Division 1 - Consent
13. - Consent required14. - Provision of consent15. - Deemed consent16. - Withdrawal of consent17. - Collection, use and disclosure without consentDivision 2 - Purpose
18. - Limitation of purpose and extent19. - Personal data collected before appointed day20. - Notification of purposeDivision 1 - Preliminary
36. - Interpretation of this Part37. - Meaning of “specified message”38. - Application of this PartDivision 2 - Administration
39. - Register40. - Applications41. - Evidence42. - Information on terminated Singapore telephone numberDivision 3 - Specified message to Singapore telephone number
43. - Duty to check register44. - Contact information45. - Calling line identity not to be concealed46. - Consent47. - Withdrawal of consent48. - Defence for employee49. - Advisory guidelines50. - Powers of investigation51. - Offences and penalties52. - Offences by bodies corporate, etc.53. - Liability of employers for acts of employees54. - Jurisdiction of court55. - Composition of offences56. - General penalties57. - Public servants and public officers58. - Evidence in proceedings59. - Preservation of secrecy60. - Protection from personal liability61. - Symbol of Commission62. - Power to exempt63. - Certificate as to national interest64. - Amendment of Schedules65. - Power to make regulations66. - Rules of Court67. - Saving and transitional provisions68. - Dissolution
1. - An organisation may collect personal data about an individual without the consent of the individual or from a source other2. - In this paragraph and paragraph 1(h) —3. - (1) The conditions in this paragraph shall apply if the personal data is collected under paragraph 1(p).4. - For the avoidance of doubt, personal data disclosed before the appointed day in the circumstances and conditions set out in
1. - An organisation may disclose personal data about an individual without the consent of the individual in any of the following2. - In the case of disclosure under paragraph 1(c), the organisation shall, as soon as may be practicable, notify the individual3. - (1) The conditions in this paragraph shall apply to personal data disclosed under paragraph 1(p).4. - Paragraph 1(q) shall not apply unless —5. - For the avoidance of doubt, personal data collected before the appointed day in the circumstances and conditions set out in
The purpose of this Act is to govern the collection, use and disclosure of personal data by organisations in a manner that recognises both the right of individuals to protect their personal data and the need of organisations to collect, use or disclose personal data for purposes that a reasonable person would consider appropriate in the circumstances.
An organisation shall not, on or after the appointed day, collect, use or disclose personal data about an individual unless —
(3) An organisation may disclose personal data about an individual, without the consent of the individual, only in the circumstances and subject to any condition in the Fourth Schedule.
An organisation may collect, use or disclose personal data about an individual only for purposes —
(b) the organisation collects, uses or discloses the personal data without the consent of the individual in accordance with section 17.
(b) information about the ways in which the personal data referred to in paragraph (a) has been or may have been used or disclosed by the organisation within a year before the date of the request.
(4) An organisation shall not inform any individual under subsection (1) that it has disclosed personal data to a prescribed law enforcement agency if the disclosure was made without the consent of the individual pursuant to paragraph 1(f) or (n) of the Fourth Schedule or under any other written law.
(b) subject to subsection (3), send the corrected personal data to every other organisation to which the personal data was disclosed by the organisation within a year before the date the correction was made, unless that other organisation does not need the corrected personal data for any legal or business purpose.
(3) An organisation (not being a credit bureau) may, if the individual consents, send the corrected personal data only to specific organisations to which the personal data was disclosed by the organisation within a year before the date the correction was made.
(b) is likely to be disclosed by the organisation to another organisation.
(d) if the telephone number from which the message is made is disclosed to the recipient (whether by calling line identity or otherwise), the content (if any) that can be obtained by calling that number,
(a) any personal data an organisation would be required or authorised to refuse to disclose if it were contained in personal data requested under section 21;
(5) Notwithstanding subsection (1), the Commission may disclose, or authorise any specified person to disclose, any information relating to any matter referred to in subsection (1) in any of the following circumstances:
(b) if the Commission considers there is evidence of an offence, disclose information relating to the commission of an offence to the Public Prosecutor, any police officer and other law enforcement authorities;
(q) the personal data was disclosed by a public agency, and the collection is consistent with the purpose of the disclosure by the public agency; or
(i) was disclosed to the organisation in accordance with section 17(3); and
(b) the organisation and the other organisation must have entered into an agreement that requires the prospective party to use or disclose the personal data solely for purposes related to the business asset transaction.
(a) the organisation shall only use or disclose the personal data collected for the same purposes for which the other organisation would have been permitted to use or disclose the data;
(c) the employees, customers, directors, officers and shareholders whose personal data is disclosed shall be notified that —
(ii) the personal data about them has been disclosed to the organisation.
For the avoidance of doubt, personal data disclosed before the appointed day in the circumstances and conditions set out in the Fourth Schedule shall satisfy paragraph 1(r), notwithstanding that section 17(3) was not in force at the time of the disclosure.
An organisation may disclose personal data about an individual without the consent of the individual in any of the following circumstances:
(k) the personal data is disclosed by a member of a credit bureau to the credit bureau for the purpose of preparing credit reports, or in a credit report provided by a credit bureau to a member of the credit bureau in relation to a transaction between the member and the individual;
(l) the personal data about the current or former students of the organisation, being an education institution, is disclosed to a public agency for the purposes of policy formulation or review;
(m) the personal data about the current or former patients of a healthcare institution licensed under the Private Hospitals and Medical Clinics Act (Cap. 248) or any other prescribed healthcare body is disclosed to a public agency for the purposes of policy formulation or review;
(n) the personal data is disclosed to any officer of a prescribed law enforcement agency, upon production of written authorisation signed by the head or director of that law enforcement agency or a person of a similar rank, certifying that the personal data is necessary for the purposes of the functions or duties of the officer;
(i) is disclosed to a party or a prospective party to a business asset transaction with the organisation;
(r) the disclosure is for archival or historical purposes if a reasonable person would not consider the personal data to be too sensitive to the individual to be disclosed at the proposed time; or
(ii) is disclosed by the organisation for purposes consistent with the purpose of that collection.
In the case of disclosure under paragraph 1(c), the organisation shall, as soon as may be practicable, notify the individual whose personal data is disclosed of the disclosure and the purposes of the disclosure.
(1) The conditions in this paragraph shall apply to personal data disclosed under paragraph 1(p).
(b) the organisation and prospective party must have entered into an agreement that requires the prospective party to use or disclose the personal data solely for purposes related to the business asset transaction.
(3) If the organisation enters into the business asset transaction, the employees, customers, directors, officers and shareholders whose personal data is disclosed shall be notified that —
(b) the personal data about them has been disclosed to the party.
“business asset transaction” means the purchase, sale, lease, merger or amalgamation or any other acquisition, disposal or financing of an organisation or a portion of an organisation or of any of the business or assets of an organisation other than the personal data to be disclosed under paragraph 1(p);
(e) the organisation to which the personal data is to be disclosed has signed an agreement to comply with —
(v) a requirement not to use the personal data for any other purpose or to disclose the personal data in individually identifiable form without the express authorisation of the organisation that disclosed the personal data.
(g) personal data which, if disclosed, would reveal confidential commercial information that could, in the opinion of a reasonable person, harm the competitive position of the organisation;
(h) personal data collected, used or disclosed without consent, under paragraph 1(e) of the Second Schedule, paragraph 1(e) of the Third Schedule or paragraph 1(f) of the Fourth Schedule, respectively, for the purposes of an investigation if the investigation and associated proceedings and appeals have not been completed;