Personal Data Protection Act 2012

Sections (86)

Click a section to view its full text and cited judgments.

• § 1 — Short title

  1. This Act is the Personal Data Protection Act 2012.

• § 10 — Cooperation agreements

  10.—(1) For the purposes of section 59, a cooperation agreement is an agreement for the purposes of —(a) facilitating cooperation between the Commission and another regulatory authority in the performance of their respective functions in so far as those functions relate to data protection; and (b)

• § 11 — Compliance with Act

  11.—(1) In meeting its responsibilities under this Act, an organisation must consider what a reasonable person would consider appropriate in the circumstances.(2) An organisation is responsible for personal data in its possession or under its control. (3) An organisation must designate one or more

• § 12 — Policies and practices

  12. An organisation must —(a) develop and implement policies and practices that are necessary for the organisation to meet the obligations of the organisation under this Act; (b) develop a process to receive and respond to complaints that may arise with respect to the application of this Act; (c)

• § 13 — Consent required

  13. An organisation must not, on or after 2 July 2014, collect, use or disclose personal data about an individual unless —(a) the individual gives, or is deemed to have given, his or her consent under this Act to the collection, use or disclosure, as the case may be; or (b) the collection, use or d

• § 14 — Provision of consent

  14.—(1) An individual has not given consent under this Act for the collection, use or disclosure of personal data about the individual by an organisation for a purpose unless —(a) the individual has been provided with the information required under section 20; and (b) the individual provided his or

• § 15 — Deemed consent

  15.—(1) An individual is deemed to consent to the collection, use or disclosure of personal data about the individual by an organisation for a purpose if —(a) the individual, without actually giving consent mentioned in section 14, voluntarily provides the personal data to the organisation for that

• § 15A — Deemed consent by notification

  15A.—(1) This section applies to the collection, use or disclosure of personal data about an individual by an organisation on or after 1 February 2021.[40/2020] (2) Subject to subsection (3), an individual is deemed to consent to the collection, use or disclosure of personal data about the individua

• § 16 — Withdrawal of consent

  16.—(1) On giving reasonable notice to the organisation, an individual may at any time withdraw any consent given, or deemed to have been given under this Act, in respect of the collection, use or disclosure by that organisation of personal data about the individual for any purpose.(2) On receipt of

• § 17 — Collection, use and disclosure without consent

  17.—(1) An organisation may —(a) collect personal data about an individual, without the individual’s consent or from a source other than the individual, in the circumstances or for the purposes, and subject to any condition, in the First Schedule or Part 1 of the Second Schedule; (b) use personal d

• § 18 — Limitation of purpose and extent

  18. An organisation may collect, use or disclose personal data about an individual only for purposes —(a) that a reasonable person would consider appropriate in the circumstances; and (b) that the individual has been informed of under section 20, if applicable.

• § 19 — Personal data collected before 2 July 2014

  19. Despite the other provisions in this Part, an organisation may use personal data about an individual collected before 2 July 2014 for the purposes for which the personal data was collected unless —(a) consent for such use is withdrawn in accordance with section 16; or (b) the individual, whethe

• § 2 — Interpretation

  2.—(1) In this Act, unless the context otherwise requires —“advisory committee” means an advisory committee appointed under section 7; “Appeal Committee” means a Data Protection Appeal Committee constituted under section 48P(4), read with the Seventh Schedule; “Appeal Panel” means the Data Protect

• § 20 — Notification of purpose

  20.—(1) For the purposes of sections 14(1)(a) and 18(b), an organisation must inform the individual of —(a) the purposes for the collection, use or disclosure of the personal data (as the case may be) on or before collecting the personal data; (b) any other purpose of the use or disclosure of the p

• § 21 — Access to personal data

  21.—(1) Subject to subsections (2), (3) and (4), on request of an individual, an organisation must, as soon as reasonably possible, provide the individual with —(a) personal data about the individual that is in the possession or under the control of the organisation; and (b) information about the w

• § 22 — Correction of personal data

  22.—(1) An individual may request an organisation to correct an error or omission in the personal data about the individual that is in the possession or under the control of the organisation.(2) Unless the organisation is satisfied on reasonable grounds that a correction should not be made, the orga

• § 22A — Preservation of copies of personal data

  22A.—(1) Where —(a) an individual, on or after 1 February 2021, makes a request under section 21(1)(a) to an organisation to provide personal data about the individual that is in the possession or under the control of the organisation; and (b) the organisation refuses to provide that personal data,

• § 23 — Accuracy of personal data

  23. An organisation must make a reasonable effort to ensure that personal data collected by or on behalf of the organisation is accurate and complete, if the personal data —(a) is likely to be used by the organisation to make a decision that affects the individual to whom the personal data relates;

• § 24 — Protection of personal data

  24. An organisation must protect personal data in its possession or under its control by making reasonable security arrangements to prevent —(a) unauthorised access, collection, use, disclosure, copying, modification or disposal, or similar risks; and (b) the loss of any storage medium or device on

• § 25 — Retention of personal data

  25. An organisation must cease to retain its documents containing personal data, or remove the means by which the personal data can be associated with particular individuals, as soon as it is reasonable to assume that —(a) the purpose for which that personal data was collected is no longer being ser

• § 26 — Transfer of personal data outside Singapore

  26.—(1) An organisation must not transfer any personal data to a country or territory outside Singapore except in accordance with requirements prescribed under this Act to ensure that organisations provide a standard of protection to personal data so transferred that is comparable to the protection

• § 26A — Interpretation of this Part

  26A. In this Part, unless the context otherwise requires —“affected individual” means any individual to whom any personal data affected by a data breach relates; “data breach”, in relation to personal data, means —(a) the unauthorised access, collection, use, disclosure, copying, modification or di

• § 26B — Notifiable data breaches

  26B.—(1) A data breach is a notifiable data breach if the data breach —(a) results in, or is likely to result in, significant harm to an affected individual; or (b) is, or is likely to be, of a significant scale.[40/2020] (2) Without limiting subsection (1)(a), a data breach is deemed to result in

• § 26C — Duty to conduct assessment of data breach

  26C.—(1) This section applies to a data breach that occurs on or after 1 February 2021.[40/2020] (2) Subject to subsection (3), where an organisation has reason to believe that a data breach affecting personal data in its possession or under its control has occurred, the organisation must conduct, i

• § 26D — Duty to notify occurrence of notifiable data breach

  26D.—(1) Where an organisation assesses, in accordance with section 26C, that a data breach is a notifiable data breach, the organisation must notify the Commission as soon as is practicable, but in any case no later than 3 calendar days after the day the organisation makes that assessment.[40/2020]

• § 26E — Obligations of data intermediary of public agency

  26E. Where an organisation —(a) is a data intermediary processing personal data on behalf of and for the purposes of a public agency; and (b) has reason to believe that a data breach has occurred in relation to that personal data, the organisation must, without undue delay, notify the public agenc

• § 3 — Purpose

  3. The purpose of this Act is to govern the collection, use and disclosure of personal data by organisations in a manner that recognises both the right of individuals to protect their personal data and the need of organisations to collect, use or disclose personal data for purposes that a reasonable

• § 36 — Interpretation of this Part

  36.—(1) In this Part, unless the context otherwise requires —“calling line identity” means the telephone number or information identifying the sender; “checker” means a person mentioned in section 43A(1); “financial services” has the meaning given by section 2 of the Consumer Protection (Fair Trad

• § 37 — Meaning of “specified message”

  37.—(1) Subject to subsection (5), for the purposes of this Part, a specified message is a message where, having regard to the following, it would be concluded that the purpose, or one of the purposes, of the message is an applicable purpose:(a) the content of the message; (b) the presentational as

• § 38 — Application of this Part

  38. This Part applies to a specified message addressed to a Singapore telephone number where —(a) the sender of the specified message is present in Singapore when the specified message is sent; or (b) the recipient of the specified message is present in Singapore when the specified message is acces

• § 39 — Register

  39.—(1) The Commission must cause to be kept and maintained one or more registers of Singapore telephone numbers, each known as a Do Not Call Register, for the purposes of this Part.(2) Each register must be kept in such form and must contain such particulars as the Commission thinks fit. (3) The C

• § 4 — Application of Act

  4.—(1) Parts 3, 4, 5, 6, 6A and 6B do not impose any obligation on —(a) any individual acting in a personal or domestic capacity; (b) any employee acting in the course of his or her employment with an organisation; (c) any public agency; or (d) any other organisations or personal data, or classes

• § 40 — Applications

  40.—(1) A subscriber may apply to the Commission, in the form and manner prescribed —(a) to add his or her Singapore telephone number to a register; or (b) to remove his or her Singapore telephone number from a register. (2) Any person may apply to the Commission, in the form and manner required b

• § 41 — Evidence

  41. A certificate purporting to be signed by the Chief Executive of the Authority or an authorised officer and stating that a Singapore telephone number was or was not listed in a register at a date specified in the certificate is admissible as evidence of its contents in any proceedings.[22/2016]

• § 42 — Information on terminated Singapore telephone number

  42.—(1) Every telecommunications service provider must report to the Commission, in the form and manner prescribed, all terminated Singapore telephone numbers.(2) A telecommunications service provider which contravenes subsection (1) shall be guilty of an offence and shall be liable on conviction to

• § 43 — Duty to check register

  43.—(1) Subject to section 48(2), a person must not send a specified message addressed to a Singapore telephone number unless the person has, at the time the person sends the specified message, valid confirmation that the Singapore telephone number is not listed in the relevant register.[40/2020] (2

• § 43A — Duty of checkers

  43A.—(1) This section applies to a person (called the checker) that, for reward, provides to another person (P) information on whether a Singapore telephone number is listed in the relevant register (called in this section the applicable information) for the purpose of P’s compliance with section 43

• § 44 — Contact information

  44. Subject to section 48(2), a person must not send a specified message addressed to a Singapore telephone number unless —(a) the specified message includes clear and accurate information identifying the individual or organisation that sent or authorised the sending of the specified message; (b) t

• § 45 — Calling line identity not to be concealed

  45. Subject to section 48(3), a person that makes a voice call containing a specified message or causes a voice call containing a specified message to be made or authorises the making of a voice call containing a specified message, addressed to a Singapore telephone number, from a telephone number o

• § 46 — Consent

  46.—(1) A person must not, as a condition for supplying goods, services, land, interest or opportunity, require a subscriber or user of a Singapore telephone number to give consent for the sending of a specified message to that Singapore telephone number or any other Singapore telephone number beyon

• § 47 — Withdrawal of consent

  47.—(1) On giving notice, a subscriber or user of a Singapore telephone number may at any time withdraw any consent given to a person for the sending of any specified message to that Singapore telephone number.(2) A person must not prohibit a subscriber or user of a Singapore telephone number from w

• § 48 — Defence for employee

  48.—(1) In any proceedings for an offence under this Part brought against any employee in respect of an act or conduct alleged to have been done or engaged in (as the case may be) by the employee, it is a defence for the employee to prove that he or she did the act or engaged in the conduct in good

• § 48A — Interpretation of this Part

  48A.—(1) In this Part, unless the context otherwise requires —“address‑harvesting software” means software that is specifically designed or marketed for use for —(a) searching the Internet for telephone numbers; and (b) collecting, compiling, capturing or otherwise harvesting those telephone number

• § 48B — Prohibition on use of dictionary attacks and address‑harvesting software

  48B.—(1) Subject to subsections (2) and (3), a person must not send, cause to be sent or authorise the sending of an applicable message.[40/2020] (2) Subsection (1) does not apply to an employee (P) who sends, causes to be sent or authorises the sending of an applicable message in good faith —(a) in

• § 48C — Interpretation and application of this Part

  48C.—(1) In this Part, unless the context otherwise requires —“disclose”, in relation to personal data, includes providing access to personal data; “gain” means —(a) a gain in property or a supply of services, whether temporary or permanent; or (b) an opportunity to earn remuneration or greater re

• § 48D — Unauthorised disclosure of personal data

  48D.—(1) If —(a) an individual discloses, or the individual’s conduct causes disclosure of, personal data in the possession or under the control of an organisation or a public agency to another person; (b) the disclosure is not authorised by the organisation or public agency, as the case may be; an

• § 48E — Improper use of personal data

  48E.—(1) If —(a) an individual makes use of personal data in the possession or under the control of an organisation or a public agency; (b) the use is not authorised by the organisation or public agency, as the case may be; (c) the individual does so —(i) knowing that the use is not authorised by

• § 48F — Unauthorised re‑identification of anonymised information

  48F.—(1) If —(a) an individual takes any action to re‑identify or cause re‑identification of the person to whom anonymised information in the possession or under the control of an organisation or a public agency relates (called in this section the affected person); (b) the re‑identification is not

• § 48G — Alternative dispute resolution

  48G.—(1) If the Commission is of the opinion that any complaint by an individual (called in this section the complainant) against an organisation may more appropriately be resolved by mediation, the Commission may, without the consent of the complainant and the organisation, refer the matter to medi

• § 48H — Power to review

  48H.—(1) On the application of a complainant, the Commission may review —(a) a refusal by an organisation to provide access to personal data or other information requested by the complainant under section 21, or the organisation’s failure to provide that access within a reasonable time; (b) a refus

• § 48I — Directions for non‑compliance

  48I.—(1) The Commission may, if it is satisfied that —(a) an organisation has not complied or is not complying with any provision of Part 3, 4, 5, 6, 6A or 6B; or (b) a person has not complied or is not complying with any provision of Part 9 or section 48B(1), give the organisation or person (as t

• § 48J — Financial penalties

  48J.—(1) Subject to subsection (2), the Commission may, if it is satisfied that —(a) an organisation has intentionally or negligently contravened any provision of Part 3, 4, 5, 6, 6A or 6B; or (b) a person has intentionally or negligently contravened —(i) any provision of Part 9; or (ii) section 4

• § 48K — Procedure for giving of directions and imposing of financial penalty

  48K.—(1) Before giving any direction under section 48I or imposing a financial penalty under section 48J(1), the Commission must give written notice to the organisation or person concerned —(a) stating that the Commission intends to take action against the organisation or person under section 48I or

• § 48L — Voluntary undertakings

  48L.—(1) Without affecting sections 48I, 48J(1) and 50(1), where the Commission has reasonable grounds to believe that —(a) an organisation has not complied, is not complying or is likely not to comply with any provision of Part 3, 4, 5, 6, 6A or 6B; or (b) a person has not complied, is not complyi

• § 48M — Enforcement of directions of or written notices by Commission in District Court

  48M.—(1) For the purposes of enforcing a direction or written notice mentioned in subsection (2) —(a) the Commission may apply for the direction or written notice (as the case may be) to be registered in a District Court in accordance with the Rules of Court; and (b) the District Court is to regist

• § 48N — Reconsideration of directions or decisions

  48N.—(1) An organisation or a person (including any individual who is a complainant) aggrieved by —(a) any direction made by the Commission under section 48G(2), 48I(1) or (2) or 48L(4); or (b) any direction or decision made under section 48H(2), may make a written application to the Commission to

• § 48O — Right of private action

  48O.—(1) A person who suffers loss or damage directly as a result of a contravention —(a) by an organisation of any provision of Part 4, 5, 6, 6A or 6B; or (b) by a person of any provision of Division 3 of Part 9 or section 48B(1), has a right of action for relief in civil proceedings in a court.

• § 48P — Data Protection Appeal Panel and Data Protection Appeal Committees

  48P.—(1) There is established a Data Protection Appeal Panel.[40/2020] (2) The Minister must appoint the members of the Appeal Panel.[40/2020] (3) The Chairperson of the Appeal Panel must be appointed by the Minister from among the members of the Appeal Panel.[40/2020] (4) For the purpose of heari

• § 48Q — Appeal from direction or decision of Commission

  48Q.—(1) An organisation or a person (including an individual who is a complainant) aggrieved by —(a) any direction made by the Commission under section 48G(2), 48I(1) or (2) or 48L(4); (b) any direction or decision made by the Commission under section 48H(2); or (c) any decision made by the Commi

• § 48R — Appeals to General Division of High Court, etc.

  48R.—(1) An appeal against, or with respect to, a direction or decision of an Appeal Committee lies to the General Division of the High Court —(a) on a point of law arising from the direction or decision of the Appeal Committee; or (b) from any direction of the Appeal Committee as to the amount of

• § 49 — Advisory guidelines

  49.—(1) The Commission may issue written advisory guidelines indicating the manner in which the Commission will interpret the provisions of this Act.(2) Guidelines issued under this section may be varied, amended or revoked by the Commission. (3) The Commission must publish the guidelines in any wa

• § 5 — Personal Data Protection Commission

  5.—(1) The Info‑communications Media Development Authority is designated as the Personal Data Protection Commission.[22/2016] (2) The Personal Data Protection Commission is responsible for the administration of this Act.[22/2016] —(1) The Info‑communications Media Development Authority is designate

• § 50 — Powers of investigation

  50.—(1) The Commission may, upon complaint or of its own motion, conduct an investigation under this section to determine whether or not an organisation or a person is complying with this Act, including a voluntary undertaking given by the organisation or person under section 48L(1).[40/2020] (2) Th

• § 51 — Offences and penalties

  51.—(1) A person shall be guilty of an offence if the person —(a) makes a request under section 21(1) to obtain access to personal data about another individual without the authority of that other individual; (b) makes a request under section 22(1) to change personal data about another individual w

• § 52 — Offences by corporations

  52.—(1) Where, in a proceeding for an offence under this Act, it is necessary to prove the state of mind of a corporation in relation to a particular conduct, evidence that —(a) an officer, employee or agent of the corporation engaged in that conduct within the scope of the actual or apparent author

• § 52A — Offences by unincorporated associations or partnerships

  52A.—(1) Where, in a proceeding for an offence under this Act, it is necessary to prove the state of mind of an unincorporated association or a partnership in relation to a particular conduct, evidence that —(a) an employee or agent of the unincorporated association or partnership engaged in that co

• § 53 — Liability of employers for acts of employees

  53.—(1) Any act done or conduct engaged in by a person in the course of his or her employment (called in this section the employee) is treated for the purposes of this Act as done or engaged in by his or her employer as well as by the employee, whether or not it was done or engaged in with the emplo

• § 54 — Jurisdiction of court

  54. Despite any provision to the contrary in the Criminal Procedure Code 2010, a District Court has jurisdiction to try any offence under this Act and has power to impose the full penalty or punishment in respect of the offence.

• § 55 — Composition of offences

  55.—(1) The Commission may compound any offence under this Act (except Part 9) that is prescribed as a compoundable offence by collecting from a person reasonably suspected of having committed the offence a sum not exceeding the lower of the following:(a) one half of the amount of the maximum fine t

• § 56 — General penalties

  56. A person guilty of an offence under this Act for which no penalty is expressly provided shall be liable on conviction to a fine not exceeding $10,000 or to imprisonment for a term not exceeding 3 years or to both and, in the case of a continuing offence, to a further fine not exceeding $1,000 fo

• § 57 — Public servants and public officers

  57.—(1) All individuals appointed under section 8(1) —(a) are deemed to be public servants for the purposes of the Penal Code 1871; and (b) are, in relation to their administration, assessment, collection or enforcement of payment of composition sums under this Act, deemed to be public officers for

• § 58 — Evidence in proceedings

  58.—(1) The Commission, the Appeal Panel, an Appeal Committee, their members and anyone acting for or under the direction of the Commission must not give or be compelled to give evidence in a court or in any other proceedings in respect of any information obtained in performing their duties or exerc

• § 59 — Preservation of secrecy

  59.—(1) Subject to subsection (5), every specified person must preserve, and aid in the preservation of, secrecy with regard to —(a) any personal data an organisation would be required or authorised to refuse to disclose if it were contained in personal data requested under section 21; (b) whether

• § 6 — Functions of Commission

  6. The functions of the Commission are —(a) to promote awareness of data protection in Singapore; (b) to provide consultancy, advisory, technical, managerial or other specialist services relating to data protection; (c) to advise the Government on all matters relating to data protection; (d) to r

• § 60 — Protection from personal liability

  60. No liability shall be incurred by —(a) any member or officer of a relevant body; (b) any person authorised, appointed or employed to assist a relevant body; (c) any person who is on secondment or attachment to a relevant body; (d) any person authorised or appointed by a relevant body to exerc

• § 61 — Symbol of Commission

  61.—(1) The Commission has the exclusive right to the use of such symbol or representation as may be prescribed in connection with its activities or affairs.(2) A person who, without the authority of the Commission, uses a symbol or representation identical with that of the Commission, or which so r

• § 62 — Power to exempt

  62. The Commission may, with the approval of the Minister, by order in the Gazette, exempt any person or organisation or any class of persons or organisations from all or any of the provisions of this Act, subject to such terms or conditions as may be specified in the order.

• § 63 — Certificate as to national interest

  63. For the purposes of this Act, if any doubt arises as to whether anything is necessary for the purpose of, or could be contrary to, the national interest, a certificate signed by the Minister charged with responsibility for that matter is conclusive evidence of the matters stated in the certifica

• § 64 — Amendment of Schedules

  64.—(1) The Minister may, by order in the Gazette, amend any of the Schedules, except the Ninth Schedule.(2) An order under this section must be presented to Parliament as soon as possible after publication in the Gazette. —(1) The Minister may, by order in the Gazette, amend any of the Schedules,

• § 65 — Power to make regulations

  65.—(1) The Commission may, with the approval of the Minister, make such regulations as may be necessary or expedient for carrying out the purposes and provisions of this Act and for prescribing anything that may be required or authorised to be prescribed by this Act.[22/2016] (2) Without limiting s

• § 66 — Rules of Court

  66. Rules of Court may be made to provide for the practice and procedure relating to actions under section 48O and appeals under section 48R, including the requirement that the claimant notify the Commission upon commencing any such action or appeal, and for matters related thereto.[40/2020] [Act 25

• § 67 — Saving and transitional provisions

  67.—(1) Every act done by or on behalf of the Former Commission before 1 October 2016 remains valid and has effect as though it has been done by or on behalf of the Commission, until such time as the Commission invalidates, revokes, cancels or otherwise determines that act.[22/2016] (2) Where any th

• § 68 — Dissolution

  68.—(1) The Former Commission is dissolved.[22/2016] (2) In this section, “Former Commission” has the meaning given by section 67(9).[22/2016] —(1) The Former Commission is dissolved.[22/2016] (2) In this section, “Former Commission” has the meaning given by section 67(9).[22/2016]

• § 7 — Advisory committees

  7.—(1) The Minister may appoint one or more advisory committees to provide advice to the Commission with regard to the performance of any of its functions under this Act.(2) The Commission may consult such advisory committees in relation to the performance of its functions and duties and the exercis

• § 8 — Delegation

  8.—(1) The Commission may appoint, by name or office, from among public officers and the employees of the Authority —(a) the Commissioner for Personal Data Protection; and (b) such number of Deputy Commissioners for Personal Data Protection, Assistant Commissioners for Personal Data Protection and

• § 9 — Conduct of proceedings

  9.—(1) An individual appointed under section 8(1) or an employee of the Authority, who is authorised in writing by the Chief Executive of the Authority for the purpose of this section, may conduct, with the authorisation of the Public Prosecutor, proceedings in respect of an offence under this Act.[