Division 1 - Consent
13. - Consent required14. - Provision of consent15. - Deemed consent16. - Withdrawal of consent17. - Collection, use and disclosure without consentDivision 2 - Purpose
18. - Limitation of purpose and extent19. - Personal data collected before appointed day20. - Notification of purposeDivision 1 - Preliminary
36. - Interpretation of this Part37. - Meaning of “specified message”38. - Application of this PartDivision 2 - Administration
39. - Register40. - Applications41. - Evidence42. - Information on terminated Singapore telephone numberDivision 3 - Specified message to Singapore telephone number
43. - Duty to check register44. - Contact information45. - Calling line identity not to be concealed46. - Consent47. - Withdrawal of consent48. - Defence for employee49. - Advisory guidelines50. - Powers of investigation51. - Offences and penalties52. - Offences by bodies corporate, etc.53. - Liability of employers for acts of employees54. - Jurisdiction of court55. - Composition of offences56. - General penalties57. - Public servants and public officers58. - Evidence in proceedings59. - Preservation of secrecy60. - Protection from personal liability61. - Symbol of Commission62. - Power to exempt63. - Certificate as to national interest64. - Amendment of Schedules65. - Power to make regulations66. - Rules of Court67. - Saving and transitional provisions68. - Dissolution
1. - An organisation may collect personal data about an individual without the consent of the individual or from a source other2. - In this paragraph and paragraph 1(h) —3. - (1) The conditions in this paragraph shall apply if the personal data is collected under paragraph 1(p).4. - For the avoidance of doubt, personal data disclosed before the appointed day in the circumstances and conditions set out in
1. - An organisation may disclose personal data about an individual without the consent of the individual in any of the following2. - In the case of disclosure under paragraph 1(c), the organisation shall, as soon as may be practicable, notify the individual3. - (1) The conditions in this paragraph shall apply to personal data disclosed under paragraph 1(p).4. - Paragraph 1(q) shall not apply unless —5. - For the avoidance of doubt, personal data collected before the appointed day in the circumstances and conditions set out in
“advisory committee” means an advisory committee appointed under section 7;
“Appeal Committee” means a Data Protection Appeal Committee nominated under section 33(4);
“Appeal Panel” means the Data Protection Appeal Panel established under section 33(1);
“authorised officer”, in relation to the exercise of any power or performance of any function or duty under any provision of this Act, means a person to whom the exercise of that power or performance of that function or duty under that provision has been delegated under section 38 of the Info-communications Media Development Authority Act 2016;
“Authority” means the Info-communications Media Development Authority established by section 3 of the Info-communications Media Development Authority Act 2016;
“Chief Executive”, in relation to the Authority, means the Chief Executive of the Authority appointed under section 40(2) of the Info-communications Media Development Authority Act 2016, and includes any individual acting in that capacity;
“Commission” means the person designated as the Personal Data Protection Commission under section 5 to be responsible for the administration of this Act;
“Commissioner” means the Commissioner for Personal Data Protection appointed under section 8(1)(a), and includes any Deputy Commissioner for Personal Data Protection or Assistant Commissioner for Personal Data Protection appointed under section 8(1)(b);
“inspector” means an individual appointed as an inspector under section 8(1)(b);
“prescribed law enforcement agency” means an authority charged with the duty of investigating offences or charging offenders under written law, prescribed for the purposes of section 21(4) and the Fourth Schedule by the Minister charged with the responsibility for that authority;
(c) any statutory body specified under subsection (2);
(2) Parts III to VI (except for section 24 (protection of personal data) and section 25 (retention of personal data)) shall not impose any obligation on a data intermediary in respect of its processing of personal data on behalf of and for the purposes of another organisation pursuant to a contract which is evidenced or made in writing.
(b) personal data about a deceased individual, except that the provisions relating to the disclosure of personal data and section 24 (protection of personal data) shall apply in respect of personal data about an individual who has been dead for 10 years or fewer.
(2) Where any function, duty or power of the Commission under this Act is delegated to the Commissioner under section 38 of the Info-communications Media Development Authority Act 2016 —
(1) An individual appointed under section 8(1) or an employee of the Authority, who is authorised in writing by the Chief Executive of the Authority for the purpose of this section, may conduct, with the authorisation of the Public Prosecutor, proceedings in respect of an offence under this Act.
(1) For the purposes of section 59, a co-operation agreement is an agreement for the purposes of —
(5) In this section —
(4) An individual designated under subsection (3) may delegate to another individual the responsibility conferred by that designation.
(5) An organisation shall make available to the public the business contact information of at least one of the individuals designated under subsection (3) or delegated under subsection (4).
(6) The designation of an individual by an organisation under subsection (3) shall not relieve the organisation of any of its obligations under this Act.
(a) the individual has been provided with the information required under section 20; and
(3) Any consent given in any of the circumstances in subsection (2) is not validly given for the purposes of this Act.
(a) the individual, without actually giving consent referred to in section 14, voluntarily provides the personal data to the organisation for that purpose; and
(2) On receipt of the notice referred to in subsection (1), the organisation concerned shall inform the individual of the likely consequences of withdrawing his consent.
(3) An organisation shall not prohibit an individual from withdrawing his consent to the collection, use or disclosure of personal data about the individual, but this section shall not affect any legal consequences arising from such withdrawal.
(4) Subject to section 25, if an individual withdraws consent to the collection, use or disclosure of personal data about the individual by an organisation for any purpose, the organisation shall cease (and cause its data intermediaries and agents to cease) collecting, using or disclosing the personal data, as the case may be, unless such collection, use or disclosure, as the case may be, without the consent of the individual is required or authorised under this Act or other written law.
(b) that the individual has been informed of under section 20, if applicable.
(a) consent for such use is withdrawn in accordance with section 16; or
(1) For the purposes of sections 14(1)(a) and 18(b), an organisation shall inform the individual of —
(3) Subsection (1) shall not apply if —
(a) the individual is deemed to have consented to the collection, use or disclosure, as the case may be, under section 15; or
(b) the organisation collects, uses or discloses the personal data without the consent of the individual in accordance with section 17.
(4) Notwithstanding subsection (3), an organisation, on or before collecting, using or disclosing the personal data about an individual for the purpose of managing or terminating an employment relationship between the organisation and that individual, shall inform the individual of —
(1) Subject to subsections (2), (3) and (4), on request of an individual, an organisation shall, as soon as reasonably possible, provide the individual with —
(2) An organisation is not required to provide an individual with the individual’s personal data or other information under subsection (1) in respect of the matters specified in the Fifth Schedule.
(3) An organisation shall not provide an individual with the individual’s personal data or other information under subsection (1) if the provision of that personal data or other information, as the case may be, could reasonably be expected to —
(4) An organisation shall not inform any individual under subsection (1) that it has disclosed personal data to a prescribed law enforcement agency if the disclosure was made without the consent of the individual pursuant to paragraph 1(f) or (n) of the Fourth Schedule or under any other written law.
(5) If an organisation is able to provide the individual with the individual’s personal data and other information requested under subsection (1) without the personal data or other information excluded under subsections (2), (3) and (4), the organisation shall provide the individual with access to the personal data and other information without the personal data or other information excluded under subsections (2), (3) and (4).
(b) subject to subsection (3), send the corrected personal data to every other organisation to which the personal data was disclosed by the organisation within a year before the date the correction was made, unless that other organisation does not need the corrected personal data for any legal or business purpose.
(4) When an organisation is notified under subsection (2)(b) or (3) of a correction of personal data, the organisation shall correct the personal data in its possession or under its control unless the organisation is satisfied on reasonable grounds that the correction should not be made.
(5) If no correction is made under subsection (2)(a) or (4), the organisation shall annotate the personal data in its possession or under its control with the correction that was requested but not made.
(6) Nothing in this section shall require an organisation to correct or otherwise alter an opinion, including a professional or an expert opinion.
(7) An organisation is not required to comply with this section in respect of the matters specified in the Sixth Schedule.
(2) The Commission may, on the application of any organisation, by notice in writing exempt the organisation from any requirement prescribed pursuant to subsection (1) in respect of any transfer of personal data by that organisation.
(3) An exemption under subsection (2) —
(4) The Commission may at any time add to, vary or revoke any condition imposed under this section.
(2) Subject to subsection (1), the Commission may, with or without the consent of the complainant and the organisation, direct a complainant or the organisation or both to attempt to resolve the complaint of the individual in the way directed by the Commission.
(a) a refusal to provide access to personal data requested by the complainant under section 21, or a failure to provide such access within a reasonable time;
(b) a fee required from the complainant by an organisation in relation to a request by the complainant under section 21 or 22; or
(c) a refusal to correct personal data in accordance with a request by the complainant under section 22, or a failure to make such correction within a reasonable time.
(2) Upon completion of its review under subsection (1), the Commission may —
(2) Without prejudice to the generality of subsection (1), the Commission may, if it thinks fit in the circumstances to ensure compliance with Parts III to VI, give the organisation all or any of the following directions:
(c) to comply with any direction of the Commission under section 28(2);
(3) Subsection (2)(d) shall not apply in relation to any failure to comply with a provision of this Act, the breach of which is an offence under this Act.
(4) The Commission shall, in any direction requiring the payment of a financial penalty, specify the date before which the financial penalty is to be paid, being a date not earlier than the end of the period within which an application for reconsideration of the direction, or an appeal against the direction, may be brought under section 31 or 34, respectively.
(5) The interest payable on the outstanding amount of any financial penalty imposed under subsection (2)(d) and for payment by instalment (as may be directed by the Commission in its discretion) of any financial penalty imposed under subsection (2)(d) shall be at such rate as the Commission may direct, which shall not exceed the rate prescribed in the Rules of Court in respect of judgment debts.
(6) Any interest ordered to be paid under subsection (5) shall form part of the penalty payable and be enforced in accordance with section 30.
(1) For the purposes of enforcement of any direction made by the Commission under section 28(2) or 29, the Commission may apply for the direction to be registered in a District Court in accordance with the Rules of Court and the District Court shall register the direction in accordance with the Rules of Court.
(2) From the date of registration of any direction under subsection (1), the direction shall be of the same force and effect, and all proceedings may be taken on the direction, for the purposes of enforcement as if it had been an order originally obtained in the District Court which shall have power to enforce it accordingly.
(3) A District Court shall have jurisdiction to enforce any direction in accordance with subsection (2) regardless of the monetary amount involved and may, for the purpose of enforcing such direction, make any order —
(a) any direction made by the Commission under section 27(2) or section 29(1) or (2); or
(b) any direction or decision made under section 28(2),
(4) If any application for reconsideration is made in accordance with this section, the Commission shall —
(5) There shall be no application for reconsideration of a decision made under subsection (4)(b).
(2) If the Commission has made a decision under this Act in respect of a contravention specified in subsection (1), no action accruing under subsection (1) may be brought in respect of that contravention until after the decision has become final as a result of there being no further right of appeal.
(3) The court may grant to the plaintiff in an action under subsection (1) all or any of the following:
(4) For the purpose of hearing any appeal under section 34, the Chairman of the Appeal Panel may nominate a Data Protection Appeal Committee comprising 3 or more members of the Appeal Panel.
(a) any direction made by the Commission under section 27(2) or section 29(1) or (2);
(b) any direction or decision made by the Commission under section 28(2); or
(c) any decision made by the Commission under section 31(4)(b),
(2) Where any application for reconsideration has been made under section 31, every appeal in respect of the same direction or decision which is the subject of the application for reconsideration shall be deemed to be withdrawn.
(3) Unless the Appeal Committee decides otherwise in any particular case, the making of an appeal under this section shall not suspend the effect of the direction or decision to which the appeal relates except in the case of an appeal against the imposition of a financial penalty or the amount thereof.
(5) Any direction or decision of an Appeal Committee on an appeal has the same effect, and may be enforced in the same manner, as a direction or decision of the Commission, except that there shall be no application for further reconsideration under section 31 and no further appeal under this section from any direction or decision of the Appeal Committee.
(2) An appeal under this section may be made only at the instance of —
(4) There shall be such further right of appeal from decisions of the High Court under this section as exists in the case of decisions made by that Court in the exercise of its original civil jurisdiction.
“financial services” has the same meaning as in section 2 of the Consumer Protection (Fair Trading) Act (Cap. 52A);
“register” means any Do Not Call Register kept and maintained under section 39;
(4) In subsection (3), “control” means either physical control or control through the use of software or other means.
(1) Subject to subsection (5), for the purposes of this Part, a specified message is a message, where, having regard to —
(2) For the purposes of subsection (1)(i) to (x), it is immaterial whether —
(3) Subject to subsection (4), a person who authorises another person to offer, advertise or promote the first person’s goods, services, land, interest or opportunity shall be deemed to have authorised the sending of any message sent by the second person that offers, advertises or promotes that first person’s goods, services, land, interest or opportunity.
(4) For the purposes of subsection (3), a person who takes reasonable steps to stop the sending of any message referred to in that subsection shall be deemed not to have authorised the sending of the message.
(2) A telecommunications service provider which contravenes subsection (1) shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $10,000.
(3) In this section, “terminated Singapore telephone number” means —
(4) For the purpose of subsection (1), where —
(a) a Singapore telephone number has been allocated to a subscriber by a telecommunications service provider (referred to in this subsection as the first provider);
(c) the subscriber contracts for a telecommunications service associated with the Singapore telephone number with another telecommunications service provider (referred to in this subsection as the subsequent provider);
it shall be the responsibility of the first provider to satisfy subsection (1).
(5) Without prejudice to the obligations of the telecommunications service provider under subsections (1) to (4), the Commission shall pay the prescribed fees to the telecommunications service provider for each terminated Singapore telephone number reported to the Commission in accordance with this section.
(a) applied to the Commission under section 40(2) to confirm whether that Singapore telephone number is listed in the relevant register; and
(2) Any person who contravenes subsection (1) shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $10,000.
(3) In any proceedings for an offence under subsection (1), it shall be a defence for the person charged to prove that the subscriber or user of the telephone number —
(4) For the purpose of this section —
(a) where there is only one register kept or maintained under section 39, the relevant register shall refer to that one register; and
(b) where there are 2 or more registers kept or maintained under section 39 for different types of specified messages, the relevant register shall refer to the register relevant for the particular type of specified message.
(d) the information included in the specified message in compliance with this subsection is reasonably likely to be valid for at least 30 days after the message is sent.
(2) Any person who contravenes subsection (1) shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $10,000.
(2) Any person who contravenes subsection (1) shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $10,000.
(2) A person shall not prohibit a subscriber or user of a Singapore telephone number from withdrawing his consent to the sending of a specified message to that Singapore telephone number, but this section shall not affect any legal consequences arising from such withdrawal.
(2) Subsection (1) does not apply to an employee who, at the time the act was done or the conduct was engaged in, was an officer and it is proved —
(3) In subsection (2), “officer” has the same meaning as in section 52(5).
(2) Guidelines issued under this section may, from time to time, be varied, amended or revoked by the Commission.
(3) The Commission shall publish the guidelines in any way the Commission thinks fit, but failure to comply with this subsection in respect of any guidelines shall not invalidate the guidelines.
(1) The Commission may, upon complaint or of its own motion, conduct an investigation under this section to determine whether an organisation is not complying with this Act.
(2) The powers of investigation under this section of the Commission and the inspectors shall be as set out in the Ninth Schedule.
(3) The Commission may suspend, discontinue or refuse to conduct an investigation under this section if it thinks fit, including but not limited to any of the following circumstances:
(a) the complainant has not complied with a direction under section 27(2);
(4) An organisation shall retain records relating to an investigation under this section for one year after the conclusion of the investigation or any longer period specified in writing by the Commission.
(1) A person shall be guilty of an offence if he makes a request under section 21 or 22, as the case may be, to obtain access to or to change the personal data about another individual without the authority of that individual.
(2) Any person guilty of an offence under subsection (1) shall be liable on conviction to a fine not exceeding $5,000 or to imprisonment for a term not exceeding 12 months or to both.
(a) with an intent to evade a request under section 21 or 22, disposes of, alters, falsifies, conceals or destroys, or directs another person to dispose of, alter, falsify, conceal or destroy, a record containing —
(4) An organisation or person that commits an offence under subsection (3)(a) is liable —
(5) An organisation or person that commits an offence under subsection (3)(b) or (c) is liable —
(2) Where the affairs of a body corporate are managed by its members, subsection (1) shall apply in relation to the acts and defaults of a member in connection with his functions of management as if he were a director of the body corporate.
(5) In this section —
(6) Regulations may be made to provide for the application of any provision of this section, with such modifications as the Minister considers appropriate, to any body corporate or unincorporated association formed or recognised under the law of a territory outside Singapore.
(1) Any act done or conduct engaged in by a person in the course of his employment (referred to in this section as the employee) shall be treated for the purposes of this Act as done or engaged in by his employer as well as by him, whether or not it was done or engaged in with the employer’s knowledge or approval.
(1) All individuals appointed under section 8(1) —
(b) are, in relation to their administration, assessment, collection or enforcement of payment of composition sums under this Act, deemed to be public officers for the purposes of the Financial Procedure Act (Cap. 109); and section 20 of that Act applies to these individuals even though they are not or were not in the employment of the Government.
(2) Subsection (1) applies also in respect of evidence of the existence of proceedings conducted before the Commission.
(1) Subject to subsection (5), every specified person shall preserve, and aid in the preservation of, secrecy with regard to —
(a) any personal data an organisation would be required or authorised to refuse to disclose if it were contained in personal data requested under section 21;
(b) whether information exists, if an organisation in refusing to provide access under section 21 does not indicate whether the information exists;
(c) all matters that have been identified as confidential under subsection (3); and
(2) Any person who fails to comply with subsection (1) shall be guilty of an offence.
(4) Every claim made under subsection (3) shall be supported by a written statement giving reasons why the information is confidential.
(5) Notwithstanding subsection (1), the Commission may disclose, or authorise any specified person to disclose, any information relating to any matter referred to in subsection (1) in any of the following circumstances:
(d) for the purposes of a prosecution, an application or an appeal referred to in section 58(1)(a), (b) or (c);
(e) to comply with any provision of a co-operation agreement entered into under section 10, where the conditions specified in subsection (6) are satisfied; or
(6) The conditions referred to in subsection (5)(e) are —
(7) In this section, “specified person” means a person who is or has been —
(2) An order under this section shall be presented to Parliament as soon as possible after publication in the Gazette.
(2) Without prejudice to the generality of subsection (1), the Commission may, with the approval of the Minister, make regulations for or with respect to all or any of the following matters:
(b) the form, manner and procedures, relating to the making and responding to requests under section 21 or 22, including the content of responses to such requests, the period for such responses, the circumstances in which an organisation may refuse to provide a response or refuse to confirm or deny the existence of any matter and the fees that an organisation may charge in respect of such requests;
(e) the conduct of reviews by the Commission under section 28;
(f) the form, manner and procedures for applications for reconsideration by the Commission under section 31, including the fees to be paid in respect of such applications;
(m) the fees to be paid in respect of applications, and services provided by or on behalf of the Commission, under this Act, including applications to confirm whether a Singapore telephone number is listed in the relevant register for the purposes of section 43(1)(a).
(3) Regulations made under this section may provide differently for different organisations, individuals, classes of organisations or classes of individuals.
Rules of Court may be made to provide for the practice and procedure relating to actions under section 32 and appeals under section 35, including the requirement that the plaintiff notify the Commission upon commencing any such action or appeal, and for matters related thereto.
(7) For a period of 2 years after the date of commencement of any provision of section 96 of the Info communications Media Development Authority Act 2016, the Minister may, by regulations, prescribe such additional provisions of a saving or transitional nature consequent on the enactment of that provision, as the Minister may consider necessary or expedient.
(8) This section does not affect the operation of section 16 of the Interpretation Act (Cap. 1).
(9) In this section —
“appointed date” means the date of commencement of section 96(i) of the Info communications Media Development Authority Act 2016;
“Former Commission” means the Personal Data Protection Commission established by section 5(1) as in force immediately before the appointed date.
(2) In this section, “Former Commission” has the same meaning as in section 67(9).
(i) was disclosed to the organisation in accordance with section 17(3); and
“broadcasting service” has the same meaning as in section 2 of the Broadcasting Act (Cap. 28);
(a) the gathering of news, or the preparation or compilation of articles or programmes of or concerning news, observations on news, or current affairs, for the purposes of dissemination to the public or any section of the public; or
(b) the dissemination, to the public or any section of the public, of any article or programme of or concerning —
(ii) which, if the organisation publishes a newspaper in Singapore within the meaning of section 8(1) of the Newspaper and Printing Presses Act (Cap. 206), is required to be a newspaper company within the meaning of Part III of that Act; or
(b) any organisation which provides a broadcasting service in or from Singapore and holds a broadcasting licence granted under section 8 of the Broadcasting Act;
“newspaper” has the same meaning as in section 2 of the Newspaper and Printing Presses Act;
For the avoidance of doubt, personal data disclosed before the appointed day in the circumstances and conditions set out in the Fourth Schedule shall satisfy paragraph 1(r), notwithstanding that section 17(3) was not in force at the time of the disclosure.
(j) the data was collected by the organisation in accordance with section 17(1), and is used by the organisation for purposes consistent with the purpose of that collection.
For the avoidance of doubt, personal data collected before the appointed day in the circumstances and conditions set out in the Second Schedule shall satisfy paragraph 1(j) notwithstanding that section 17(1) was not in force at the time of the collection.
(i) was collected by the organisation in accordance with section 17(1); and
For the avoidance of doubt, personal data collected before the appointed day in the circumstances and conditions set out in the Second Schedule shall satisfy paragraph 1(s) notwithstanding that section 17(1) was not in force at the time of the collection.
An organisation is not required to provide information under section 21(1) in respect of —
Section 22 shall not apply in respect of —
(a) the acceptance, transmission, service and custody of documents relating to the Appeal Panel, Appeal Committees and appeal proceedings under section 34; and
(b) keeping the records of proceedings relating to appeals under section 34 in such form as the Chairman may direct.
(1) Where an appeal under section 34 is made, the Chairman of the Appeal Panel is to nominate 3 or more members of the Appeal Panel (which may include himself) to constitute an Appeal Committee to hear the appeal.
(c) the award of such costs or expenses as may be prescribed under section 65.
(6) All appeals under section 34 shall be determined, having regard to the nature and complexity of the appeal, as soon as reasonably practicable.
(1) For the purposes of an investigation under section 50, the Commission or an inspector may, by notice in writing to any organisation, require the organisation to produce to the Commission or the inspector a specified document or specified information, which the Commission or inspector considers relates to any matter relevant to such investigation.
(1) In connection with an investigation under section 50, an inspector, and such other persons as the inspector may require to assist him, may enter any premises.