PART I Short title and commencement |
1. This Act may be cited as the Personal Data Protection Act 2012 and shall come into operation on such date as the Minister may, by notification in the Gazette, appoint. |
2.—(1) In this Act, unless the context otherwise requires —“Administration Body” means the Administration Body appointed under section 9; |
“advisory committee” means an advisory committee appointed under section 7; |
“Appeal Committee” means a Data Protection Appeal Committee nominated under section 33(4); |
“Appeal Panel” means the Data Protection Appeal Panel established under section 33(1); |
“appointed day” means the date of commencement of Parts III to VI; |
“authorised officer”, in relation to the exercise of any power or performance of any function or duty under any provision of this Act, means a person to whom the exercise of that power or performance of that function or duty under that provision has been delegated under section 8(2); |
“benefit plan” means an insurance policy, a pension plan, an annuity, a provident fund plan or other similar plan; |
“business” includes the activity of any organisation, whether or not carried on for purposes of gain, or conducted on a regular, repetitive or continuous basis, but does not include an individual acting in his personal or domestic capacity; |
“business contact information” means an individual’s name, position name or title, business telephone number, business address, business electronic mail address or business fax number and any other similar information about the individual, not provided by the individual solely for his personal purposes; |
“Chairman” means the Chairman of the Commission appointed under paragraph 1(1) of the First Schedule; |
“Commission” means the Personal Data Protection Commission established under section 5; |
“credit bureau” means an organisation which —(a) | provides credit reports for gain or profit; or | (b) | provides credit reports on a routine, non-profit basis as an ancillary part of a business carried on for gain or profit; |
|
“credit report” means a communication, whether in written, oral or other form, provided to an organisation to assess the creditworthiness of an individual in relation to a transaction between the organisation and the individual; |
“data intermediary” means an organisation which processes personal data on behalf of another organisation but does not include an employee of that other organisation; |
“document” includes information recorded in any form; |
“domestic” means related to home or family; |
“education institution” means any organisation that provides education, including instruction, training or teaching, whether by itself or in association or collaboration with or by affiliation with any other person; |
“employee” includes a volunteer; |
“employment” includes working under an unpaid volunteer work relationship; |
“evaluative purpose” means —(a) | for the purpose of determining the suitability, eligibility or qualifications of the individual to whom the data relates —(i) | for employment or for appointment to office; | (ii) | for promotion in employment or office or for continuance in employment or office; | (iii) | for removal from employment or office; | (iv) | for admission to an education institution; | (v) | for the awarding of contracts, awards, bursaries, scholarships, honours or other similar benefits; | (vi) | for selection for an athletic or artistic purpose; or | (vii) | for grant of financial or social assistance, or the delivery of appropriate health services, under any scheme administered by a public agency; |
| (b) | for the purpose of determining whether any contract, award, bursary, scholarship, honour or other similar benefit should be continued, modified or cancelled; | (c) | for the purpose of deciding whether to insure any individual or property or to continue or renew the insurance of any individual or property; or | (d) | for such other similar purposes as may be prescribed by the Minister; |
|
“individual” means a natural person, whether living or deceased; |
“investigation” means an investigation relating to —(a) | a breach of an agreement; | (b) | a contravention of any written law, or any rule of professional conduct or other requirement imposed by any regulatory authority in exercise of its powers under any written law; or | (c) | a circumstance or conduct that may result in a remedy or relief being available under any law; |
|
“national interest” includes national defence, national security, public security, the maintenance of essential services and the conduct of international affairs; |
“organisation” includes any individual, company, association or body of persons, corporate or unincorporated, whether or not —(a) | formed or recognised under the law of Singapore; or | (b) | resident, or having an office or a place of business, in Singapore; |
|
“personal data” means data, whether true or not, about an individual who can be identified —(a) | from that data; or | (b) | from that data and other information to which the organisation has or is likely to have access; |
|
“prescribed healthcare body” means a healthcare body, prescribed for the purposes of the Fourth Schedule by the Minister charged with the responsibility for health; |
“prescribed law enforcement agency” means an authority charged with the duty of investigating offences or charging offenders under written law, prescribed for the purposes of section 21(4) and the Fourth Schedule by the Minister charged with the responsibility for that authority; |
“private trust” means a trust for the benefit of one or more designated individuals who are friends, or members of the family, of the settlor; |
“proceedings” means any civil, criminal or administrative proceedings by or before a court, tribunal or regulatory authority that is related to the allegation of —(a) | a breach of an agreement; | (b) | a contravention of any written law or any rule of professional conduct or other requirement imposed by any regulatory authority in exercise of its powers under any written law; or | (c) | a wrong or a breach of a duty for which a remedy is claimed under any law; |
|
“processing”, in relation to personal data, means the carrying out of any operation or set of operations in relation to the personal data, and includes any of the following:(a) | recording; | (b) | holding; | (c) | organisation, adaptation or alteration; | (d) | retrieval; | (e) | combination; | (f) | transmission; | (g) | erasure or destruction; |
|
“public agency” includes —(a) | the Government, including any ministry, department, agency, or organ of State; | (b) | any tribunal appointed under any written law; or | (c) | any statutory body specified under subsection (2); |
|
“publicly available”, in relation to personal data about an individual, means personal data that is generally available to the public, and includes personal data which can be observed by reasonably expected means at a location or an event —(a) | at which the individual appears; and | (b) | that is open to the public; |
|
“relevant body” means the Commission, the Administration Body, the Appeal Panel or any Appeal Committee; |
“tribunal” includes a judicial or quasi-judicial body or a disciplinary, an arbitral or a mediatory body. |
(2) The Minister may, by notification in the Gazette, specify any statutory body established under a public Act for a public function to be a public agency for the purposes of this Act. |
|
3. The purpose of this Act is to govern the collection, use and disclosure of personal data by organisations in a manner that recognises both the right of individuals to protect their personal data and the need of organisations to collect, use or disclose personal data for purposes that a reasonable person would consider appropriate in the circumstances. |
4.—(1) Parts III to VI shall not impose any obligation on —(a) | any individual acting in a personal or domestic capacity; | (b) | any employee acting in the course of his employment with an organisation; | (c) | any public agency or an organisation in the course of acting on behalf of a public agency in relation to the collection, use or disclosure of the personal data; or | (d) | any other organisations or personal data, or classes of organisations or personal data, prescribed for the purposes of this provision. |
(2) Parts III to VI (except for section 24 (protection of personal data) and section 25 (retention of personal data)) shall not impose any obligation on a data intermediary in respect of its processing of personal data on behalf of and for the purposes of another organisation pursuant to a contract which is evidenced or made in writing. |
(3) An organisation shall have the same obligation under this Act in respect of personal data processed on its behalf and for its purposes by a data intermediary as if the personal data were processed by the organisation itself. |
(4) This Act shall not apply in respect of —(a) | personal data about an individual that is contained in a record that has been in existence for at least 100 years; or | (b) | personal data about a deceased individual, except that the provisions relating to the disclosure of personal data and section 24 (protection of personal data) shall apply in respect of personal data about an individual who has been dead for 10 years or fewer. |
|
(5) Except where business contact information is expressly referred to, Parts III to VI shall not apply to business contact information. |
(6) Unless otherwise expressly provided in this Act —(a) | nothing in Parts III to VI shall affect any authority, right, privilege or immunity conferred, or obligation or limitation imposed, by or under the law, including legal privilege, except that the performance of a contractual obligation shall not be an excuse for contravening this Act; and | (b) | the provisions of other written law shall prevail to the extent that any provision of Parts III to VI is inconsistent with the provisions of that other written law. |
|
|
|