“business” includes the activity of any organisation, whether or not carried on for purposes of gain, or conducted on a regular, repetitive or continuous basis, but does not include an individual acting in his personal or domestic capacity;
“credit bureau” means an organisation which —
“credit report” means a communication, whether in written, oral or other form, provided to an organisation to assess the creditworthiness of an individual in relation to a transaction between the organisation and the individual;
“data intermediary” means an organisation which processes personal data on behalf of another organisation but does not include an employee of that other organisation;
“education institution” means any organisation that provides education, including instruction, training or teaching, whether by itself or in association or collaboration with or by affiliation with any other person;
“organisation” includes any individual, company, association or body of persons, corporate or unincorporated, whether or not —
(b) from that data and other information to which the organisation has or is likely to have access;
(c) organisation, adaptation or alteration;
The purpose of this Act is to govern the collection, use and disclosure of personal data by organisations in a manner that recognises both the right of individuals to protect their personal data and the need of organisations to collect, use or disclose personal data for purposes that a reasonable person would consider appropriate in the circumstances.
(b) any employee acting in the course of his employment with an organisation;
(c) any public agency or an organisation in the course of acting on behalf of a public agency in relation to the collection, use or disclosure of the personal data; or
(d) any other organisations or personal data, or classes of organisations or personal data, prescribed for the purposes of this provision.
(2) Parts III to VI (except for section 24 (protection of personal data) and section 25 (retention of personal data)) shall not impose any obligation on a data intermediary in respect of its processing of personal data on behalf of and for the purposes of another organisation pursuant to a contract which is evidenced or made in writing.
(3) An organisation shall have the same obligation under this Act in respect of personal data processed on its behalf and for its purposes by a data intermediary as if the personal data were processed by the organisation itself.
(e) to conduct research and studies and promote educational activities relating to data protection, including organising and conducting seminars, workshops and symposia relating thereto, and supporting other organisations conducting such activities;
(f) to manage technical co-operation and exchange in the area of data protection with other organisations, including foreign data protection authorities and international or inter-governmental organisations, on its own behalf or on behalf of the Government;
(1) In meeting its responsibilities under this Act, an organisation shall consider what a reasonable person would consider appropriate in the circumstances.
(2) An organisation is responsible for personal data in its possession or under its control.
(3) An organisation shall designate one or more individuals to be responsible for ensuring that the organisation complies with this Act.
(5) An organisation shall make available to the public the business contact information of at least one of the individuals designated under subsection (3) or delegated under subsection (4).
(6) The designation of an individual by an organisation under subsection (3) shall not relieve the organisation of any of its obligations under this Act.
An organisation shall —
(a) develop and implement policies and practices that are necessary for the organisation to meet the obligations of the organisation under this Act;
(c) communicate to its staff information about the organisation’s policies and practices referred to in paragraph (a); and
An organisation shall not, on or after the appointed day, collect, use or disclose personal data about an individual unless —
(1) An individual has not given consent under this Act for the collection, use or disclosure of personal data about the individual by an organisation for a purpose unless —
(2) An organisation shall not —
(1) An individual is deemed to consent to the collection, use or disclosure of personal data about the individual by an organisation for a purpose if —
(a) the individual, without actually giving consent referred to in section 14, voluntarily provides the personal data to the organisation for that purpose; and
(2) If an individual gives, or is deemed to have given, consent to the disclosure of personal data about the individual by one organisation to another organisation for a particular purpose, the individual is deemed to consent to the collection, use or disclosure of the personal data for that particular purpose by that other organisation.
(1) On giving reasonable notice to the organisation, an individual may at any time withdraw any consent given, or deemed to have been given under this Act, in respect of the collection, use or disclosure by that organisation of personal data about the individual for any purpose.
(2) On receipt of the notice referred to in subsection (1), the organisation concerned shall inform the individual of the likely consequences of withdrawing his consent.
(3) An organisation shall not prohibit an individual from withdrawing his consent to the collection, use or disclosure of personal data about the individual, but this section shall not affect any legal consequences arising from such withdrawal.
(4) Subject to section 25, if an individual withdraws consent to the collection, use or disclosure of personal data about the individual by an organisation for any purpose, the organisation shall cease (and cause its data intermediaries and agents to cease) collecting, using or disclosing the personal data, as the case may be, unless such collection, use or disclosure, as the case may be, without the consent of the individual is required or authorised under this Act or other written law.
(1) An organisation may collect personal data about an individual, without consent or from a source other than the individual, only in the circumstances and subject to any condition in the Second Schedule.
(2) An organisation may use personal data about an individual, without the consent of the individual, only in the circumstances and subject to any condition in the Third Schedule.
(3) An organisation may disclose personal data about an individual, without the consent of the individual, only in the circumstances and subject to any condition in the Fourth Schedule.
An organisation may collect, use or disclose personal data about an individual only for purposes —
Notwithstanding the other provisions in this Part, an organisation may use personal data about an individual collected before the appointed day for the purposes for which the personal data was collected unless —
(b) the individual, whether before, on or after the appointed day, has otherwise indicated to the organisation that he does not consent to the use of the personal data.
(1) For the purposes of sections 14(1)(a) and 18(b), an organisation shall inform the individual of —
(c) on request by the individual, the business contact information of a person who is able to answer on behalf of the organisation the individual’s questions about the collection, use or disclosure of the personal data.
(2) An organisation, on or before collecting personal data about an individual from another organisation without the consent of the individual, shall provide the other organisation with sufficient information regarding the purpose of the collection to allow that other organisation to determine whether the disclosure would be in accordance with this Act.
(b) the organisation collects, uses or discloses the personal data without the consent of the individual in accordance with section 17.
(4) Notwithstanding subsection (3), an organisation, on or before collecting, using or disclosing the personal data about an individual for the purpose of managing or terminating an employment relationship between the organisation and that individual, shall inform the individual of —
(b) on request by the individual, the business contact information of a person who is able to answer the individual’s questions about that collection, use or disclosure on behalf of the organisation.
(1) Subject to subsections (2), (3) and (4), on request of an individual, an organisation shall, as soon as reasonably possible, provide the individual with —
(a) personal data about the individual that is in the possession or under the control of the organisation; and
(b) information about the ways in which the personal data referred to in paragraph (a) has been or may have been used or disclosed by the organisation within a year before the date of the request.
(2) An organisation is not required to provide an individual with the individual’s personal data or other information under subsection (1) in respect of the matters specified in the Fifth Schedule.
(3) An organisation shall not provide an individual with the individual’s personal data or other information under subsection (1) if the provision of that personal data or other information, as the case may be, could reasonably be expected to —
(4) An organisation shall not inform any individual under subsection (1) that it has disclosed personal data to a prescribed law enforcement agency if the disclosure was made without the consent of the individual pursuant to paragraph 1(f) or (n) of the Fourth Schedule or under any other written law.
(5) If an organisation is able to provide the individual with the individual’s personal data and other information requested under subsection (1) without the personal data or other information excluded under subsections (2), (3) and (4), the organisation shall provide the individual with access to the personal data and other information without the personal data or other information excluded under subsections (2), (3) and (4).
(1) An individual may request an organisation to correct an error or omission in the personal data about the individual that is in the possession or under the control of the organisation.
(2) Unless the organisation is satisfied on reasonable grounds that a correction should not be made, the organisation shall —
(b) subject to subsection (3), send the corrected personal data to every other organisation to which the personal data was disclosed by the organisation within a year before the date the correction was made, unless that other organisation does not need the corrected personal data for any legal or business purpose.
(3) An organisation (not being a credit bureau) may, if the individual consents, send the corrected personal data only to specific organisations to which the personal data was disclosed by the organisation within a year before the date the correction was made.
(4) When an organisation is notified under subsection (2)(b) or (3) of a correction of personal data, the organisation shall correct the personal data in its possession or under its control unless the organisation is satisfied on reasonable grounds that the correction should not be made.
(5) If no correction is made under subsection (2)(a) or (4), the organisation shall annotate the personal data in its possession or under its control with the correction that was requested but not made.
(6) Nothing in this section shall require an organisation to correct or otherwise alter an opinion, including a professional or an expert opinion.
(7) An organisation is not required to comply with this section in respect of the matters specified in the Sixth Schedule.
An organisation shall make a reasonable effort to ensure that personal data collected by or on behalf of the organisation is accurate and complete, if the personal data —
(a) is likely to be used by the organisation to make a decision that affects the individual to whom the personal data relates; or
(b) is likely to be disclosed by the organisation to another organisation.
An organisation shall protect personal data in its possession or under its control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks.
An organisation shall cease to retain its documents containing personal data, or remove the means by which the personal data can be associated with particular individuals, as soon as it is reasonable to assume that —
(1) An organisation shall not transfer any personal data to a country or territory outside Singapore except in accordance with requirements prescribed under this Act to ensure that organisations provide a standard of protection to personal data so transferred that is comparable to the protection under this Act.
(2) The Commission may, on the application of any organisation, by notice in writing exempt the organisation from any requirement prescribed pursuant to subsection (1) in respect of any transfer of personal data by that organisation.
(1) If the Commission is of the opinion that any complaint by an individual against an organisation may more appropriately be resolved by mediation, the Commission may, with the consent of the complainant and the organisation, refer the matter for mediation.
(2) Subject to subsection (1), the Commission may, with or without the consent of the complainant and the organisation, direct a complainant or the organisation or both to attempt to resolve the complaint of the individual in the way directed by the Commission.
(b) a fee required from the complainant by an organisation in relation to a request by the complainant under section 21 or 22; or
(a) confirm the refusal to provide access to the personal data, or direct the organisation to provide access to the personal data, within such time as the Commission may specify;
(b) confirm, reduce or disallow a fee, or direct the organisation to make a refund to the complainant; or
(c) confirm the refusal to correct the personal data, or direct the organisation to correct the personal data, in such manner and within such time as the Commission may specify.
(1) The Commission may, if it is satisfied that an organisation is not complying with any provision in Parts III to VI, give the organisation such directions as the Commission thinks fit in the circumstances to ensure compliance with that provision.
(2) Without prejudice to the generality of subsection (1), the Commission may, if it thinks fit in the circumstances to ensure compliance with Parts III to VI, give the organisation all or any of the following directions:
(1) An organisation or individual aggrieved by —
(1) Any person who suffers loss or damage directly as a result of a contravention of any provision in Part IV, V or VI by an organisation shall have a right of action for relief in civil proceedings in a court.
(1) Any organisation or individual aggrieved by —
(a) the organisation aggrieved by the direction or decision of the Appeal Committee;
(b) a membership in any club or organisation if the club or organisation is a business formed to make a profit for its owners;
(a) the specified message includes clear and accurate information identifying the individual or organisation who sent or authorised the sending of the specified message;
(b) the specified message includes clear and accurate information about how the recipient can readily contact that individual or organisation;
(1) The Commission may, upon complaint or of its own motion, conduct an investigation under this section to determine whether an organisation is not complying with this Act.
(4) An organisation shall retain records relating to an investigation under this section for one year after the conclusion of the investigation or any longer period specified in writing by the Commission.
(3) An organisation or person commits an offence if the organisation or person —
(c) makes a statement, or furnishes any information or document, to the Commission, an inspector or an authorised officer under this Act, which the organisation or person knows, or ought reasonably to know, to be false or misleading in any material particular.
(4) An organisation or person that commits an offence under subsection (3)(a) is liable —
(5) An organisation or person that commits an offence under subsection (3)(b) or (c) is liable —
(a) any personal data an organisation would be required or authorised to refuse to disclose if it were contained in personal data requested under section 21;
(b) whether information exists, if an organisation in refusing to provide access under section 21 does not indicate whether the information exists;
The Commission may, with the approval of the Minister, by order published in the Gazette, exempt any person or organisation or any class of persons or organisations from all or any of the provisions of this Act, subject to such terms or conditions as may be specified in the order.
(b) the form, manner and procedures, relating to the making and responding to requests under section 21 or 22, including the content of responses to such requests, the period for such responses, the circumstances in which an organisation may refuse to provide a response or refuse to confirm or deny the existence of any matter and the fees that an organisation may charge in respect of such requests;
(3) Regulations made under this section may provide differently for different organisations, individuals, classes of organisations or classes of individuals.
An organisation may collect personal data about an individual without the consent of the individual or from a source other than the individual in any of the following circumstances:
(h) subject to paragraph 2, the personal data is collected by a news organisation solely for its news activity;
(i) the personal data is collected for the organisation to recover a debt owed to the organisation by the individual or for the organisation to pay to the individual a debt owed by the organisation;
(j) the collection is necessary for the provision of legal services by the organisation to another person or for the organisation to obtain legal services;
(m) the personal data was provided to the organisation by another individual to enable the organisation to provide a service for the personal or domestic purposes of that other individual;
(o) the personal data is collected by the individual’s employer and the collection is reasonable for the purpose of managing or terminating an employment relationship between the organisation and the individual;
(i) is collected by an organisation, being a party or a prospective party to a business asset transaction with another organisation, from that other organisation;
(ii) is about an employee, customer, director, officer or shareholder of the other organisation; and
(iii) relates directly to the part of the other organisation or its business assets with which the business asset transaction is concerned;
(i) was disclosed to the organisation in accordance with section 17(3); and
(ii) is collected by the organisation for purposes consistent with the purpose of that disclosure.
“news organisation” means —
(a) any organisation
(ii) which, if the organisation publishes a newspaper in Singapore within the meaning of section 8(1) of the Newspaper and Printing Presses Act (Cap. 206), is required to be a newspaper company within the meaning of Part III of that Act; or
(b) any organisation which provides a broadcasting service in or from Singapore and holds a broadcasting licence granted under section 8 of the Broadcasting Act;
(2) If the organisation is a prospective party to a business asset transaction —
(a) the personal data collected must be necessary for the organisation to determine whether to proceed with the business asset transaction; and
(b) the organisation and the other organisation must have entered into an agreement that requires the prospective party to use or disclose the personal data solely for purposes related to the business asset transaction.
(3) If an organisation enters into the business asset transaction with another organisation
(a) the organisation shall only use or disclose the personal data collected for the same purposes for which the other organisation would have been permitted to use or disclose the data;
(b) if any of the personal data collected does not relate directly to the part of the other organisation or its business assets with which the business asset transaction entered into is concerned, the organisation shall destroy, or return to the other organisation, any such personal data; and
(ii) the personal data about them has been disclosed to the organisation.
(4) If a business asset transaction does not proceed or is not completed, the organisation shall destroy, or return to the other organisation, all the personal data collected.
An organisation may use personal data about an individual without the consent of the individual in any of the following circumstances:
(g) the personal data is used for the organisation to recover a debt owed to the organisation by the individual or for the organisation to pay to the individual a debt owed by the organisation;
(h) the use is necessary for the provision of legal services by the organisation to another person or for the organisation to obtain legal services;
(j) the data was collected by the organisation in accordance with section 17(1), and is used by the organisation for purposes consistent with the purpose of that collection.
(b) it is impracticable for the organisation to seek the consent of the individual for the use;
An organisation may disclose personal data about an individual without the consent of the individual in any of the following circumstances:
(i) the disclosure is necessary for the organisation to recover a debt owed by the individual to the organisation or for the organisation to pay to the individual a debt owed by the organisation;
(j) the disclosure is necessary for the provision of legal services by the organisation to another person or for the organisation to obtain legal services;
(l) the personal data about the current or former students of the organisation, being an education institution, is disclosed to a public agency for the purposes of policy formulation or review;
(i) is disclosed to a party or a prospective party to a business asset transaction with the organisation;
(ii) is about an employee, customer, director, officer or shareholder of the organisation; and
(iii) relates directly to the part of the organisation or its business assets with which the business asset transaction is concerned;
(i) was collected by the organisation in accordance with section 17(1); and
(ii) is disclosed by the organisation for purposes consistent with the purpose of that collection.
In the case of disclosure under paragraph 1(c), the organisation shall, as soon as may be practicable, notify the individual whose personal data is disclosed of the disclosure and the purposes of the disclosure.
(b) the organisation and prospective party must have entered into an agreement that requires the prospective party to use or disclose the personal data solely for purposes related to the business asset transaction.
(3) If the organisation enters into the business asset transaction, the employees, customers, directors, officers and shareholders whose personal data is disclosed shall be notified that —
“business asset transaction” means the purchase, sale, lease, merger or amalgamation or any other acquisition, disposal or financing of an organisation or a portion of an organisation or of any of the business or assets of an organisation other than the personal data to be disclosed under paragraph 1(p);
“party” means another organisation that enters into the business asset transaction with the organisation.
(b) it is impracticable for the organisation to seek the consent of the individual for the disclosure;
(e) the organisation to which the personal data is to be disclosed has signed an agreement to comply with —
(ii) the policies and procedures relating to the confidentiality of personal data of the organisation that collected the personal data;
(iii) security and confidentiality conditions of the organisation disclosing the personal data;
(v) a requirement not to use the personal data for any other purpose or to disclose the personal data in individually identifiable form without the express authorisation of the organisation that disclosed the personal data.
An organisation is not required to provide information under section 21(1) in respect of —
(g) personal data which, if disclosed, would reveal confidential commercial information that could, in the opinion of a reasonable person, harm the competitive position of the organisation;
(i) that would unreasonably interfere with the operations of the organisation because of the repetitious or systematic nature of the requests;
(ii) if the burden or expense of providing access would be unreasonable to the organisation or disproportionate to the individual’s interests;
(g) any message sent to an organisation other than an individual acting in a personal or domestic capacity, for any purpose of the receiving organisation.
(1) For the purposes of an investigation under section 50, the Commission or an inspector may, by notice in writing to any organisation, require the organisation to produce to the Commission or the inspector a specified document or specified information, which the Commission or inspector considers relates to any matter relevant to such investigation.
(4) The power under this paragraph to require an organisation to produce a document includes the power —
(ii) to require such organisation, or any person who is a present or past officer of the organisation, or is or was at any time employed by the organisation, to provide an explanation of the document; or
(b) if the document is not produced, to require such organisation or person to state, to the best of his knowledge and belief, where it is.
(3) Sub-paragraph (2) shall not apply if the inspector has reasonable grounds for suspecting that the premises are, or have been, occupied by an organisation which is being investigated in relation to a contravention of this Act and if the inspector has taken all such steps as are reasonably practicable to give written notice under that sub-paragraph but has not been able to do so.