Consent required
13.  An organisation must not, on or after 2 July 2014, collect, use or disclose personal data about an individual unless —
(a)the individual gives, or is deemed to have given, his or her consent under this Act to the collection, use or disclosure, as the case may be; or
(b)the collection, use or disclosure (as the case may be) without the individual’s consent is required or authorised under this Act or any other written law.
Provision of consent
14.—(1)  An individual has not given consent under this Act for the collection, use or disclosure of personal data about the individual by an organisation for a purpose unless —
(a)the individual has been provided with the information required under section 20; and
(b)the individual provided his or her consent for that purpose in accordance with this Act.
(2)  An organisation must not —
(a)as a condition of providing a product or service, require an individual to consent to the collection, use or disclosure of personal data about the individual beyond what is reasonable to provide the product or service to that individual; or
(b)obtain or attempt to obtain consent for collecting, using or disclosing personal data by providing false or misleading information with respect to the collection, use or disclosure of the personal data, or using deceptive or misleading practices.
(3)  Any consent given in any of the circumstances in subsection (2) is not validly given for the purposes of this Act.
(4)  In this Act, references to consent given, or deemed to have been given, by an individual for the collection, use or disclosure of personal data about the individual include consent given, or deemed to have been given, by any person validly acting on that individual’s behalf for the collection, use or disclosure of such personal data.
Deemed consent
15.—(1)  An individual is deemed to consent to the collection, use or disclosure of personal data about the individual by an organisation for a purpose if —
(a)the individual, without actually giving consent mentioned in section 14, voluntarily provides the personal data to the organisation for that purpose; and
(b)it is reasonable that the individual would voluntarily provide the data.
(2)  If an individual gives, or is deemed to have given, consent to the disclosure of personal data about the individual by one organisation to another organisation for a particular purpose, the individual is deemed to consent to the collection, use or disclosure of the personal data for that particular purpose by that other organisation.
(3)  Without limiting subsection (2) and subject to subsection (9), an individual (P) who provides personal data to an organisation (A) with a view to P entering into a contract with A is deemed to consent to the following where reasonably necessary for the conclusion of the contract between P and A:
(a)the disclosure of that personal data by A to another organisation (B);
(b)the collection and use of that personal data by B;
(c)the disclosure of that personal data by B to another organisation.
[40/2020]
(4)  Where an organisation collects personal data disclosed to it by B under subsection (3)(c), subsection (3)(b) and (c) applies to the organisation as if the personal data were disclosed by A to the organisation under subsection (3)(a).
[40/2020]
(5)  Subsections (3) and (4) apply to personal data provided before 1 February 2021 by an individual to an organisation with a view to the individual entering into a contract with the organisation —
(a)on or after 1 February 2021; or
(b)which contract was entered into before 1 February 2021 and remains in force on that date,
as if subsections (3) and (4) —
(c)were in force when the personal data was so provided; and
(d)had continued in force until 1 February 2021.
[40/2020]
(6)  Without limiting subsection (2) and subject to subsection (9), an individual (P) who enters into a contract with an organisation (A) and provides personal data to A pursuant or in relation to that contract is deemed to consent to the following:
(a)the disclosure of that personal data by A to another organisation (B), where the disclosure is reasonably necessary —
(i)for the performance of the contract between P and A; or
(ii)for the conclusion or performance of a contract between A and B which is entered into at P’s request, or which a reasonable person would consider to be in P’s interest;
(b)the collection and use of that personal data by B, where the collection and use are reasonably necessary for any purpose mentioned in paragraph (a);
(c)the disclosure of that personal data by B to another organisation, where the disclosure is reasonably necessary for any purpose mentioned in paragraph (a).
[40/2020]
(7)  Where an organisation collects personal data disclosed to it by B under subsection (6)(c), subsection (6)(b) and (c) applies to the organisation as if the personal data were disclosed by A to the organisation under subsection (6)(a).
[40/2020]
(8)  Subsections (6) and (7) apply to personal data provided before 1 February 2021 by an individual to an organisation in relation to a contract that the individual entered into before that date with the organisation, and which remains in force on that date, as if subsections (6) and (7) —
(a)were in force when the personal data was so provided; and
(b)had continued in force until 1 February 2021.
[40/2020]
(9)  Subsections (3), (4), (5), (6), (7) and (8) do not affect any obligation under the contract between P and A that specifies or restricts —
(a)the personal data provided by P that A may disclose to another organisation; or
(b)the purposes for which A may disclose the personal data provided by P to another organisation.
[40/2020]
Withdrawal of consent
16.—(1)  On giving reasonable notice to the organisation, an individual may at any time withdraw any consent given, or deemed to have been given under this Act, in respect of the collection, use or disclosure by that organisation of personal data about the individual for any purpose.
(2)  On receipt of the notice mentioned in subsection (1), the organisation concerned must inform the individual of the likely consequences of withdrawing his or her consent.
(3)  An organisation must not prohibit an individual from withdrawing his or her consent to the collection, use or disclosure of personal data about the individual, but this section does not affect any legal consequences arising from such withdrawal.
(4)  Subject to section 25, if an individual withdraws consent to the collection, use or disclosure of personal data about the individual by an organisation for any purpose, the organisation must cease (and cause its data intermediaries and agents to cease) collecting, using or disclosing the personal data (as the case may be) unless such collection, use or disclosure (as the case may be) without the individual’s consent is required or authorised under this Act or other written law.
Collection, use and disclosure without consent
17.—(1)  An organisation may —
(a)collect personal data about an individual, without the individual’s consent or from a source other than the individual, in the circumstances or for the purposes, and subject to any condition, in the First Schedule or Part 1 of the Second Schedule;
(b)use personal data about an individual without the individual’s consent, in the circumstances or for the purposes, and subject to any condition, in the First Schedule or Part 2 of the Second Schedule; or
(c)disclose personal data about an individual without the individual’s consent, in the circumstances or for the purposes, and subject to any condition, in the First Schedule or Part 3 of the Second Schedule.
[40/2020]
(2)  Unless otherwise provided under this Act, an organisation may —
(a)collect personal data about an individual that the organisation receives by way of a disclosure to the organisation —
(i)on or after 1 February 2021 in accordance with subsection (1)(c); or
(ii)before 1 February 2021 in accordance with section 17(3) as in force before that date,
for purposes consistent with the purpose of that disclosure, or for any purpose permitted by subsection (1)(a); or
(b)use or disclose personal data about an individual that —
(i)is collected by the organisation on or after 1 February 2021 in accordance with subsection (1)(a); or
(ii)was collected by the organisation before 1 February 2021 in accordance with section 17(1) as in force before that date,
for purposes consistent with the purpose of that collection, or for any purpose permitted by subsection (1)(b) or (c), as the case may be.
[40/2020]
Singapore Statutes Online
© 2024 Attorney-General's Chambers of Singapore,
Last updated 28 Jul 2024
Singapore Statutes Online is provided by the Legislation Division of the Attorney-General's Chambers of Singapore.