Personal Data Protection
Act 2012
2020 REVISED EDITION
This revised edition incorporates all amendments up to and including 1 December 2021 and comes into operation on 31 December 2021
An Act to govern the collection, use and disclosure of personal data by organisations, and to establish the Do Not Call Register and to provide for its administration, and for matters connected therewith.
[22/2016]
[2 January 2013: Parts I, II, VIII, IX (except sections 36 to 38, 41 and 43 to 48) and X (except section 67(1)), and the First, Seventh and Ninth Schedules ;
2 December 2013: Sections 36, 37, 38 and 41 ;
2 January 2014: Sections 43 to 48 and 67(1) and the Eighth Schedule ;
2 July 2014: Parts III to VII, and the Second to Sixth Schedules ]
PART 1
PRELIMINARY
Short title
1.  This Act is the Personal Data Protection Act 2012.
Interpretation
2.—(1)  In this Act, unless the context otherwise requires —
“advisory committee” means an advisory committee appointed under section 7;
“Appeal Committee” means a Data Protection Appeal Committee constituted under section 48P(4), read with the Seventh Schedule;
“Appeal Panel” means the Data Protection Appeal Panel established by section 48P(1);
“authorised officer”, in relation to the exercise of any power or performance of any function or duty under any provision of this Act, means a person to whom the exercise of that power or performance of that function or duty under that provision has been delegated under section 38 of the Info‑communications Media Development Authority Act 2016;
“Authority” means the Info‑communications Media Development Authority established by section 3 of the Info‑communications Media Development Authority Act 2016;
“benefit plan” means an insurance policy, a pension plan, an annuity, a provident fund plan or other similar plan;
“business” includes the activity of any organisation, whether or not carried on for purposes of gain, or conducted on a regular, repetitive or continuous basis, but does not include an individual acting in his or her personal or domestic capacity;
“business contact information” means an individual’s name, position name or title, business telephone number, business address, business electronic mail address or business fax number and any other similar information about the individual, not provided by the individual solely for his or her personal purposes;
“Chief Executive”, in relation to the Authority, means the Chief Executive of the Authority appointed under section 40(2) of the Info‑communications Media Development Authority Act 2016, and includes any individual acting in that capacity;
“Commission” means the person designated as the Personal Data Protection Commission under section 5 to be responsible for the administration of this Act;
“Commissioner” means the Commissioner for Personal Data Protection appointed under section 8(1)(a), and includes any Deputy Commissioner for Personal Data Protection or Assistant Commissioner for Personal Data Protection appointed under section 8(1)(b);
“credit bureau” means an organisation which —
(a)provides credit reports for gain or profit; or
(b)provides credit reports on a routine, non‑profit basis as an ancillary part of a business carried on for gain or profit;
“credit report” means a communication, whether in written, oral or other form, provided to an organisation to assess the creditworthiness of an individual in relation to a transaction between the organisation and the individual;
“data intermediary” means an organisation which processes personal data on behalf of another organisation but does not include an employee of that other organisation;
“derived personal data”  —
(a)means personal data about an individual that is derived by an organisation in the course of business from other personal data, about the individual or another individual, in the possession or under the control of the organisation; but
(b)does not include personal data derived by the organisation using any prescribed means or method;
“document” includes information recorded in any form;
“domestic” means related to home or family;
“education institution” means an organisation that provides education, including instruction, training or teaching, whether by itself or in association or collaboration with, or by affiliation with, any other person;
“employee” includes a volunteer;
“employment” includes working under an unpaid volunteer work relationship;
“evaluative purpose” means —
(a)the purpose of determining the suitability, eligibility or qualifications of the individual to whom the data relates —
(i)for employment or for appointment to office;
(ii)for promotion in employment or office or for continuance in employment or office;
(iii)for removal from employment or office;
(iv)for admission to an education institution;
(v)for the awarding of contracts, awards, bursaries, scholarships, honours or other similar benefits;
(vi)for selection for an athletic or artistic purpose; or
(vii)for grant of financial or social assistance, or the delivery of appropriate health services, under any scheme administered by a public agency;
(b)the purpose of determining whether any contract, award, bursary, scholarship, honour or other similar benefit should be continued, modified or cancelled;
(c)the purpose of deciding whether to insure any individual or property or to continue or renew the insurance of any individual or property; or
(d)such other similar purposes as the Minister may prescribe;
“individual” means a natural person, whether living or deceased;
“inspector” means an individual appointed as an inspector under section 8(1)(b);
“investigation” means an investigation relating to —
(a)a breach of an agreement;
(b)a contravention of any written law, or any rule of professional conduct or other requirement imposed by any regulatory authority in exercise of its powers under any written law; or
(c)a circumstance or conduct that may result in a remedy or relief being available under any law;
“national interest” includes national defence, national security, public security, the maintenance of essential services and the conduct of international affairs;
“organisation” includes any individual, company, association or body of persons, corporate or unincorporated, whether or not —
(a)formed or recognised under the law of Singapore; or
(b)resident, or having an office or a place of business, in Singapore;
“personal data” means data, whether true or not, about an individual who can be identified —
(a)from that data; or
(b)from that data and other information to which the organisation has or is likely to have access;
“prescribed healthcare body” means a healthcare body prescribed for the purposes of the Second Schedule by the Minister charged with the responsibility for health;
“prescribed law enforcement agency” means an authority charged with the duty of investigating offences or charging offenders under written law, prescribed for the purposes of sections 21(4) and 26D(6) and the Second Schedule by the Minister charged with the responsibility for that authority;
“private trust” means a trust for the benefit of one or more designated individuals who are the settlor’s friends or family members;
“proceedings” means any civil, criminal or administrative proceedings by or before a court, tribunal or regulatory authority that is related to the allegation of —
(a)a breach of an agreement;
(b)a contravention of any written law or any rule of professional conduct or other requirement imposed by any regulatory authority in exercise of its powers under any written law; or
(c)a wrong or a breach of a duty for which a remedy is claimed under any law;
“processing”, in relation to personal data, means the carrying out of any operation or set of operations in relation to the personal data, and includes any of the following:
(a)recording;
(b)holding;
(c)organisation, adaptation or alteration;
(d)retrieval;
(e)combination;
(f)transmission;
(g)erasure or destruction;
“public agency” includes —
(a)the Government, including any ministry, department, agency, or organ of State;
(b)any tribunal appointed under any written law; or
(c)any statutory body specified under subsection (2);
“publicly available”, in relation to personal data about an individual, means personal data that is generally available to the public, and includes personal data which can be observed by reasonably expected means at a location or an event —
(a)at which the individual appears; and
(b)that is open to the public;
“relevant body” means the Commission, the Appeal Panel or any Appeal Committee;
“tribunal” includes a judicial or quasi‑judicial body or a disciplinary, an arbitral or a mediatory body;
“user activity data”, in relation to an organisation, means personal data about an individual that is created in the course or as a result of the individual’s use of any product or service provided by the organisation;
“user‑provided data”, in relation to an organisation, means personal data provided by an individual to the organisation.
[22/2016; 40/2020]
(2)  The Minister may, by notification in the Gazette, specify any statutory body established under a public Act for a public function to be a public agency for the purposes of this Act.
Purpose
3.  The purpose of this Act is to govern the collection, use and disclosure of personal data by organisations in a manner that recognises both the right of individuals to protect their personal data and the need of organisations to collect, use or disclose personal data for purposes that a reasonable person would consider appropriate in the circumstances.
Application of Act
4.—(1)  Parts 3, 4, 5, 6, 6A and 6B do not impose any obligation on —
(a)any individual acting in a personal or domestic capacity;
(b)any employee acting in the course of his or her employment with an organisation;
(c)any public agency; or
(d)any other organisations or personal data, or classes of organisations or personal data, prescribed for the purposes of this provision.
[40/2020]
(2)  Parts 3, 4, 5, 6 (except sections 24 and 25), 6A (except sections 26C(3)(a) and 26E) and 6B do not impose any obligation on a data intermediary in respect of its processing of personal data on behalf of and for the purposes of another organisation pursuant to a contract which is evidenced or made in writing.
[40/2020]
(3)  An organisation has the same obligation under this Act in respect of personal data processed on its behalf and for its purposes by a data intermediary as if the personal data were processed by the organisation itself.
(4)  This Act does not apply in respect of —
(a)personal data about an individual that is contained in a record that has been in existence for at least 100 years; or
(b)personal data about a deceased individual, except that the provisions relating to the disclosure of personal data and section 24 (protection of personal data) apply in respect of personal data about an individual who has been dead for 10 years or less.
(5)  Except where business contact information is expressly mentioned, Parts 3, 4, 5, 6 and 6A do not apply to business contact information.
[40/2020]
(6)  Unless otherwise expressly provided in this Act —
(a)nothing in Parts 3, 4, 5, 6, 6A and 6B affects any authority, right, privilege or immunity conferred, or obligation or limitation imposed, by or under the law, including legal privilege, except that the performance of a contractual obligation is not an excuse for contravening this Act; and
(b)the provisions of other written law prevail to the extent that any provision of Parts 3, 4, 5, 6, 6A and 6B is inconsistent with the provisions of that other written law.
[40/2020]