Division 1 - Consent
13. - Consent required14. - Provision of consent15. - Deemed consent16. - Withdrawal of consent17. - Collection, use and disclosure without consentDivision 2 - Purpose
18. - Limitation of purpose and extent19. - Personal data collected before appointed day20. - Notification of purposeDivision 1 - Preliminary
36. - Interpretation of this Part37. - Meaning of “specified message”38. - Application of this PartDivision 2 - Administration
39. - Register40. - Applications41. - Evidence42. - Information on terminated Singapore telephone numberDivision 3 - Specified message to Singapore telephone number
43. - Duty to check register44. - Contact information45. - Calling line identity not to be concealed46. - Consent47. - Withdrawal of consent48. - Defence for employee49. - Advisory guidelines50. - Powers of investigation51. - Offences and penalties52. - Offences by bodies corporate, etc.53. - Liability of employers for acts of employees54. - Jurisdiction of court55. - Composition of offences56. - General penalties57. - Public servants and public officers58. - Evidence in proceedings59. - Preservation of secrecy60. - Protection from personal liability61. - Symbol of Commission62. - Power to exempt63. - Certificate as to national interest64. - Amendment of Schedules65. - Power to make regulations66. - Rules of Court67. - Saving and transitional provisions68. - Dissolution
1. - An organisation may collect personal data about an individual without the consent of the individual or from a source other2. - In this paragraph and paragraph 1(h) —3. - (1) The conditions in this paragraph shall apply if the personal data is collected under paragraph 1(p).4. - For the avoidance of doubt, personal data disclosed before the appointed day in the circumstances and conditions set out in
1. - An organisation may disclose personal data about an individual without the consent of the individual in any of the following2. - In the case of disclosure under paragraph 1(c), the organisation shall, as soon as may be practicable, notify the individual3. - (1) The conditions in this paragraph shall apply to personal data disclosed under paragraph 1(p).4. - Paragraph 1(q) shall not apply unless —5. - For the avoidance of doubt, personal data collected before the appointed day in the circumstances and conditions set out in
This Act may be cited as the Personal Data Protection Act 2012 and shall come into operation on such date as the Minister may, by notification in the Gazette, appoint.
(1) Parts III to VI shall not impose any obligation on —
(2) Parts III to VI (except for section 24 (protection of personal data) and section 25 (retention of personal data)) shall not impose any obligation on a data intermediary in respect of its processing of personal data on behalf of and for the purposes of another organisation pursuant to a contract which is evidenced or made in writing.
(3) An organisation shall have the same obligation under this Act in respect of personal data processed on its behalf and for its purposes by a data intermediary as if the personal data were processed by the organisation itself.
(4) This Act shall not apply in respect of —
(b) personal data about a deceased individual, except that the provisions relating to the disclosure of personal data and section 24 (protection of personal data) shall apply in respect of personal data about an individual who has been dead for 10 years or fewer.
(5) Except where business contact information is expressly referred to, Parts III to VI shall not apply to business contact information.
(a) nothing in Parts III to VI shall affect any authority, right, privilege or immunity conferred, or obligation or limitation imposed, by or under the law, including legal privilege, except that the performance of a contractual obligation shall not be an excuse for contravening this Act; and
(b) the provisions of other written law shall prevail to the extent that any provision of Parts III to VI is inconsistent with the provisions of that other written law.
The functions of the Commission shall be —
(2) The Commission may consult such advisory committees in relation to the performance of its functions and duties and the exercise of its powers under this Act but shall not be bound by such consultation.
(3) In exercising any of the powers of enforcement under this Act, an authorised officer shall on demand produce to the person against whom he is acting the authority issued to him by the Commission.
(3) The Commission shall not furnish any information to a foreign data protection body pursuant to a co-operation agreement unless it requires of, and obtains from, that body an undertaking in writing by it that it will comply with terms specified in that requirement, including terms that correspond to the provisions of any written law concerning the disclosure of that information by the Commission.
(1) In meeting its responsibilities under this Act, an organisation shall consider what a reasonable person would consider appropriate in the circumstances.
(3) An organisation shall designate one or more individuals to be responsible for ensuring that the organisation complies with this Act.
(5) An organisation shall make available to the public the business contact information of at least one of the individuals designated under subsection (3) or delegated under subsection (4).
(6) The designation of an individual by an organisation under subsection (3) shall not relieve the organisation of any of its obligations under this Act.
An organisation shall —
An organisation shall not, on or after the appointed day, collect, use or disclose personal data about an individual unless —
(2) An organisation shall not —
(4) In this Act, references to consent given, or deemed to have been given, by an individual for the collection, use or disclosure of personal data about the individual shall include consent given, or deemed to have been given, by any person validly acting on behalf of that individual for the collection, use or disclosure of such personal data.
(2) On receipt of the notice referred to in subsection (1), the organisation concerned shall inform the individual of the likely consequences of withdrawing his consent.
(3) An organisation shall not prohibit an individual from withdrawing his consent to the collection, use or disclosure of personal data about the individual, but this section shall not affect any legal consequences arising from such withdrawal.
(4) Subject to section 25, if an individual withdraws consent to the collection, use or disclosure of personal data about the individual by an organisation for any purpose, the organisation shall cease (and cause its data intermediaries and agents to cease) collecting, using or disclosing the personal data, as the case may be, unless such collection, use or disclosure, as the case may be, without the consent of the individual is required or authorised under this Act or other written law.
(1) For the purposes of sections 14(1)(a) and 18(b), an organisation shall inform the individual of —
(2) An organisation, on or before collecting personal data about an individual from another organisation without the consent of the individual, shall provide the other organisation with sufficient information regarding the purpose of the collection to allow that other organisation to determine whether the disclosure would be in accordance with this Act.
(3) Subsection (1) shall not apply if —
(4) Notwithstanding subsection (3), an organisation, on or before collecting, using or disclosing the personal data about an individual for the purpose of managing or terminating an employment relationship between the organisation and that individual, shall inform the individual of —
(1) Subject to subsections (2), (3) and (4), on request of an individual, an organisation shall, as soon as reasonably possible, provide the individual with —
(3) An organisation shall not provide an individual with the individual’s personal data or other information under subsection (1) if the provision of that personal data or other information, as the case may be, could reasonably be expected to —
(4) An organisation shall not inform any individual under subsection (1) that it has disclosed personal data to a prescribed law enforcement agency if the disclosure was made without the consent of the individual pursuant to paragraph 1(f) or (n) of the Fourth Schedule or under any other written law.
(5) If an organisation is able to provide the individual with the individual’s personal data and other information requested under subsection (1) without the personal data or other information excluded under subsections (2), (3) and (4), the organisation shall provide the individual with access to the personal data and other information without the personal data or other information excluded under subsections (2), (3) and (4).
(2) Unless the organisation is satisfied on reasonable grounds that a correction should not be made, the organisation shall —
(4) When an organisation is notified under subsection (2)(b) or (3) of a correction of personal data, the organisation shall correct the personal data in its possession or under its control unless the organisation is satisfied on reasonable grounds that the correction should not be made.
(5) If no correction is made under subsection (2)(a) or (4), the organisation shall annotate the personal data in its possession or under its control with the correction that was requested but not made.
(6) Nothing in this section shall require an organisation to correct or otherwise alter an opinion, including a professional or an expert opinion.
An organisation shall make a reasonable effort to ensure that personal data collected by or on behalf of the organisation is accurate and complete, if the personal data —
An organisation shall protect personal data in its possession or under its control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks.
An organisation shall cease to retain its documents containing personal data, or remove the means by which the personal data can be associated with particular individuals, as soon as it is reasonable to assume that —
(1) An organisation shall not transfer any personal data to a country or territory outside Singapore except in accordance with requirements prescribed under this Act to ensure that organisations provide a standard of protection to personal data so transferred that is comparable to the protection under this Act.
(3) Subsection (2)(d) shall not apply in relation to any failure to comply with a provision of this Act, the breach of which is an offence under this Act.
(4) The Commission shall, in any direction requiring the payment of a financial penalty, specify the date before which the financial penalty is to be paid, being a date not earlier than the end of the period within which an application for reconsideration of the direction, or an appeal against the direction, may be brought under section 31 or 34, respectively.
(5) The interest payable on the outstanding amount of any financial penalty imposed under subsection (2)(d) and for payment by instalment (as may be directed by the Commission in its discretion) of any financial penalty imposed under subsection (2)(d) shall be at such rate as the Commission may direct, which shall not exceed the rate prescribed in the Rules of Court in respect of judgment debts.
(6) Any interest ordered to be paid under subsection (5) shall form part of the penalty payable and be enforced in accordance with section 30.
(1) For the purposes of enforcement of any direction made by the Commission under section 28(2) or 29, the Commission may apply for the direction to be registered in a District Court in accordance with the Rules of Court and the District Court shall register the direction in accordance with the Rules of Court.
(2) From the date of registration of any direction under subsection (1), the direction shall be of the same force and effect, and all proceedings may be taken on the direction, for the purposes of enforcement as if it had been an order originally obtained in the District Court which shall have power to enforce it accordingly.
(3) A District Court shall have jurisdiction to enforce any direction in accordance with subsection (2) regardless of the monetary amount involved and may, for the purpose of enforcing such direction, make any order —
(2) Unless the Commission decides otherwise in any particular case, an application for reconsideration shall not suspend the effect of the direction or decision to be reconsidered except in the case of an application for reconsideration of a direction to pay a financial penalty or of the amount thereof.
(3) The application for reconsideration shall be made in such form and manner as the Commission may require and shall set out the grounds on which the applicant is requesting the reconsideration.
(4) If any application for reconsideration is made in accordance with this section, the Commission shall —
(5) There shall be no application for reconsideration of a decision made under subsection (4)(b).
(1) Any person who suffers loss or damage directly as a result of a contravention of any provision in Part IV, V or VI by an organisation shall have a right of action for relief in civil proceedings in a court.
(1) There shall be established a Data Protection Appeal Panel.
(2) The Minister shall appoint the members of the Appeal Panel.
(3) The Chairman of the Appeal Panel shall be appointed by the Minister from among the members of the Appeal Panel.
(5) The Seventh Schedule shall have effect with respect to the Appeal Panel, Appeal Committees and their members and the proceedings of Appeal Committees, as the case may be.
(2) Where any application for reconsideration has been made under section 31, every appeal in respect of the same direction or decision which is the subject of the application for reconsideration shall be deemed to be withdrawn.
(3) Unless the Appeal Committee decides otherwise in any particular case, the making of an appeal under this section shall not suspend the effect of the direction or decision to which the appeal relates except in the case of an appeal against the imposition of a financial penalty or the amount thereof.
(5) Any direction or decision of an Appeal Committee on an appeal has the same effect, and may be enforced in the same manner, as a direction or decision of the Commission, except that there shall be no application for further reconsideration under section 31 and no further appeal under this section from any direction or decision of the Appeal Committee.
(1) An appeal against, or with respect to, a direction or decision of an Appeal Committee shall lie to the High Court —
(3) The High Court shall hear and determine any such appeal and may —
(4) There shall be such further right of appeal from decisions of the High Court under this section as exists in the case of decisions made by that Court in the exercise of its original civil jurisdiction.
“goods” means any personal property, whether tangible or intangible, and shall be deemed to include —
(2) For the purposes of this Part, a telecommunications service provider who merely provides a service that enables a specified message to be sent shall, unless the contrary is proved, be presumed not to have sent the message and not to have authorised the message to be sent.
(3) For the purposes of this Part, if a specified message is sent and at the relevant time the telecommunications device, service or network from which it was sent was controlled by a person without the knowledge of the owners or authorised users of the telecommunications device, service or network, the owners or authorised users shall, unless the contrary is proved, be presumed not to have sent the message and not to have authorised the sending of the message.
(3) Subject to subsection (4), a person who authorises another person to offer, advertise or promote the first person’s goods, services, land, interest or opportunity shall be deemed to have authorised the sending of any message sent by the second person that offers, advertises or promotes that first person’s goods, services, land, interest or opportunity.
(4) For the purposes of subsection (3), a person who takes reasonable steps to stop the sending of any message referred to in that subsection shall be deemed not to have authorised the sending of the message.
(5) For the purposes of this Part, a specified message shall not include any message referred to in the Eighth Schedule.
This Part shall apply to a specified message addressed to a Singapore telephone number where —
(1) The Commission shall cause to be kept and maintained one or more registers of Singapore telephone numbers, each known as a Do Not Call Register, for the purposes of this Part.
(2) Each register shall be kept in such form and shall contain such particulars as the Commission thinks fit.
A certificate purporting to be signed by the Chief Executive of the Authority or an authorised officer and stating that a Singapore telephone number was or was not listed in a register at a date specified in the certificate shall be admissible as evidence of its contents in any proceedings.
(1) Every telecommunications service provider shall report to the Commission, in the form and manner prescribed, all terminated Singapore telephone numbers.
(2) A telecommunications service provider which contravenes subsection (1) shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $10,000.
it shall be the responsibility of the first provider to satisfy subsection (1).
(5) Without prejudice to the obligations of the telecommunications service provider under subsections (1) to (4), the Commission shall pay the prescribed fees to the telecommunications service provider for each terminated Singapore telephone number reported to the Commission in accordance with this section.
(1) No person shall, on or after the prescribed date, send a specified message addressed to a Singapore telephone number unless the person had within the prescribed duration (which may include a duration before the prescribed date) before sending the specified message —
(2) Any person who contravenes subsection (1) shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $10,000.
(3) In any proceedings for an offence under subsection (1), it shall be a defence for the person charged to prove that the subscriber or user of the telephone number —
(a) where there is only one register kept or maintained under section 39, the relevant register shall refer to that one register; and
(b) where there are 2 or more registers kept or maintained under section 39 for different types of specified messages, the relevant register shall refer to the register relevant for the particular type of specified message.
(1) No person shall, on or after the prescribed date, send a specified message addressed to a Singapore telephone number unless —
(2) Any person who contravenes subsection (1) shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $10,000.
(1) A person who, on or after the prescribed date, makes a voice call containing a specified message or causes a voice call containing a specified message to be made or authorises the making of a voice call containing a specified message, addressed to a Singapore telephone number from a telephone number or facsimile number, shall not do any of the following:
(2) Any person who contravenes subsection (1) shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $10,000.
(1) A person shall not, as a condition for supplying goods, services, land, interest or opportunity, require a subscriber or user of a Singapore telephone number to give consent for the sending of a specified message to that Singapore telephone number or any other Singapore telephone number beyond what is reasonable to provide the goods, services, land, interest or opportunity to that subscriber or user, and any consent given in such circumstance is not validly given.
(2) A person shall not prohibit a subscriber or user of a Singapore telephone number from withdrawing his consent to the sending of a specified message to that Singapore telephone number, but this section shall not affect any legal consequences arising from such withdrawal.
(3) If a subscriber or user of a Singapore telephone number gives notice withdrawing consent given to a person for the sending of any specified message to that Singapore telephone number, the person shall cease (and cause its agent to cease) sending any specified message to that Singapore telephone number after the expiry of the prescribed period.
(4) For the purposes of this Part, a subscriber or user of a Singapore telephone number shall be deemed to have given his consent to a person to send a specified message to that Singapore telephone number if the subscriber or user —
the application to add or the addition of that Singapore telephone number shall not be regarded as a withdrawal of the consent.
(3) The Commission shall publish the guidelines in any way the Commission thinks fit, but failure to comply with this subsection in respect of any guidelines shall not invalidate the guidelines.
(2) The powers of investigation under this section of the Commission and the inspectors shall be as set out in the Ninth Schedule.
(4) An organisation shall retain records relating to an investigation under this section for one year after the conclusion of the investigation or any longer period specified in writing by the Commission.
(1) A person shall be guilty of an offence if he makes a request under section 21 or 22, as the case may be, to obtain access to or to change the personal data about another individual without the authority of that individual.
(2) Any person guilty of an offence under subsection (1) shall be liable on conviction to a fine not exceeding $5,000 or to imprisonment for a term not exceeding 12 months or to both.
the officer as well as the body corporate shall be guilty of the offence and shall be liable to be proceeded against and punished accordingly.
(2) Where the affairs of a body corporate are managed by its members, subsection (1) shall apply in relation to the acts and defaults of a member in connection with his functions of management as if he were a director of the body corporate.
the partner as well as the partnership shall be guilty of the offence and shall be liable to be proceeded against and punished accordingly.
the officer or member as well as the unincorporated association shall be guilty of the offence and shall be liable to be proceeded against and punished accordingly.
(1) Any act done or conduct engaged in by a person in the course of his employment (referred to in this section as the employee) shall be treated for the purposes of this Act as done or engaged in by his employer as well as by him, whether or not it was done or engaged in with the employer’s knowledge or approval.
Notwithstanding any provision to the contrary in the Criminal Procedure Code (Cap. 68), a District Court shall have jurisdiction to try any offence under this Act and shall have power to impose the full penalty or punishment in respect of the offence.
(3) On payment of such sum of money, no further proceedings shall be taken against that person in respect of the offence.
Any person guilty of an offence under this Act for which no penalty is expressly provided shall be liable on conviction to a fine not exceeding $10,000 or to imprisonment for a term not exceeding 3 years or to both and, in the case of a continuing offence, to a further fine not exceeding $1,000 for every day or part thereof during which the offence continues after conviction.
(1) The Commission, the Appeal Panel, an Appeal Committee, their members and anyone acting for or under the direction of the Commission shall not give or be compelled to give evidence in a court or in any other proceedings in respect of any information obtained in performing their duties or exercising their powers or functions under this Act, except —
(1) Subject to subsection (5), every specified person shall preserve, and aid in the preservation of, secrecy with regard to —
that may come to his knowledge in the performance of his functions and discharge of his duties under this Act and shall not communicate any such matter to any person, except in so far as such communication —
(2) Any person who fails to comply with subsection (1) shall be guilty of an offence.
(4) Every claim made under subsection (3) shall be supported by a written statement giving reasons why the information is confidential.
No liability shall be incurred by —
(1) The Commission shall have the exclusive right to the use of such symbol or representation as may be prescribed in connection with its activities or affairs.
(2) Any person who, without the authority of the Commission, uses a symbol or representation identical with that of the Commission, or which so resembles the symbol or representation of the Commission as to deceive or cause confusion, or to be likely to deceive or to cause confusion, shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $2,000 or to imprisonment for a term not exceeding 6 months or to both.
For the purposes of this Act, if any doubt arises as to whether anything is necessary for the purpose of, or could be contrary to, the national interest, a certificate signed by the Minister charged with responsibility for that matter shall be conclusive evidence of the matters stated therein.
(2) An order under this section shall be presented to Parliament as soon as possible after publication in the Gazette.
(1) The conditions in this paragraph shall apply if the personal data is collected under paragraph 1(p).
(a) the organisation shall only use or disclose the personal data collected for the same purposes for which the other organisation would have been permitted to use or disclose the data;
(b) if any of the personal data collected does not relate directly to the part of the other organisation or its business assets with which the business asset transaction entered into is concerned, the organisation shall destroy, or return to the other organisation, any such personal data; and
(c) the employees, customers, directors, officers and shareholders whose personal data is disclosed shall be notified that —
(4) If a business asset transaction does not proceed or is not completed, the organisation shall destroy, or return to the other organisation, all the personal data collected.
For the avoidance of doubt, personal data disclosed before the appointed day in the circumstances and conditions set out in the Fourth Schedule shall satisfy paragraph 1(r), notwithstanding that section 17(3) was not in force at the time of the disclosure.
Paragraph 1(i) shall not apply unless —
For the avoidance of doubt, personal data collected before the appointed day in the circumstances and conditions set out in the Second Schedule shall satisfy paragraph 1(j) notwithstanding that section 17(1) was not in force at the time of the collection.
In the case of disclosure under paragraph 1(c), the organisation shall, as soon as may be practicable, notify the individual whose personal data is disclosed of the disclosure and the purposes of the disclosure.
(1) The conditions in this paragraph shall apply to personal data disclosed under paragraph 1(p).
(3) If the organisation enters into the business asset transaction, the employees, customers, directors, officers and shareholders whose personal data is disclosed shall be notified that —
Paragraph 1(q) shall not apply unless —
For the avoidance of doubt, personal data collected before the appointed day in the circumstances and conditions set out in the Second Schedule shall satisfy paragraph 1(s) notwithstanding that section 17(1) was not in force at the time of the collection.
Section 22 shall not apply in respect of —
(1) The Data Protection Appeal Panel shall consist of not more than 30 members appointed, from time to time, by the Minister on the basis of their ability and experience in industry, commerce or administration or their professional qualifications or their suitability otherwise for appointment.
(2) Members of the Appeal Panel shall be appointed for such period as may be determined by the Minister and shall be eligible for re-appointment.
(1) The Chairman of the Appeal Panel, unless his appointment is revoked by the Minister or unless he resigns during his term of office, shall hold office for such period as the Minister may determine and shall be eligible for re appointment.
(1) An Appeal Committee shall have all the powers and duties of the Commission that are necessary to perform its functions and discharge its duties under this Act.
(2) An Appeal Committee shall have the powers, rights and privileges vested in a District Court on the hearing of an action, including —
(3) A summons signed by such member of an Appeal Committee as may be authorised by the Appeal Committee shall be equivalent to any formal procedure capable of being issued in an action for enforcing the attendance of witnesses and compelling the production of documents.
(4) Where any person being duly summoned to attend before an Appeal Committee does not so attend, that person shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $5,000 or to imprisonment for a term not exceeding 6 months or to both.
(5) A witness before an Appeal Committee shall be entitled to the same immunities and privileges as if he were a witness before a District Court.
(6) All appeals under section 34 shall be determined, having regard to the nature and complexity of the appeal, as soon as reasonably practicable.
(7) An Appeal Committee shall inform the Commission and the parties to the appeal of the date on and the place at which the appeal shall be heard.
(8) An Appeal Committee shall inform the Commission and the parties to the appeal of its decision in respect of the appeal and the reasons for its decision.
For the purposes of Part IX, a specified message shall not include any of the following:
(2) A notice under sub-paragraph (1) shall indicate the purpose for which the specified document or specified information is required by the Commission.
(2) No inspector or person assisting the inspector shall enter any premises in exercise of the powers under this paragraph unless the inspector has given the occupier of the premises a written notice which —
(3) Sub-paragraph (2) shall not apply if the inspector has reasonable grounds for suspecting that the premises are, or have been, occupied by an organisation which is being investigated in relation to a contravention of this Act and if the inspector has taken all such steps as are reasonably practicable to give written notice under that sub-paragraph but has not been able to do so.
(4) Where sub-paragraph (3) applies, the power of entry conferred by sub paragraph (1) shall be exercised upon production of —
(2) A warrant under this paragraph shall authorise a named officer, and such other persons as the inspector may require to assist him, to do all or any of the following:
(3) If, in the case of a warrant under sub-paragraph (1)(b), the court is satisfied that it is reasonable to suspect that there are also on the premises other documents relating to the investigation concerned, the warrant shall also authorise the actions mentioned in sub-paragraph (2) to be taken in relation to any such document.
(6) A warrant issued under this paragraph shall —
(7) The powers conferred by this paragraph shall not be exercised except upon production of a warrant issued under this paragraph.
(9) If there is no one at the premises when the named officer proposes to execute such a warrant, he shall, before executing it —
(10) If the named officer is unable to inform the occupier of the intended entry, he shall, when executing the warrant, leave a copy of the warrant in a prominent place on the premises.
(11) On leaving any premises which he has entered by virtue of a warrant under this paragraph, the named officer shall, if the premises are unoccupied or the occupier is temporarily absent, leave them as effectively secured as he found them.