an unincorporated association (other than a partnership) is proved—

(a) to have been committed with the consent or connivance of an officer of the unincorporated association or a member of its governing body; or
(b) to be attributable to any neglect on the part of such an officer or member,

the officer or member as well as the unincorporated association shall be guilty of the offence and shall be liable to be proceeded against and punished accordingly.

(5) In this section—

“body corporate” includes a limited liability partnership;
“officer”—
(a) in relation to a body corporate, means any director, partner, member of the committee of management, chief executive, manager, secretary or other similar officer of the body corporate and includes any person purporting to act in any such capacity; or
(b) in relation to an unincorporated association (other than a partnership), means the president, the secretary, or any member of the committee of the unincorporated association, or any person holding a position analogous to that of president, secretary or member of such a committee and includes any person purporting to act in any such capacity;
“partner” includes a person purporting to act as a partner.

(6) Regulations may be made to provide for the application of any provision of this section, with such modifications as the Minister considers appropriate, to any body corporate or unincorporated association formed or recognised under the law of a territory outside Singapore.

Liability of employers for acts of employees

53.—(1) Any act done or conduct engaged in by a person in the course of his employment (referred to in this section as the employee) shall be treated for the purposes of this Act as done or engaged in by his employer as well as by him, whether or not it was done or engaged in with the employer’s knowledge or approval.

(2) In any proceedings for an offence under this Act brought against any person in respect of an act or conduct alleged to have been done or engaged in, as the case may be, by an employee of that person, it is a defence for that person to prove that he took such steps as were practicable to prevent the employee from doing the act or engaging in the conduct, or from doing or engaging in, in the course of his employment, acts or conduct, as the case may be, of that description.

Jurisdiction of court

54. Notwithstanding any provision to the contrary in the Criminal Procedure Code (Cap. 68), a District Court shall have jurisdiction to try any offence under this Act and shall have power to impose the full penalty or punishment in respect of the offence.

Composition of offences

55.—(1) The Commission may, in its discretion, compound any offence under this Act (except Part IX) which is prescribed as a compoundable offence by collecting from a person reasonably suspected of having committed the offence a sum not exceeding the lower of the following sums:

(a) one half of the amount of the maximum fine that is prescribed for the offence;
(b) a sum of $5,000.

(2) The Commission may, in its discretion, compound any offence under Part IX which is prescribed as a compoundable offence by collecting from a person reasonably suspected of having committed the offence a sum not exceeding $1,000.

(3) On payment of such sum of money, no further proceedings shall be taken against that person in respect of the offence.

(4) The Minister may make regulations prescribing the offences which may be compounded.

General penalties

56. Any person guilty of an offence under this Act for which no penalty is expressly provided shall be liable on conviction to a fine not exceeding $10,000 or to imprisonment for a term not exceeding 3 years or to both and, in the case of a continuing offence, to a further fine not exceeding $1,000 for every day or part thereof during which the offence continues after conviction.

Public servants

57. All members and officers of the Commission and persons authorised or appointed to exercise the powers of the Commission shall be deemed to be public servants for the purposes of the Penal Code (Cap. 224).

Evidence in proceedings

58.—(1) The Commission, the Appeal Panel, an Appeal Committee, their members and anyone acting for or under the direction of the Commission shall not give or be compelled to give evidence in a court or in any other proceedings in respect of any information obtained in performing their duties or exercising their powers or functions under this Act, except—

(a) in a prosecution for perjury or for the furnishing of false information;
(b) in a prosecution for an offence under this Act; or
(c) in an application for judicial review or an appeal from a decision with respect to such an application.

(2) Subsection (1) applies also in respect of evidence of the existence of proceedings conducted before the Commission.

Preservation of secrecy

59.—(1) Subject to subsection (5), every specified person shall preserve, and aid in the preservation of, secrecy with regard to—

(a) any personal data an organisation would be required or authorised to refuse to disclose if it were contained in personal data requested under section 21;
(b) whether information exists, if an organisation in refusing to provide access under section 21 does not indicate whether the information exists;
(c) all matters that have been identified as confidential under subsection (3); and
(d) all matters relating to the identity of persons furnishing information to the Commission,

that may come to his knowledge in the performance of his functions and discharge of his duties under this Act and shall not communicate any such matter to any person, except in so far as such communication—

(i) is necessary for the performance of any such function or discharge of any such duty; or
(ii) is lawfully required by any court, or lawfully required or permitted under this Act or any other written law.

(2) Any person who fails to comply with subsection (1) shall be guilty of an offence.

(3) Any person, when furnishing any information to the Commission, may identify information that he claims to be confidential information.

(4) Every claim made under subsection (3) shall be supported by a written statement giving reasons why the information is confidential.

(5) Notwithstanding subsection (1), the Commission may disclose, or authorise any specified person to disclose, any information relating to any matter referred to in subsection (1) in any of the following circumstances:

(a) where the consent of the person to whom the information relates has been obtained;
(b) if the Commission considers there is evidence of an offence, disclose information relating to the commission of an offence to the Public Prosecutor, any police officer and other law enforcement authorities;
(c) to give effect to any provision of this Act;
(d) for the purposes of a prosecution, an application or an appeal referred to in section 58(1)(a), (b) or (c);
(e) to comply with any provision of a co-operation agreement entered into under section 10, where the conditions specified in subsection (6) are satisfied; or
(f) to a public body in such circumstances as may be prescribed by the Minister.

(6) The conditions referred to in subsection (5)(e) are—

(a) that the information or documents requested by the foreign country are in the possession of the Commission;
(b) that unless the Government otherwise allows, the foreign country undertakes to keep the information given confidential at all times; and
(c) that the disclosure of the information is not likely to be contrary to the public interest.

(7) In this section, “specified person” means a person who is or has been—

(a) a member or an officer of a relevant body;
(b) a member of a committee of a relevant body or any person authorised, appointed or employed to assist the relevant body; or
(c) an inspector or a person authorised, appointed or employed to assist an inspector.

Protection from personal liability

60. No liability shall be incurred by—

(a) any member or officer of a relevant body;
(b) any person authorised, appointed or employed to assist a relevant body;
(c) any person who is on secondment or attachment to a relevant body;
(d) any person authorised or appointed by a relevant body to exercise the relevant body’s powers, perform the relevant body’s functions or discharge the relevant body’s duties or to assist the relevant body in the exercise of its powers, the performance of its functions or the discharge of its duties under this Act or any other written law; or
(e) any inspector or any person authorised, appointed or employed to assist him in connection with any function or duty of the inspector under this Act,

as a result of anything done (including any statement made) or omitted to be done with reasonable care and in good faith in the course of or in connection with—

(i) the exercise or purported exercise of any power under this Act or any other written law;
(ii) the performance or purported performance of any function or the discharge or purported discharge of any duty under this Act or any other written law; or
(iii) the compliance or purported compliance with this Act or any other written law.

Symbol of Commission

61.—(1) The Commission shall have the exclusive right to the use of such symbol or representation as may be prescribed in connection with its activities or affairs.

(2) Any person who, without the authority of the Commission, uses a symbol or representation identical with that of the Commission, or which so resembles the symbol or representation of the Commission as to deceive or cause confusion, or to be likely to deceive or to cause confusion, shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $2,000 or to imprisonment for a term not exceeding 6 months or to both.

Power to exempt

62. The Commission may, with the approval of the Minister, by order published in the Gazette, exempt any person or organisation or any class of persons or organisations from all or any of the provisions of this Act, subject to such terms or conditions as may be specified in the order.

Certificate as to national interest

63. For the purposes of this Act, if any doubt arises as to whether anything is necessary for the purpose of, or could be contrary to, the national interest, a certificate signed by the Minister charged with responsibility for that matter shall be conclusive evidence of the matters stated therein.

Amendment of Schedules

64.—(1) The Minister may, by order published in the Gazette, amend any of the Schedules, except the Ninth Schedule.

(2) An order under this section shall be presented to Parliament as soon as possible after publication in the Gazette.

Power to make regulations

65.—(1) The Minister may make such regulations as may be necessary or expedient for carrying out the purposes and provisions of this Act and for prescribing anything that may be required or authorised to be prescribed by this Act.

(2) Without prejudice to the generality of subsection (1), the Minister may make regulations for or with respect to all or any of the following matters:

(a) the keeping and audit of accounts and records, and submission of reports, relating to the transactions and affairs of the Commission by the Administration Body, including the powers of the auditor;
(b) the form, manner and procedures, relating to the making and responding to requests under section 21 or 22, including the content of responses to such requests, the period for such responses, the circumstances in which an organisation may refuse to provide a response or refuse to confirm or deny the existence of any matter and the fees that an organisation may charge in respect of such requests;
(c) the classes of persons who may act under this Act for minors, deceased persons or any other individuals who lack capacity to act under this Act and regulating the manner in which, and the extent to which, any rights or powers of individuals under this Act may be exercised on their behalf;
(d) the form, manner and procedures relating to applications and complaints under this Act;
(e) the conduct of reviews by the Commission under section 28;
(f) the form, manner and procedures for applications for reconsideration by the Commission under section 31, including the fees to be paid in respect of such applications;
(g) the form, manner and procedures for appeals to an Appeal Committee, including the fees to be paid in respect of such appeals;
(h) the award of costs of or incidental to any proceedings before the Commission or Appeal Committee, and the award of expenses, including any allowances payable to persons in connection with their attendance before the Commission or Appeal Committee;
(i) the criteria for determining whether a Singapore telephone number is eligible to be listed in a register;
(j) the manner in which entries in the register are to be made, corrected or removed;
(k) the manner and form of giving or withdrawing consent for the sending of a specified message;
(l) any other matter relating to the establishment, operation or administration of the register;
(m) the fees to be paid in respect of applications, and services provided by or on behalf of the Commission, under this Act, including applications to confirm whether a Singapore telephone number is listed in the relevant register for the purposes of section 43(1)(a).

(3) Regulations made under this section may provide differently for different organisations, individuals, classes of organisations or classes of individuals.

Rules of Court

66. Rules of Court may be made to provide for the practice and procedure relating to actions under section 32 and appeals under section 35, including the requirement that the plaintiff notify the Commission upon commencing any such action or appeal, and for matters related thereto.

Related and consequential amendments

67.—(1) Part II of the Third Schedule to the Banking Act (Cap. 19) is amended by deleting item 9.

(2) Section 26 of the Electronic Transactions Act (Cap. 88) is amended by inserting, immediately after subsection (1), the following subsection:

“(1A) Subject to subsection (2), a network service provider shall not be subject to any liability under the Personal Data Protection Act 2012 in respect of third-party material in the form of electronic records to which he merely provides access.”.

(3) The Info-communications Development Authority of Singapore Act (Cap. 137A) is amended—

(a) by deleting the word “and” at the end of section 6(1)(t);
(b) by deleting the full-stop at the end of paragraph (u) of section 6(1) and substituting the word “; and”, and by inserting immediately thereafter the following paragraph:
“(v) to support the Personal Data Protection Commission in the performance of its functions and duties and exercise of its powers under the Personal Data Protection Act 2012.”; and
(c) by inserting, immediately after paragraph 31 of the Second Schedule, the following paragraphs:
“31A. To provide administrative support, including the provision of premises, office supplies and equipment and manpower and premises to the Personal Data Protection Commission in the performance of its functions under the Personal Data Protection Act 2012.
31B. To perform the functions and duties and exercise the powers of the Administration Body under the Personal Data Protection Act 2012, if so appointed.”.

Savings and transitional provision

68. The Minister may, in relation to any provision of this Act, for a period of 2 years after the date of commencement of that provision, prescribe by regulations published in the Gazette, such provisions of a savings or transitional nature consequent on the enactment of that provision as he considers necessary or expedient.

FIRST SCHEDULE

Sections 2 and 5(2)

CONSTITUTION AND PROCEEDINGS OF PERSONAL DATA PROTECTION COMMISSION

Appointment of Chairman and Deputy Chairman

1.—(1) The Chairman and the Deputy Chairman shall be appointed by the Minister from among the members of the Commission.

(2) The Deputy Chairman may, subject to such directions as may be given by the Chairman, exercise all or any of the powers exercisable by the Chairman under this Act, including the power under section 8(4).

Temporary Chairman or Deputy Chairman

2. The Minister may appoint any member to be a temporary Chairman or temporary Deputy Chairman during the temporary incapacity from illness or otherwise or during the temporary absence from Singapore of the Chairman or the Deputy Chairman, as the case may be.

Revocation of appointment

3. The Minister may revoke the appointment of the Chairman, the Deputy Chairman or any member without assigning any reason.

Tenure of office of appointed member

4. The Chairman, the Deputy Chairman or a member, unless his appointment is revoked by the Minister or unless he resigns during his term of office, shall hold office for such period as the Minister may determine and shall be eligible for re‑appointment.

Filling of vacancies

5. If a member resigns, dies or has his appointment revoked before the expiry of the term for which he has been appointed, the Minister may appoint a person to fill the vacancy for the remainder of the term for which his predecessor was appointed.

Meetings of Commission

6.—(1) The Commission shall meet for the despatch of business at such times and places as the Chairman may from time to time appoint.

(2) At every meeting of the Commission, one half of the number of members shall form a quorum.

(3) A decision at a meeting of the Commission shall be adopted by a simple majority of the members present and voting except that, in the case of an equality of votes, the Chairman or member presiding shall have a casting vote in addition to his original vote.

(4) The Chairman or, in his absence, the Deputy Chairman shall preside at meetings of the Commission.

(5) Where both the Chairman and the Deputy Chairman are absent at a meeting, such member as the members present may elect shall preside at that meeting.

(6) Subject to the provisions of this Act, the Commission may regulate its own procedures generally and, in particular, regarding the holding of meetings, the notice to be given of such meetings, the proceedings thereat, the keeping of minutes and the custody, production and inspection of such minutes.

Commission may act notwithstanding vacancy

7. The Commission may act notwithstanding any vacancy in its membership.

SECOND SCHEDULE

Section 17(1)

COLLECTION OF PERSONAL DATA WITHOUT CONSENT

1. An organisation may collect personal data about an individual without the consent of the individual or from a source other than the individual in any of the following circumstances:

(a) the collection is necessary for any purpose that is clearly in the interest of the individual, if consent for its collection cannot be obtained in a timely way or the individual would not reasonably be expected to withhold consent;
(b) the collection is necessary to respond to an emergency that threatens the life, health or safety of the individual or another individual;
(c) the personal data is publicly available;
(d) the collection is necessary in the national interest;
(e) the collection is necessary for any investigation or proceedings, if it is reasonable to expect that seeking the consent of the individual would compromise the availability or the accuracy of the personal data;
(f) the collection is necessary for evaluative purposes;
(g) the personal data is collected solely for artistic or literary purposes;
(h) subject to paragraph 2, the personal data is collected by a news organisation solely for its news activity;
(i) the personal data is collected for the organisation to recover a debt owed to the organisation by the individual or for the organisation to pay to the individual a debt owed by the organisation;
(j) the collection is necessary for the provision of legal services by the organisation to another person or for the organisation to obtain legal services;
(k) the personal data is collected by a credit bureau from a member of the credit bureau to create a credit report, or by a member of the credit bureau from a credit report provided by the credit bureau to that member in relation to a transaction between the member and the individual;
(l) the personal data is collected to confer an interest or a benefit on the individual under a private trust or a benefit plan, and to administer such trust or benefit plan, at the request of the settlor or the person establishing the benefit plan, as the case may be;
(m) the personal data was provided to the organisation by another individual to enable the organisation to provide a service for the personal or domestic purposes of that other individual;
(n) the personal data is included in a document—
(i) produced in the course, and for the purposes, of the individual’s employment, business or profession; and
(ii) collected for purposes consistent with the purposes for which the document was produced;
(o) the personal data is collected by the individual’s employer and the collection is reasonable for the purpose of managing or terminating an employment relationship between the organisation and the individual;
(p) subject to the conditions in paragraph 3, the personal data—
(i) is collected by an organisation, being a party or a prospective party to a business asset transaction with another organisation, from that other organisation;
(ii) is about an employee, customer, director, officer or shareholder of the other organisation; and
(iii) relates directly to the part of the other organisation or its business assets with which the business asset transaction is concerned;
(q) the personal data was disclosed by a public agency, and the collection is consistent with the purpose of the disclosure by the public agency; or
(r) the personal data—
(i) was disclosed to the organisation in accordance with section 17(3); and
(ii) is collected by the organisation for purposes consistent with the purpose of that disclosure.

2. In this paragraph and paragraph 1(h)—

“broadcasting service” has the same meaning as in section 2 of the Broadcasting Act (Cap. 28);
“news activity” means—
(a) the gathering of news, or the preparation or compilation of articles or programmes of or concerning news, observations on news, or current affairs, for the purposes of dissemination to the public or any section of the public; or
(b) the dissemination, to the public or any section of the public, of any article or programme of or concerning—
(i) news;
(ii) observations on news; or
(iii) current affairs;
“news organisation” means—
(a) any organisation—
(i) the business of which consists, in whole or in part, of news activity carried out in relation to a relevant broadcasting service, a newswire service or the publication of a newspaper; and
(ii) which, if the organisation publishes a newspaper in Singapore within the meaning of section 8(1) of the Newspaper and Printing Presses Act (Cap. 206), is required to be a newspaper company within the meaning of Part III of that Act; or
(b) any organisation which provides a broadcasting service in or from Singapore and holds a broadcasting licence granted under section 8 of the Broadcasting Act;
“newspaper” has the same meaning as in section 2 of the Newspaper and Printing Presses Act;
“relevant broadcasting service” means any of the following licensable broadcasting services within the meaning of the Broadcasting Act:
(a) Free-to-air nationwide television services;
(b) Free-to-air localised television services;
(c) Free-to-air international television services;
(d) Subscription nationwide television services;
(e) Subscription localised television services;
(f) Subscription international television services;
(g) Special interest television services;
(h) Free-to-air nationwide radio services;
(i) Free-to-air localised radio services;
(j) Free-to-air international radio services;
(k) Subscription nationwide radio services;
(l) Subscription localised radio services;
(m) Subscription international radio services;
(n) Special interest radio services.

3.—(1) The conditions in this paragraph shall apply if the personal data is collected under paragraph 1(p).

(2) If the organisation is a prospective party to a business asset transaction—

(a) the personal data collected must be necessary for the organisation to determine whether to proceed with the business asset transaction; and
(b) the organisation and the other organisation must have entered into an agreement that requires the prospective party to use or disclose the personal data solely for purposes related to the business asset transaction.

(3) If an organisation enters into the business asset transaction with another organisation—

(a) the organisation shall only use or disclose the personal data collected for the same purposes for which the other organisation would have been permitted to use or disclose the data;
(b) if any of the personal data collected does not relate directly to the part of the other organisation or its business assets with which the business asset transaction entered into is concerned, the organisation shall destroy, or return to the other organisation, any such personal data; and
(c) the employees, customers, directors, officers and shareholders whose personal data is disclosed shall be notified that—
(i) the business asset transaction has taken place; and
(ii) the personal data about them has been disclosed to the organisation.

(4) If a business asset transaction does not proceed or is not completed, the organisation shall destroy, or return to the other organisation, all the personal data collected.

(5) In this paragraph and paragraph 1(p), “business asset transaction” has the same meaning as in paragraph 3(4) of the Fourth Schedule.

4. For the avoidance of doubt, personal data disclosed before the appointed day in the circumstances and conditions set out in the Fourth Schedule shall satisfy paragraph 1(r), notwithstanding that section 17(3) was not in force at the time of the disclosure.

THIRD SCHEDULE

Section 17(2)

USE OF PERSONAL DATA WITHOUT CONSENT

1. An organisation may use personal data about an individual without the consent of the individual in any of the following circumstances:

(a) the use is necessary for any purpose which is clearly in the interests of the individual, if consent for its use cannot be obtained in a timely way or the individual would not reasonably be expected to withhold consent;
(b) the use is necessary to respond to an emergency that threatens the life, health or safety of the individual or another individual;
(c) the personal data is publicly available;
(d) the use is necessary in the national interest;
(e) the use is necessary for any investigation or proceedings;
(f) the use is necessary for evaluative purposes;
(g) the personal data is used for the organisation to recover a debt owed to the organisation by the individual or for the organisation to pay to the individual a debt owed by the organisation;
(h) the use is necessary for the provision of legal services by the organisation to another person or for the organisation to obtain legal services;
(i) subject to the conditions in paragraph 2, the personal data is used for a research purpose, including historical or statistical research; or
(j) the data was collected by the organisation in accordance with section 17(1), and is used by the organisation for purposes consistent with the purpose of that collection.

2. Paragraph 1(i) shall not apply unless—

(a) the research purpose cannot reasonably be accomplished unless the personal data is provided in an individually identifiable form;
(b) it is impracticable for the organisation to seek the consent of the individual for the use;
(c) the personal data will not be used to contact persons to ask them to participate in the research; and
(d) linkage of the personal data to other information is not harmful to the individuals identified by the personal data and the benefits to be derived from the linkage are clearly in the public interest.

3. For the avoidance of doubt, personal data collected before the appointed day in the circumstances and conditions set out in the Second Schedule shall satisfy paragraph 1(j) notwithstanding that section 17(1) was not in force at the time of the collection.

FOURTH SCHEDULE

Sections 2, 17(3) and 21(4)

DISCLOSURE OF PERSONAL DATA WITHOUT CONSENT

1. An organisation may disclose personal data about an individual without the consent of the individual in any of the following circumstances:

(a) the disclosure is necessary for any purpose which is clearly in the interests of the individual, if consent for its disclosure cannot be obtained in a timely way;
(b) the disclosure is necessary to respond to an emergency that threatens the life, health or safety of the individual or another individual;
(c) subject to the conditions in paragraph 2, there are reasonable grounds to believe that the health or safety of the individual or another individual will be seriously affected and consent for the disclosure of the data cannot be obtained in a timely way;
(d) the personal data is publicly available;
(e) the disclosure is necessary in the national interest;
(f) the disclosure is necessary for any investigation or proceedings;
(g) the disclosure is to a public agency and such disclosure is necessary in the public interest;
(h) the disclosure is necessary for evaluative purposes;
(i) the disclosure is necessary for the organisation to recover a debt owed by the individual to the organisation or for the organisation to pay to the individual a debt owed by the organisation;
(j) the disclosure is necessary for the provision of legal services by the organisation to another person or for the organisation to obtain legal services;
(k) the personal data is disclosed by a member of a credit bureau to the credit bureau for the purpose of preparing credit reports, or in a credit report provided by a credit bureau to a member of the credit bureau in relation to a transaction between the member and the individual;
(l) the personal data about the current or former students of the organisation, being an education institution, is disclosed to a public agency for the purposes of policy formulation or review;
(m) the personal data about the current or former patients of a healthcare institution licensed under the Private Hospitals and Medical Clinics Act (Cap. 248) or any other prescribed healthcare body is disclosed to a public agency for the purposes of policy formulation or review;
(n) the personal data is disclosed to any officer of a prescribed law enforcement agency, upon production of written authorisation signed by the head or director of that law enforcement agency or a person of a similar rank, certifying that the personal data is necessary for the purposes of the functions or duties of the officer;
(o) the disclosure is for the purpose of contacting the next‑of‑kin or a friend of any injured, ill or deceased individual;
(p) subject to the conditions in paragraph 3, the personal data—
(i) is disclosed to a party or a prospective party to a business asset transaction with the organisation;
(ii) is about an employee, customer, director, officer or shareholder of the organisation; and
(iii) relates directly to the part of the organisation or its business assets with which the business asset transaction is concerned;
(q) subject to the conditions in paragraph 4, the disclosure is for a research purpose, including historical or statistical research;
(r) the disclosure is for archival or historical purposes if a reasonable person would not consider the personal data to be too sensitive to the individual to be disclosed at the proposed time; or
(s) subject to the conditions in paragraph 5, the personal data—
(i) was collected by the organisation in accordance with section 17(1); and
(ii) is disclosed by the organisation for purposes consistent with the purpose of that collection.

2. In the case of disclosure under paragraph 1(c), the organisation shall, as soon as may be practicable, notify the individual whose personal data is disclosed of the disclosure and the purposes of the disclosure.

3.—(1) The conditions in this paragraph shall apply to personal data disclosed under paragraph 1(p).

(2) In the case of disclosure to a prospective party to a business asset transaction—

(a) the personal data must be necessary for the prospective party to determine whether to proceed with the business asset transaction; and
(b) the organisation and prospective party must have entered into an agreement that requires the prospective party to use or disclose the personal data solely for purposes related to the business asset transaction.

(3) If the organisation enters into the business asset transaction, the employees, customers, directors, officers and shareholders whose personal data is disclosed shall be notified that—

(a) the business asset transaction has taken place; and
(b) the personal data about them has been disclosed to the party.

(4) In this paragraph and paragraph 1(p)—

“business asset transaction” means the purchase, sale, lease, merger or amalgamation or any other acquisition, disposal or financing of an organisation or a portion of an organisation or of any of the business or assets of an organisation other than the personal data to be disclosed under paragraph 1(p);
“party” means another organisation that enters into the business asset transaction with the organisation.

4. Paragraph 1(q) shall not apply unless—

(a) the research purpose cannot reasonably be accomplished without the personal data being provided in an individually identifiable form;
(b) it is impracticable for the organisation to seek the consent of the individual for the disclosure;
(c) the personal data will not be used to contact persons to ask them to participate in the research;
(d) linkage of the personal data to other information is not harmful to the individuals identified by the personal data and the benefits to be derived from the linkage are clearly in the public interest; and
(e) the organisation to which the personal data is to be disclosed has signed an agreement to comply with—
(i) this Act;
(ii) the policies and procedures relating to the confidentiality of personal data of the organisation that collected the personal data;
(iii) security and confidentiality conditions of the organisation disclosing the personal data;
(iv) a requirement to remove or destroy individual identifiers at the earliest reasonable opportunity; and
(v) a requirement not to use the personal data for any other purpose or to disclose the personal data in individually identifiable form without the express authorisation of the organisation that disclosed the personal data.

5. For the avoidance of doubt, personal data collected before the appointed day in the circumstances and conditions set out in the Second Schedule shall satisfy paragraph 1(s) notwithstanding that section 17(1) was not in force at the time of the collection.

FIFTH SCHEDULE

Section 21(2)

EXCEPTIONS FROM ACCESS REQUIREMENT

1. An organisation is not required to provide information under section 21(1) in respect of—

(a) opinion data kept solely for an evaluative purpose;
(b) any examination conducted by an education institution, examination scripts and, prior to the release of examination results, examination results;
(c) the personal data of the beneficiaries of a private trust kept solely for the purpose of administering the trust;
(d) personal data kept by an arbitral institution or a mediation centre solely for the purposes of arbitration or mediation proceedings administered by the arbitral institution or mediation centre;
(e) a document related to a prosecution if all proceedings related to the prosecution have not been completed;
(f) personal data which is subject to legal privilege;
(g) personal data which, if disclosed, would reveal confidential commercial information that could, in the opinion of a reasonable person, harm the competitive position of the organisation;
(h) personal data collected, used or disclosed without consent, under paragraph 1(e) of the Second Schedule, paragraph 1(e) of the Third Schedule or paragraph 1(f) of the Fourth Schedule, respectively, for the purposes of an investigation if the investigation and associated proceedings and appeals have not been completed;
(i) the personal data was collected or created by a mediator or arbitrator in the conduct of a mediation or arbitration for which he was appointed to act—
(i) under a collective agreement under the Industrial Relations Act (Cap. 136) or by agreement between the parties to the mediation or arbitration;
(ii) under any written law; or
(iii) by a court, arbitral institution or mediation centre; or
(j) any request—
(i) that would unreasonably interfere with the operations of the organisation because of the repetitious or systematic nature of the requests;
(ii) if the burden or expense of providing access would be unreasonable to the organisation or disproportionate to the individual’s interests;
(iii) for information that does not exist or cannot be found;
(iv) for information that is trivial; or
(v) that is otherwise frivolous or vexatious.

SIXTH SCHEDULE

Section 22(7)

EXCEPTIONS FROM CORRECTION REQUIREMENT

1. Section 22 shall not apply in respect of—

(a) opinion data kept solely for an evaluative purpose;
(b) any examination conducted by an education institution, examination scripts and, prior to the release of examination results, examination results;
(c) the personal data of the beneficiaries of a private trust kept solely for the purpose of administering the trust;
(d) personal data kept by an arbitral institution or a mediation centre solely for the purposes of arbitration or mediation proceedings administered by the arbitral institution or mediation centre; or
(e) a document related to a prosecution if all proceedings related to the prosecution have not been completed.

SEVENTH SCHEDULE

Section 33(5)

CONSTITUTION AND PROCEEDINGS OF DATA PROTECTION APPEAL PANEL AND DATA PROTECTION APPEAL COMMITTEES

Data Protection Appeal Panel

1.—(1) The Data Protection Appeal Panel shall consist of not more than 30 members appointed, from time to time, by the Minister on the basis of their ability and experience in industry, commerce or administration or their professional qualifications or their suitability otherwise for appointment.

(2) Members of the Appeal Panel shall be appointed for such period as may be determined by the Minister and shall be eligible for re-appointment.

(3) The Minister may at any time revoke the appointment of any member of the Appeal Panel without assigning any reason.

(4) A member of the Appeal Panel may resign by giving notice in writing to the Minister.

Chairman of Appeal Panel or temporary Chairman of Appeal Panel

2.—(1) The Chairman of the Appeal Panel, unless his appointment is revoked by the Minister or unless he resigns during his term of office, shall hold office for such period as the Minister may determine and shall be eligible for re‑appointment.

(2) The Minister may appoint any member to be a temporary Chairman of the Appeal Panel during the temporary incapacity from illness or otherwise or during the temporary absence from Singapore of the Chairman of the Appeal Panel.

Proceedings of Appeal Committees

3.—(1) Subject to sub‑paragraph (2), where the Chairman of the Appeal Panel is nominated as a member of an Appeal Committee under section 33(4), he shall preside at every meeting of the Appeal Committee, and where the Chairman of the Appeal Panel is not nominated as a member of the Appeal Committee, the Chairman of the Appeal Panel shall determine which member of the Appeal Committee shall preside at every meeting of that Appeal Committee.

(2) All matters coming before an Appeal Committee at any sitting thereof shall be decided by a majority of votes of those members present and, in the event of an equality of votes, the Chairman of the Appeal Panel (if he is nominated as a member of the Appeal Committee) or any other member presiding shall have a second or casting vote.

(3) Any member of the Appeal Panel whose term of appointment expires in the course of proceedings by an Appeal Committee to which he has been appointed shall continue as a member of that Appeal Committee until the Committee has completed its work.

Powers of Appeal Committees

4.—(1) An Appeal Committee shall have all the powers and duties of the Commission that are necessary to perform its functions and discharge its duties under this Act.

(2) An Appeal Committee shall have the powers, rights and privileges vested in a District Court on the hearing of an action, including—

(a) the enforcement of the attendance of witnesses and their examination on oath or otherwise;
(b) the compelling of the production of documents; and
(c) the award of such costs or expenses as may be prescribed under section 65.

(3) A summons signed by such member of an Appeal Committee as may be authorised by the Appeal Committee shall be equivalent to any formal procedure capable of being issued in an action for enforcing the attendance of witnesses and compelling the production of documents.

(4) Where any person being duly summoned to attend before an Appeal Committee does not so attend, that person shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $5,000 or to imprisonment for a term not exceeding 6 months or to both.

(5) A witness before an Appeal Committee shall be entitled to the same immunities and privileges as if he were a witness before a District Court.

(6) All appeals under section 34 shall be determined, having regard to the nature and complexity of the appeal, as soon as reasonably practicable.

(7) An Appeal Committee shall notify the Commission and the parties to the appeal of the date on and the place at which the appeal shall be heard.

(8) An Appeal Committee shall notify the Commission and the parties to the appeal of its decision in respect of the appeal and the reasons for its decision.

Allowances

5. Members of the Appeal Committee may receive such remuneration and such travelling and subsistence allowances as the Minister may determine.

EIGHTH SCHEDULE

Section 37(5)

EXCLUSION FROM MEANING OF “SPECIFIED MESSAGE”

1. For the purposes of Part IX, a specified message shall not include any of the following:

(a) any message sent by a public agency under, or to promote, any programme carried out by any public agency which is not for a commercial purpose;
(b) any message sent by an individual acting in a personal or domestic capacity;
(c) any message which is necessary to respond to an emergency that threatens the life, health or safety of any individual;
(d) any message the sole purpose of which is—
(i) to facilitate, complete or confirm a transaction that the recipient of the message has previously agreed to enter into with the sender;
(ii) to provide warranty information, product recall information or safety or security information with respect to a product or service purchased or used by the recipient of the message; or
(iii) to deliver goods or services, including product updates or upgrades, that the recipient of the message is entitled to receive under the terms of a transaction that the recipient has previously agreed to enter into with the sender;
(e) any message the sole purpose of which is to provide—
(i) notification concerning a change in the terms or features of;
(ii) notification of a change in the standing or status of the recipient of the message with respect to; or
(iii) at regular periodic intervals, account balance information or other type of account statement with respect to,
a subscription, membership, account, loan or comparable ongoing commercial relationship involving the ongoing purchase or use by the recipient of goods or services offered by the sender;
(f) any message the sole purpose of which is to conduct market research or market survey; or
(g) any message sent to an organisation other than an individual acting in a personal or domestic capacity, for any purpose of the receiving organisation.

2. In this Schedule, “individual” does not include a sole proprietor registered under the Business Registration Act (Cap. 32).

NINTH SCHEDULE

Section 50(2)

POWERS OF INVESTIGATION OF COMMISSION AND INSPECTORS

Power to require documents or information

1.—(1) For the purposes of an investigation under section 50, the Commission or an inspector may, by notice in writing to any organisation, require the organisation to produce to the Commission or the inspector a specified document or specified information, which the Commission or inspector considers relates to any matter relevant to such investigation.

(2) A notice under sub‑paragraph (1) shall indicate the purpose for which the specified document or specified information is required by the Commission.

(3) The Commission may specify in the notice—

(a) the time and place at which any document is to be produced or any information is to be provided; and
(b) the manner and form in which it is to be produced or provided.

(4) The power under this paragraph to require an organisation to produce a document includes the power—

(a) if the document is produced—
(i) to take copies of it or extracts from it; and
(ii) to require such organisation, or any person who is a present or past officer of the organisation, or is or was at any time employed by the organisation, to provide an explanation of the document; or
(b) if the document is not produced, to require such organisation or person to state, to the best of his knowledge and belief, where it is.

(5) In sub‑paragraphs (1) and (2), “specified” means—

(a) specified or described in the notice; or
(b) falling within a category which is specified or described in the notice.

Power to enter premises without warrant

2.—(1) In connection with an investigation under section 50, an inspector, and such other persons as the inspector may require to assist him, may enter any premises.

(2) No inspector or person assisting the inspector shall enter any premises in exercise of the powers under this paragraph unless the inspector has given the occupier of the premises a written notice which—

(a) gives at least 2 working days’ notice of the intended entry; and
(b) indicates the subject-matter and purpose of the investigation.

(3) Sub-paragraph (2) shall not apply if the inspector has reasonable grounds for suspecting that the premises are, or have been, occupied by an organisation which is being investigated in relation to a contravention of this Act and if the inspector has taken all such steps as are reasonably practicable to give written notice under that sub‑paragraph but has not been able to do so.

(4) Where sub‑paragraph (3) applies, the power of entry conferred by sub‑paragraph (1) shall be exercised upon production of—

(a) evidence of the inspector’s appointment; and
(b) a document containing the information referred to in sub‑paragraph (2)(b).

(5) An inspector or a person assisting the inspector entering any premises under this paragraph may—

(a) take with him such equipment as appears to him to be necessary;
(b) require any person on the premises—
(i) to produce any document which he considers relates to any matter relevant to the investigation; and
(ii) if the document is produced, to provide an explanation of it;
(c) require any person to state, to the best of the person’s knowledge and belief, where any such document is to be found;
(d) take copies of, or extracts from, any document which is produced;
(e) require any information which is stored in any electronic form and is accessible from the premises and which he considers relates to any matter relevant to the investigation, to be produced in a form—
(i) in which it can be taken away; and
(ii) in which it is visible and legible; and
(f) take any step which appears to be necessary for the purpose of preserving or preventing interference with any document which he considers relates to any matter relevant to the investigation.

Power to enter premises under warrant

3.—(1) The Commission or any inspector may apply to a court for a warrant and the court may issue such a warrant if it is satisfied that—

(a) there are reasonable grounds for suspecting that there are, on any premises, documents—
(i) the production of which has been required under paragraph 1 or 2; and
(ii) which have not been produced as required;
(b) there are reasonable grounds for suspecting that—
(i) there are, on any premises, documents which the Commission or the inspector has power under paragraph 1 to require to be produced; and
(ii) if the documents were required to be produced, they would not be produced but would be concealed, removed, tampered with or destroyed; or
(c) an inspector or a person assisting the inspector has attempted to enter the premises in the exercise of his powers under paragraph 2 but has been unable to do so and that there are reasonable grounds for suspecting that there are, on the premises, documents the production of which could have been required under that paragraph.

(2) A warrant under this paragraph shall authorise a named officer, and such other persons as the inspector may require to assist him, to do all or any of the following:

(a) to enter the premises specified in the warrant, using such force as is reasonably necessary for the purpose;
(b) to search any person on those premises if there are reasonable grounds for believing that that person has in his possession any document, equipment or article which has a bearing on the investigation;
(c) to search the premises and take copies of, or extracts from, any document appearing to be of a kind in respect of which the application under sub‑paragraph (1) was granted (the relevant kind);
(d) to take possession of any document appearing to be of the relevant kind if—
(i) such action appears to be necessary for preserving the document or preventing interference with it; or
(ii) it is not reasonably practicable to take copies of the document on the premises;
(e) to take any other step which appears to be necessary for the purpose mentioned in sub‑paragraph (d)(i);
(f) to require any person to provide an explanation of any document appearing to be of the relevant kind or to state, to the best of his knowledge and belief, where it may be found;
(g) to require any information which is stored in any electronic form and is accessible from the premises and which he considers relates to any matter relevant to the investigation, to be produced in a form—
(i) in which it can be taken away; or
(ii) in which it is visible and legible; and
(h) to remove from those premises for examination any equipment or article which relates to any matter relevant to the investigation.

(3) If, in the case of a warrant under sub‑paragraph (1)(b), the court is satisfied that it is reasonable to suspect that there are also on the premises other documents relating to the investigation concerned, the warrant shall also authorise the actions mentioned in sub‑paragraph (2) to be taken in relation to any such document.

(4) Where possession of any document is taken under sub‑paragraph (2)(d) or (3), the named officer may, at the request of the person from whom possession of the document was taken, provide such person with a copy of the document.

(5) A named officer may allow any equipment or article which has a bearing on an investigation and which may be removed from any premises for examination under sub‑paragraph (2)(h) to be retained on those premises subject to such conditions as the named officer may require.

(6) A warrant issued under this paragraph shall—

(a) indicate the subject-matter and purpose of the investigation; and
(b) continue in force until the end of the period of one month beginning from the day on which it is issued.

(7) The powers conferred by this paragraph shall not be exercised except upon production of a warrant issued under this paragraph.

(8) Any person entering any premises by virtue of a warrant under this paragraph may take with him such equipment as appears to him to be necessary.

(9) If there is no one at the premises when the named officer proposes to execute such a warrant, he shall, before executing it—

(a) take such steps as are reasonable in all the circumstances to inform the occupier of the intended entry; and
(b) if the occupier is informed, afford him or his legal or other representative a reasonable opportunity to be present when the warrant is executed.

(10) If the named officer is unable to inform the occupier of the intended entry, he shall, when executing the warrant, leave a copy of the warrant in a prominent place on the premises.

(11) On leaving any premises which he has entered by virtue of a warrant under this paragraph, the named officer shall, if the premises are unoccupied or the occupier is temporarily absent, leave them as effectively secured as he found them.

(12) Any document of which possession is taken under sub‑paragraph (2)(d) or (3) may be retained for a period of not more than 3 months.

(13) In this paragraph—

“named officer” means an inspector named in the warrant;
“occupier”, in relation to any premises, means a person whom the inspector reasonably believes is the occupier of those premises.

This work is Singaporean legislation (Act of Parliament or subsidiary legislation), which is copyrighted in Singapore for 70 years after publication pursuant to

  • sections 114(1) and 136(1)(b) of the Copyright Act 2021, or
  • section 197(3)(b) of the repealed Copyright Act (Cap. 63, 2006 Rev. Ed.) for legislation published before 21 November 2021.

However, as an edict of a government, it is in the public domain in the U.S.
