PART I
PRELIMINARY
Short title and commencement
1.  This Act may be cited as the Personal Data Protection Act 2012 and shall come into operation on such date as the Minister may, by notification in the Gazette, appoint.
Interpretation
2.—(1)  In this Act, unless the context otherwise requires —
[Deleted by Act 22 of 2016 wef 01/10/2016]
“advisory committee” means an advisory committee appointed under section 7;
“Appeal Committee” means a Data Protection Appeal Committee constituted under section 48P(4), read with the Seventh Schedule;
[Act 40 of 2020 wef 01/02/2021]
“Appeal Panel” means the Data Protection Appeal Panel established by section 48P(1);
[Act 40 of 2020 wef 01/02/2021]
“appointed day” means the date of commencement of Parts III to VI;
“authorised officer”, in relation to the exercise of any power or performance of any function or duty under any provision of this Act, means a person to whom the exercise of that power or performance of that function or duty under that provision has been delegated under section 38 of the Info-communications Media Development Authority Act 2016;
[Act 22 of 2016 wef 01/10/2016]
“Authority” means the Info-communications Media Development Authority established by section 3 of the Info-communications Media Development Authority Act 2016;
[Act 22 of 2016 wef 01/10/2016]
“benefit plan” means an insurance policy, a pension plan, an annuity, a provident fund plan or other similar plan;
“business” includes the activity of any organisation, whether or not carried on for purposes of gain, or conducted on a regular, repetitive or continuous basis, but does not include an individual acting in his personal or domestic capacity;
“business contact information” means an individual’s name, position name or title, business telephone number, business address, business electronic mail address or business fax number and any other similar information about the individual, not provided by the individual solely for his personal purposes;
[Deleted by Act 22 of 2016 wef 01/10/2016]
“Chief Executive”, in relation to the Authority, means the Chief Executive of the Authority appointed under section 40(2) of the Info-communications Media Development Authority Act 2016, and includes any individual acting in that capacity;
[Act 22 of 2016 wef 01/10/2016]
“Commission” means the person designated as the Personal Data Protection Commission under section 5 to be responsible for the administration of this Act;
[Act 22 of 2016 wef 01/10/2016]
“Commissioner” means the Commissioner for Personal Data Protection appointed under section 8(1)(a), and includes any Deputy Commissioner for Personal Data Protection or Assistant Commissioner for Personal Data Protection appointed under section 8(1)(b);
[Act 22 of 2016 wef 01/10/2016]
“credit bureau” means an organisation which —
(a)provides credit reports for gain or profit; or
(b)provides credit reports on a routine, non-profit basis as an ancillary part of a business carried on for gain or profit;
“credit report” means a communication, whether in written, oral or other form, provided to an organisation to assess the creditworthiness of an individual in relation to a transaction between the organisation and the individual;
“data intermediary” means an organisation which processes personal data on behalf of another organisation but does not include an employee of that other organisation;
“derived personal data”  —
(a)means personal data about an individual that is derived by an organisation in the course of business from other personal data, about the individual or another individual, in the possession or under the control of the organisation; but
(b)does not include personal data derived by the organisation using any prescribed means or method;
[Act 40 of 2020 wef 01/02/2021]
“document” includes information recorded in any form;
“domestic” means related to home or family;
“education institution” means any organisation that provides education, including instruction, training or teaching, whether by itself or in association or collaboration with or by affiliation with any other person;
“employee” includes a volunteer;
“employment” includes working under an unpaid volunteer work relationship;
“evaluative purpose” means —
(a)for the purpose of determining the suitability, eligibility or qualifications of the individual to whom the data relates —
(i)for employment or for appointment to office;
(ii)for promotion in employment or office or for continuance in employment or office;
(iii)for removal from employment or office;
(iv)for admission to an education institution;
(v)for the awarding of contracts, awards, bursaries, scholarships, honours or other similar benefits;
(vi)for selection for an athletic or artistic purpose; or
(vii)for grant of financial or social assistance, or the delivery of appropriate health services, under any scheme administered by a public agency;
(b)for the purpose of determining whether any contract, award, bursary, scholarship, honour or other similar benefit should be continued, modified or cancelled;
(c)for the purpose of deciding whether to insure any individual or property or to continue or renew the insurance of any individual or property; or
(d)for such other similar purposes as may be prescribed by the Minister;
“individual” means a natural person, whether living or deceased;
“inspector” means an individual appointed as an inspector under section 8(1)(b);
[Act 22 of 2016 wef 01/10/2016]
“investigation” means an investigation relating to —
(a)a breach of an agreement;
(b)a contravention of any written law, or any rule of professional conduct or other requirement imposed by any regulatory authority in exercise of its powers under any written law; or
(c)a circumstance or conduct that may result in a remedy or relief being available under any law;
“national interest” includes national defence, national security, public security, the maintenance of essential services and the conduct of international affairs;
“organisation” includes any individual, company, association or body of persons, corporate or unincorporated, whether or not —
(a)formed or recognised under the law of Singapore; or
(b)resident, or having an office or a place of business, in Singapore;
“personal data” means data, whether true or not, about an individual who can be identified —
(a)from that data; or
(b)from that data and other information to which the organisation has or is likely to have access;
“prescribed healthcare body” means a healthcare body, prescribed for the purposes of the Second Schedule by the Minister charged with the responsibility for health;
[Act 40 of 2020 wef 01/02/2021]
“prescribed law enforcement agency” means an authority charged with the duty of investigating offences or charging offenders under written law, prescribed for the purposes of sections 21(4) and 26D(6) and the Second Schedule by the Minister charged with the responsibility for that authority;
[Act 40 of 2020 wef 01/02/2021]
“private trust” means a trust for the benefit of one or more designated individuals who are friends, or members of the family, of the settlor;
“proceedings” means any civil, criminal or administrative proceedings by or before a court, tribunal or regulatory authority that is related to the allegation of —
(a)a breach of an agreement;
(b)a contravention of any written law or any rule of professional conduct or other requirement imposed by any regulatory authority in exercise of its powers under any written law; or
(c)a wrong or a breach of a duty for which a remedy is claimed under any law;
“processing”, in relation to personal data, means the carrying out of any operation or set of operations in relation to the personal data, and includes any of the following:
(a)recording;
(b)holding;
(c)organisation, adaptation or alteration;
(d)retrieval;
(e)combination;
(f)transmission;
(g)erasure or destruction;
“public agency” includes —
(a)the Government, including any ministry, department, agency, or organ of State;
(b)any tribunal appointed under any written law; or
(c)any statutory body specified under subsection (2);
“publicly available”, in relation to personal data about an individual, means personal data that is generally available to the public, and includes personal data which can be observed by reasonably expected means at a location or an event —
(a)at which the individual appears; and
(b)that is open to the public;
“relevant body” means the Commission, the Appeal Panel or any Appeal Committee;
[Act 22 of 2016 wef 01/10/2016]
“tribunal” includes a judicial or quasi-judicial body or a disciplinary, an arbitral or a mediatory body;
[Act 40 of 2020 wef 01/02/2021]
“user activity data”, in relation to an organisation, means personal data about an individual that is created in the course or as a result of the individual’s use of any product or service provided by the organisation;
[Act 40 of 2020 wef 01/02/2021]
“user-provided data”, in relation to an organisation, means personal data provided by an individual to the organisation.
[Act 40 of 2020 wef 01/02/2021]
(2)  The Minister may, by notification in the Gazette, specify any statutory body established under a public Act for a public function to be a public agency for the purposes of this Act.
Purpose
3.  The purpose of this Act is to govern the collection, use and disclosure of personal data by organisations in a manner that recognises both the right of individuals to protect their personal data and the need of organisations to collect, use or disclose personal data for purposes that a reasonable person would consider appropriate in the circumstances.
Application of Act
4.—(1)  Parts III, IV, V, VI, VIA and VIB shall not impose any obligation on —
(a)any individual acting in a personal or domestic capacity;
(b)any employee acting in the course of his employment with an organisation;
(c)any public agency; or
[Act 40 of 2020 wef 01/02/2021]
(d)any other organisations or personal data, or classes of organisations or personal data, prescribed for the purposes of this provision.
[Act 40 of 2020 wef 01/02/2021]
(2)  Parts III, IV, V, VI (except sections 24 and 25), VIA (except sections 26C(3)(a) and 26E) and VIB shall not impose any obligation on a data intermediary in respect of its processing of personal data on behalf of and for the purposes of another organisation pursuant to a contract which is evidenced or made in writing.
[Act 40 of 2020 wef 01/02/2021]
(3)  An organisation shall have the same obligation under this Act in respect of personal data processed on its behalf and for its purposes by a data intermediary as if the personal data were processed by the organisation itself.
(4)  This Act shall not apply in respect of —
(a)personal data about an individual that is contained in a record that has been in existence for at least 100 years; or
(b)personal data about a deceased individual, except that the provisions relating to the disclosure of personal data and section 24 (protection of personal data) shall apply in respect of personal data about an individual who has been dead for 10 years or fewer.
(5)  Except where business contact information is expressly referred to, Parts III, IV, V, VI and VIA shall not apply to business contact information.
[Act 40 of 2020 wef 01/02/2021]
(6)  Unless otherwise expressly provided in this Act —
(a)nothing in Parts III, IV, V, VI, VIA and VIB shall affect any authority, right, privilege or immunity conferred, or obligation or limitation imposed, by or under the law, including legal privilege, except that the performance of a contractual obligation shall not be an excuse for contravening this Act; and
[Act 40 of 2020 wef 01/02/2021]
(b)the provisions of other written law shall prevail to the extent that any provision of Parts III, IV, V, VI, VIA and VIB is inconsistent with the provisions of that other written law.
[Act 40 of 2020 wef 01/02/2021]