REPUBLIC OF SINGAPORE
GOVERNMENT GAZETTE
ACTS SUPPLEMENT
Published by Authority

NO. 41]Friday, December 11 [2020

The following Act was passed by Parliament on 2 November 2020 and assented to by the President on 25 November 2020:—
Personal Data Protection
(Amendment) Act 2020

(No. 40 of 2020)


I assent.

HALIMAH YACOB,
President.
25 November 2020.
Date of Commencement: 1 February 2021 Sections 2 to 13, 15 to 23, 25 to 38, 40, 41, 43 and 46
An Act to amend the Personal Data Protection Act 2012 (Act 26 of 2012) and to make consequential and related amendments to certain other Acts.
Be it enacted by the President with the advice and consent of the Parliament of Singapore, as follows:
Short title and commencement
1.  This Act is the Personal Data Protection (Amendment) Act 2020 and comes into operation on a date that the Minister appoints by notification in the Gazette.
Amendment of section 2
2.  Section 2(1) of the Personal Data Protection Act 2012 (called in this Act the principal Act) is amended —
(a)by deleting the definitions of “Appeal Committee” and “Appeal Panel” and substituting the following definitions:
“ “Appeal Committee” means a Data Protection Appeal Committee constituted under section 48P(4), read with the Seventh Schedule;
“Appeal Panel” means the Data Protection Appeal Panel established by section 48P(1);”;
(b)by inserting, immediately after the definition of “data intermediary”, the following definition:
“ “derived personal data”  —
(a)means personal data about an individual that is derived by an organisation in the course of business from other personal data, about the individual or another individual, in the possession or under the control of the organisation; but
(b)does not include personal data derived by the organisation using any prescribed means or method;”;
(c)by deleting the words “Fourth Schedule” in the definition of “prescribed healthcare body” and substituting the words “Second Schedule”;
(d)by deleting the words “section 21(4) and the Fourth Schedule” in the definition of “prescribed law enforcement agency” and substituting the words “sections 21(4) and 26D(6) and the Second Schedule”; and
(e)by deleting the full‑stop at the end of the definition of “tribunal” and substituting a semi‑colon, and by inserting immediately thereafter the following definitions:
“ “user activity data”, in relation to an organisation, means personal data about an individual that is created in the course or as a result of the individual’s use of any product or service provided by the organisation;
“user‑provided data”, in relation to an organisation, means personal data provided by an individual to the organisation.”.
Amendment of section 4
3.  Section 4 of the principal Act is amended —
(a)by deleting the words “Parts III to VI” in subsections (1) and (6)(a) and (b) and substituting in each case the words “Parts III, IV, V, VI, VIA and VIB”;
(b)by deleting paragraph (c) of subsection (1) and substituting the following paragraph:
(c)any public agency; or”;
(c)by deleting the words “Parts III to VI (except for section 24 (protection of personal data) and section 25 (retention of personal data))” in subsection (2) and substituting the words “Parts III, IV, V, VI (except sections 24 and 25), VIA (except sections 26C(3)(a) and 26E) and VIB”; and
(d)by deleting the words “Parts III to VI” in subsection (5) and substituting the words “Parts III, IV, V, VI and VIA”.
Amendment of heading to Part III
4.  Part III of the principal Act is amended by inserting, immediately after the words “PROTECTION OF” in the Part heading, the words “AND ACCOUNTABILITY FOR”.
Amendment of section 11
5.  Section 11 of the principal Act is amended by inserting, immediately after subsection (5), the following subsection:
(5A)  Without limiting subsection (5), an organisation is deemed to have satisfied that subsection if the organisation makes available the business contact information of any individual mentioned in subsection (3) in any prescribed manner.”.
Amendment of section 15
6.  Section 15 of the principal Act is amended by inserting, immediately after subsection (2), the following subsections:
(3)  Without limiting subsection (2) and subject to subsection (9), an individual (P) who provides personal data to an organisation (A) with a view to P entering into a contract with A is deemed to consent to the following where reasonably necessary for the conclusion of the contract between P and A:
(a)the disclosure of that personal data by A to another organisation (B);
(b)the collection and use of that personal data by B;
(c)the disclosure of that personal data by B to another organisation.
(4)  Where an organisation collects personal data disclosed to it by B under subsection (3)(c), subsection (3)(b) and (c) applies to the organisation as if the personal data were disclosed by A to the organisation under subsection (3)(a).
(5)  Subsections (3) and (4) apply to personal data provided before the applicable date by an individual to an organisation with a view to the individual entering into a contract with the organisation —
(a)on or after the applicable date; or
(b)which contract was entered into before the applicable date and remains in force on that date,
as if subsections (3) and (4) —
(c)were in force when the personal data was so provided; and
(d)had continued in force until the applicable date.
(6)  Without limiting subsection (2) and subject to subsection (9), an individual (P) who enters into a contract with an organisation (A) and provides personal data to A pursuant or in relation to that contract is deemed to consent to the following:
(a)the disclosure of that personal data by A to another organisation (B), where the disclosure is reasonably necessary —
(i)for the performance of the contract between P and A; or
(ii)for the conclusion or performance of a contract between A and B which is entered into at P’s request, or which a reasonable person would consider to be in P’s interest;
(b)the collection and use of that personal data by B, where the collection and use are reasonably necessary for any purpose mentioned in paragraph (a);
(c)the disclosure of that personal data by B to another organisation, where the disclosure is reasonably necessary for any purpose mentioned in paragraph (a).
(7)  Where an organisation collects personal data disclosed to it by B under subsection (6)(c), subsection (6)(b) and (c) applies to the organisation as if the personal data were disclosed by A to the organisation under subsection (6)(a).
(8)  Subsections (6) and (7) apply to personal data provided before the applicable date by an individual to an organisation in relation to a contract that the individual entered into before that date with the organisation, and which remains in force on that date, as if subsections (6) and (7) —
(a)were in force when the personal data was so provided; and
(b)had continued in force until the applicable date.
(9)  Subsections (3), (4), (5), (6), (7) and (8) do not affect any obligation under the contract between P and A that specifies or restricts —
(a)the personal data provided by P that A may disclose to another organisation; or
(b)the purposes for which A may disclose the personal data provided by P to another organisation.
(10)  In this section, “applicable date” means the date of commencement of section 6 of the Personal Data Protection (Amendment) Act 2020.”.
New section 15A
7.  The principal Act is amended by inserting, immediately after section 15, the following section:
Deemed consent by notification
15A.—(1)  This section applies to the collection, use or disclosure of personal data about an individual by an organisation on or after the date of commencement of section 7 of the Personal Data Protection (Amendment) Act 2020.
(2)  Subject to subsection (3), an individual is deemed to consent to the collection, use or disclosure of personal data about the individual by an organisation if —
(a)the organisation satisfies the requirements in subsection (4); and
(b)the individual does not notify the organisation, before the expiry of the period mentioned in subsection (4)(b)(iii), that the individual does not consent to the proposed collection, use or disclosure of the personal data by the organisation.
(3)  Subsection (2) does not apply to the collection, use or disclosure of personal data about the individual for any prescribed purpose.
(4)  For the purposes of subsection (2)(a), the organisation must, before collecting, using or disclosing any personal data about the individual —
(a)conduct an assessment to determine that the proposed collection, use or disclosure of the personal data is not likely to have an adverse effect on the individual;
(b)take reasonable steps to bring the following information to the attention of the individual:
(i)the organisation’s intention to collect, use or disclose the personal data;
(ii)the purpose for which the personal data will be collected, used or disclosed;
(iii)a reasonable period within which, and a reasonable manner by which, the individual may notify the organisation that the individual does not consent to the organisation’s proposed collection, use or disclosure of the personal data; and
(c)satisfy any other prescribed requirements.
(5)  The organisation must, in respect of the assessment mentioned in subsection (4)(a) —
(a)identify any adverse effect that the proposed collection, use or disclosure of the personal data for the purpose concerned is likely to have on the individual;
(b)identify and implement reasonable measures to —
(i)eliminate the adverse effect;
(ii)reduce the likelihood that the adverse effect will occur; or
(iii)mitigate the adverse effect; and
(c)comply with any other prescribed requirements.”.
Repeal and re-enactment of section 17
8.  Section 17 of the principal Act is repealed and the following section substituted therefor:
Collection, use and disclosure without consent
17.—(1)  An organisation may —
(a)collect personal data about an individual, without the consent of the individual or from a source other than the individual, in the circumstances or for the purposes, and subject to any condition, in the First Schedule or Part 1 of the Second Schedule;
(b)use personal data about an individual without the consent of the individual, in the circumstances or for the purposes, and subject to any condition, in the First Schedule or Part 2 of the Second Schedule; or
(c)disclose personal data about an individual without the consent of the individual, in the circumstances or for the purposes, and subject to any condition, in the First Schedule or Part 3 of the Second Schedule.
(2)  Unless otherwise provided under this Act, an organisation may —
(a)collect personal data about an individual that the organisation receives by way of a disclosure to the organisation —
(i)on or after the specified date in accordance with subsection (1)(c); or
(ii)before the specified date in accordance with section 17(3) as in force before the specified date,
for purposes consistent with the purpose of that disclosure, or for any purpose permitted by subsection (1)(a); or
(b)use or disclose personal data about an individual that —
(i)is collected by the organisation on or after the specified date in accordance with subsection (1)(a); or
(ii)was collected by the organisation before the specified date in accordance with section 17(1) as in force before the specified date,
for purposes consistent with the purpose of that collection, or for any purpose permitted by subsection (1)(b) or (c), as the case may be.
(3)  In this section, “specified date” means the date of commencement of sections 8, 31 and 32 of the Personal Data Protection (Amendment) Act 2020.”.
Amendment of section 20
9.  Section 20 of the principal Act is amended —
(a)by inserting, immediately after the words “section 15” in subsection (3)(a), the words “or 15A”; and
(b)by deleting subsection (4) and substituting the following subsections:
(4)  Despite subsection (3), an organisation must comply with subsection (5) on or before collecting, using or disclosing personal data about an individual for the purpose of or in relation to the organisation —
(a)entering into an employment relationship with the individual or appointing the individual to any office; or
(b)managing or terminating the employment relationship with or appointment of the individual.
(5)  For the purposes of subsection (4), the organisation must inform the individual of the following:
(a)the purpose for which the organisation is collecting, using or disclosing (as the case may be) the personal data about the individual;
(b)on request by the individual, the business contact information of a person who is able to answer the individual’s questions about that collection, use or disclosure (as the case may be) on behalf of the organisation.”.
Amendment of section 21
10.  Section 21 of the principal Act is amended —
(a)by deleting the words “An organisation” in subsection (3) and substituting the words “Subject to subsection (3A), an organisation”;
(b)by inserting, immediately after subsection (3), the following subsection:
(3A)  Subsection (3)(c) and (d) does not apply to any user activity data about, or any user‑provided data from, the individual who made the request despite such data containing personal data about another individual.”;
(c)by deleting subsection (4) and substituting the following subsection:
(4)  An organisation must not inform any individual under subsection (1)(b) that the organisation has disclosed personal data about the individual to a prescribed law enforcement agency if the disclosure was made under this Act or any other written law without the consent of the individual.”; and
(d)by inserting, immediately after subsection (5), the following subsections:
(6)  Where —
(a)an individual makes a request under subsection (1) to an organisation on or after the date of commencement of section 10 of the Personal Data Protection (Amendment) Act 2020; and
(b)the organisation, by reason of subsection (2) or (3), does not provide an individual with the individual’s personal data or other information requested under subsection (1),
the organisation must, within the prescribed time and in accordance with the prescribed requirements, notify the individual of the rejection.
(7)  Where —
(a)an individual makes a request under subsection (1) to an organisation on or after the date of commencement of section 10 of the Personal Data Protection (Amendment) Act 2020; and
(b)the organisation provides the individual, in accordance with subsection (5), with the individual’s personal data or other information requested under subsection (1),
the organisation must notify the individual of the exclusion, under subsection (2) or (3), of any of the personal data or other information so requested.”.
New section 22A
11.  Part V of the principal Act is amended by inserting, immediately after section 22, the following section:
Preservation of copies of personal data
22A.—(1)  Where —
(a)an individual, on or after the date of commencement of section 11 of the Personal Data Protection (Amendment) Act 2020, makes a request under section 21(1)(a) to an organisation to provide personal data about the individual that is in the possession or under the control of the organisation; and
(b)the organisation refuses to provide that personal data,
the organisation must preserve, for not less than the prescribed period, a copy of the personal data concerned.
(2)  The organisation must ensure that the copy of the personal data it preserves for the purposes of subsection (1) is a complete and accurate copy of the personal data concerned.”.
Repeal and re-enactment of section 24
12.  Section 24 of the principal Act is repealed and the following section substituted therefor:
Protection of personal data
24.  An organisation must protect personal data in its possession or under its control by making reasonable security arrangements to prevent —
(a)unauthorised access, collection, use, disclosure, copying, modification or disposal, or similar risks; and
(b)the loss of any storage medium or device on which personal data is stored.”.
New Part VIA
13.  The principal Act is amended by inserting, immediately after section 26, the following Part:
PART VIA
NOTIFICATION OF DATA BREACHES
Interpretation of this Part
26A.  In this Part, unless the context otherwise requires —
“affected individual” means any individual to whom any personal data affected by a data breach relates;
“data breach”, in relation to personal data, means —
(a)the unauthorised access, collection, use, disclosure, copying, modification or disposal of personal data; or
(b)the loss of any storage medium or device on which personal data is stored in circumstances where the unauthorised access, collection, use, disclosure, copying, modification or disposal of the personal data is likely to occur.
Notifiable data breaches
26B.—(1)  A data breach is a notifiable data breach if the data breach —
(a)results in, or is likely to result in, significant harm to an affected individual; or
(b)is, or is likely to be, of a significant scale.
(2)  Without limiting subsection (1)(a), a data breach is deemed to result in significant harm to an individual —
(a)if the data breach is in relation to any prescribed personal data or class of personal data relating to the individual; or
(b)in other prescribed circumstances.
(3)  Without limiting subsection (1)(b), a data breach is deemed to be of a significant scale —
(a)if the data breach affects not fewer than the prescribed number of affected individuals; or
(b)in other prescribed circumstances.
(4)  Despite subsections (1), (2) and (3), a data breach that relates to the unauthorised access, collection, use, disclosure, copying or modification of personal data only within an organisation is deemed not to be a notifiable data breach.
Duty to conduct assessment of data breach
26C.—(1)  This section applies to a data breach that occurs on or after the date of commencement of section 13 of the Personal Data Protection (Amendment) Act 2020.
(2)  Subject to subsection (3), where an organisation has reason to believe that a data breach affecting personal data in its possession or under its control has occurred, the organisation must conduct, in a reasonable and expeditious manner, an assessment of whether the data breach is a notifiable data breach.
(3)  Where a data intermediary (other than a data intermediary mentioned in section 26E) has reason to believe that a data breach has occurred in relation to personal data that the data intermediary is processing on behalf of and for the purposes of another organisation —
(a)the data intermediary must, without undue delay, notify that other organisation of the occurrence of the data breach; and
(b)that other organisation must, upon notification by the data intermediary, conduct an assessment of whether the data breach is a notifiable data breach.
(4)  The organisation must carry out the assessment mentioned in subsection (2) or (3)(b) in accordance with any prescribed requirements.
Duty to notify occurrence of notifiable data breach
26D.—(1)  Where an organisation assesses, in accordance with section 26C, that a data breach is a notifiable data breach, the organisation must notify the Commission as soon as is practicable, but in any case no later than 3 calendar days after the day the organisation makes that assessment.
(2)  Subject to subsections (5), (6) and (7), on or after notifying the Commission under subsection (1), the organisation must also notify each affected individual affected by a notifiable data breach mentioned in section 26B(1)(a) in any manner that is reasonable in the circumstances.
(3)  The notification under subsection (1) or (2) must contain, to the best of the knowledge and belief of the organisation at the time it notifies the Commission or affected individual (as the case may be), all the information that is prescribed for this purpose.
(4)  The notification under subsection (1) must be made in the form and submitted in the manner required by the Commission.
(5)  Subsection (2) does not apply to an organisation in relation to an affected individual if the organisation —
(a)on or after assessing that the data breach is a notifiable data breach, takes any action, in accordance with any prescribed requirements, that renders it unlikely that the notifiable data breach will result in significant harm to the affected individual; or
(b)had implemented, prior to the occurrence of the notifiable data breach, any technological measure that renders it unlikely that the notifiable data breach will result in significant harm to the affected individual.
(6)  An organisation must not notify any affected individual in accordance with subsection (2) if —
(a)a prescribed law enforcement agency so instructs; or
(b)the Commission so directs.
(7)  The Commission may, on the written application of an organisation, waive the requirement to notify an affected individual under subsection (2) subject to any conditions that the Commission thinks fit.
(8)  An organisation is not, by reason only of notifying the Commission under subsection (1) or an affected individual under subsection (2), to be regarded as being in breach of —
(a)any duty or obligation under any written law or rule of law, or any contract, as to secrecy or other restriction on the disclosure of information; or
(b)any rule of professional conduct applicable to the organisation.
(9)  Subsections (1) and (2) apply concurrently with any obligation of the organisation under any other written law to notify any other person (including any public agency) of the occurrence of a data breach, or to provide any information relating to a data breach.
Obligations of data intermediary of public agency
26E.  Where an organisation —
(a)is a data intermediary processing personal data on behalf of and for the purposes of a public agency; and
(b)has reason to believe that a data breach has occurred in relation to that personal data,
the organisation must, without undue delay, notify the public agency of the occurrence of the data breach.”.
New Part VIB
14.  The principal Act, as amended by section 13, is amended by inserting, immediately after section 26E, the following Part:
PART VIB
DATA PORTABILITY
Interpretation and application of this Part
26F.—(1)  In this Part, unless the context otherwise requires —
“applicable country” means a country or territory outside Singapore that is prescribed to be an applicable country;
“applicable data”, in relation to a porting organisation, means any personal data in the possession or under the control of the porting organisation that is, or belongs to a class of personal data that is, prescribed to be applicable data;
“data porting request” has the meaning given by section 26H(1);
“ongoing relationship” means a relationship, on an ongoing basis, between an individual and a porting organisation, arising from the carrying on or conduct of a business or an activity (whether commercial or otherwise) by the porting organisation;
“porting organisation” means an organisation that is, or belongs to a class of organisation that is, prescribed to be a porting organisation;
“receiving organisation” means an organisation that receives applicable data from a porting organisation, and that —
(a)is formed or recognised under the law of Singapore or an applicable country; or
(b)is resident, or has an office or a place of business, in Singapore or an applicable country.
(2)  This Part applies only to applicable data that —
(a)is in electronic form on the date the porting organisation receives a data porting request relating to the applicable data; and
(b)was collected or created by the porting organisation within the prescribed period before the date the porting organisation receives the data porting request relating to the applicable data.
(3)  For the purposes of subsection (2)(b), different periods may be prescribed for different applicable data or different porting organisations (which may include a period starting before the date of commencement of section 14 of the Personal Data Protection (Amendment) Act 2020).
(4)  This Part applies to applicable data that is the subject of a data porting request regardless of whether the applicable data is stored or processed in, or transmitted from, Singapore or a country or territory other than Singapore.
Purpose of this Part
26G.  The purpose of this Part is to —
(a)provide individuals with greater autonomy and control over their personal data; and
(b)facilitate the innovative and more intensive use of applicable data in the possession or under the control of organisations to support the development, enhancement and refinement of goods and services provided by other organisations located or operating in Singapore or elsewhere.
Porting of applicable data
26H.—(1)  An individual may give a porting organisation a request (called a data porting request) that the porting organisation transmits to a receiving organisation the applicable data about the individual specified in the data porting request.
(2)  Subject to subsections (3), (5) and (6), the porting organisation must, upon receiving the data porting request, transmit the applicable data specified in the data porting request to the receiving organisation in accordance with any prescribed requirements.
(3)  Subsection (2) applies only if both of the following are satisfied:
(a)the data porting request satisfies any prescribed requirements;
(b)the porting organisation, at the time it receives the data porting request, has an ongoing relationship with the individual.
(4)  For the purposes of subsection (3)(b), the porting organisation, in determining whether an ongoing relationship with the individual exists, must have regard to any matters prescribed.
(5)  A porting organisation is not required to transmit any applicable data about an individual under subsection (2) —
(a)that is specified as excluded applicable data in Part 1 of the Twelfth Schedule; or
(b)in any of the excluded circumstances specified in Part 2 of the Twelfth Schedule.
(6)  A porting organisation must not transmit any applicable data about an individual under subsection (2) if —
(a)the transmission of the applicable data can reasonably be expected to —
(i)threaten the safety, or physical or mental health, of an individual other than the individual to whom the applicable data relates;
(ii)cause immediate or grave harm to the safety, or physical or mental health, of the individual to whom the applicable data relates; or
(iii)be contrary to the national interest;
(b)the receiving organisation to which the applicable data is to be transmitted is, or belongs to a class of organisations that is, prescribed to be an excluded receiving organisation; or
(c)the Commission directs the porting organisation not to transmit the applicable data.
(7)  If a porting organisation for any reason does not transmit any applicable data about an individual under subsection (2), the porting organisation must, within the prescribed time and in accordance with the prescribed requirements, notify the individual of the refusal.
(8)  To avoid doubt, subsection (2) does not affect any prohibition or restriction on the disclosure of any personal data in the possession or under the control of the porting organisation under any other written law.
Transmission of personal data under data porting request
26I.—(1)  This section applies where giving effect to a data porting request in respect of applicable data about an individual (P) under section 26H(2) would transmit personal data about another individual (T) to a receiving organisation.
(2)  A porting organisation may disclose personal data about T to a receiving organisation without T’s consent only if the data porting request —
(a)is made in P’s personal or domestic capacity; and
(b)relates to P’s user activity data or user‑provided data.
(3)  A receiving organisation which receives from a porting organisation any personal data about T under subsection (2) must use that personal data only for the purpose of providing any goods or services to P.
(4)  A porting organisation is not, by reason only of disclosing personal data about T to a receiving organisation in accordance with subsection (2), to be regarded, in relation to that personal data, as being in breach of —
(a)any duty or obligation under any written law or rule of law, or any contract, as to secrecy or other restriction on the disclosure of information; or
(b)any rule of professional conduct applicable to the porting organisation.
Preservation of copies of applicable data
26J.—(1)  A porting organisation must preserve, for not less than the prescribed period, any applicable data that is specified in a data porting request, regardless of whether the porting organisation transmits or refuses for any reason to transmit that applicable data to a receiving organisation pursuant to the data porting request.
(2)  For the purposes of subsection (1), different periods may be prescribed for different porting organisations or different circumstances in which a porting organisation transmits or refuses to transmit applicable data.
(3)  The porting organisation must ensure that the copy of the applicable data it preserves for the purposes of this section is a complete and accurate copy of the applicable data concerned.”.
Repeal of Parts VII and VIII
15.  Parts VII and VIII of the principal Act are repealed.
Amendment of section 36
16.  Section 36(1) of the principal Act is amended —
(a)by inserting, immediately after the definition of “calling line identity”, the following definition:
“ “checker” means a person mentioned in section 43A(1);”; and
(b)by deleting the definition of “voice call” and substituting the following definition:
“ “voice call” includes —
(a)a call that involves a recorded or synthetic voice; or
(b)in the case of a recipient with a disability (for example, a hearing impairment), a call that is equivalent to a voice call.”.
Amendment of section 37
17.  Section 37 of the principal Act is amended —
(a)by deleting subsections (1) and (2) and substituting the following subsections:
(1)  Subject to subsection (5), for the purposes of this Part, a specified message is a message where, having regard to the following, it would be concluded that the purpose, or one of the purposes, of the message is an applicable purpose:
(a)the content of the message;
(b)the presentational aspects of the message;
(c)the content that can be obtained using the numbers, URLs or contact information (if any) mentioned in the message;
(d)if the telephone number from which the message is made is disclosed to the recipient (whether by calling line identity or otherwise), the content (if any) that can be obtained by calling that number.
(2)  For the purposes of subsection (1), where the applicable purpose relates to offering, supplying, advertising or promoting any goods, service, land, interest in land, business opportunity or investment opportunity, it does not matter whether or not —
(a)the goods, service, land, interest or opportunity exists; or
(b)it is lawful to acquire the goods, service, land or interest or take up the opportunity.”; and
(b)by inserting, immediately after subsection (5), the following subsection:
(6)  In this section, “applicable purpose” means a purpose specified in the Tenth Schedule.”.
Repeal and re-enactment of section 43
18.  Section 43 of the principal Act is repealed and the following section substituted therefor:
Duty to check register
43.—(1)  Subject to section 48(2), a person must not send a specified message addressed to a Singapore telephone number unless the person has, at the time the person sends the specified message, valid confirmation that the Singapore telephone number is not listed in the relevant register.
(2)  For the purposes of subsection (1), the person has valid confirmation that a Singapore telephone number is not listed in the relevant register in either of the following circumstances:
(a)the person has, within the prescribed duration before sending the specified message —
(i)made an application to the Commission under section 40(2) to confirm whether the Singapore telephone number is listed in the relevant register; and
(ii)received confirmation from the Commission that the Singapore telephone number is not listed in the relevant register;
(b)the person has obtained from a checker information that the Singapore telephone number is not listed in the relevant register (called in this section the relevant information) and has no reason to believe that, and is not reckless as to whether —
(i)the prescribed period in relation to the relevant information has expired; or
(ii)the relevant information is false or inaccurate.
(3)  In subsection (2)(b)(i), “prescribed period”, in relation to relevant information, means the prescribed period beginning after the date on which the checker received confirmation from the Commission, in response to the checker’s application to the Commission under section 40(2), that a Singapore telephone number is not listed in the relevant register.
(4)  A person does not contravene subsection (1) if the subscriber or user of the Singapore telephone number to which a specified message is sent —
(a)gave clear and unambiguous consent to the sending of the specified message to that Singapore telephone number; and
(b)the consent is evidenced in written or other form so as to be accessible for subsequent reference.
(5)  For the purposes of this section and section 43A —
(a)where there is only one register kept or maintained under section 39, the relevant register refers to that register; and
(b)where there are 2 or more registers kept or maintained under section 39 for different types of specified messages, the relevant register refers to the register relevant for the particular type of specified message.”.
New section 43A
19.  The principal Act is amended by inserting, immediately after section 43, the following section:
Duty of checkers
43A.—(1)  This section applies to a person (called the checker) that, for reward, provides to another person (P) information on whether a Singapore telephone number is listed in the relevant register (called in this section the applicable information) for the purpose of P’s compliance with section 43(1), other than —
(a)the Commission;
(b)an individual who is an employee of P; and
(c)an individual who is an employee or agent of a checker.
(2)  A checker must —
(a)ensure that the applicable information provided to P is accurate; and
(b)provide the applicable information to P in accordance with any prescribed requirements.
(3)  A checker is deemed to have complied with subsection (2)(a) if —
(a)the applicable information that the checker provides to P is in accordance with a reply from the Commission in response to the checker’s application under section 40(2); and
(b)the checker provides the applicable information to P before the expiry of the prescribed period mentioned in section 43(2)(b)(i).”.
Repeal and re-enactment of sections 44 and 45
20.  Sections 44 and 45 of the principal Act are repealed and the following sections substituted therefor:
Contact information
44.  Subject to section 48(2), a person must not send a specified message addressed to a Singapore telephone number unless —
(a)the specified message includes clear and accurate information identifying the individual or organisation that sent or authorised the sending of the specified message;
(b)the specified message includes clear and accurate information about how the recipient can readily contact that individual or organisation;
(c)the specified message includes the information, and complies with the conditions, specified in the regulations, if any; and
(d)the information included in the specified message in compliance with this section is reasonably likely to be valid for at least 30 days after the message is sent.
Calling line identity not to be concealed
45.  Subject to section 48(3), a person that makes a voice call containing a specified message or causes a voice call containing a specified message to be made or authorises the making of a voice call containing a specified message, addressed to a Singapore telephone number, from a telephone number or fax number, must not do any of the following:
(a)conceal or withhold from the recipient the calling line identity of the sender;
(b)perform any operation or issue any instruction in connection with the sending of the specified message for the purpose of, or that has the effect of, concealing or withholding from the recipient the calling line identity of the sender.”.
Amendment of section 48
21.  Section 48 of the principal Act is amended by deleting subsections (2) and (3) and substituting the following subsections:
(2)  Section 43(1) or 44 does not apply to an employee (X) who sends a specified message addressed to a Singapore telephone number in good faith —
(a)in the course of X’s employment; or
(b)in accordance with instructions given to X by or on behalf of X’s employer in the course of X’s employment.
(3)  Section 45 does not apply to an employee (Y) who makes, causes to be made or authorises the making of a voice call containing a specified message, addressed to a Singapore telephone number, from a telephone number or fax number, in good faith —
(a)in the course of Y’s employment; or
(b)in accordance with instructions given to Y by or on behalf of Y’s employer in the course of Y’s employment.
(4)  Subsection (1), (2) or (3) does not apply to an employee (Z) who, at the time the act was done or the conduct was engaged in, was an officer or a partner of Z’s employer and it is proved that —
(a)Z knew or ought reasonably to have known that the telephone number is a Singapore telephone number listed in the relevant register; and
(b)the specified message was sent with Z’s consent or connivance, or the sending of the specified message was attributable to any neglect on Z’s part.
(5)  In this section —
“corporation” has the meaning given by section 52(7);
“officer”  —
(a)in relation to a corporation, has the meaning given by section 52(7); or
(b)in relation to an unincorporated association (other than a partnership), has the meaning given by section 52A(7);
“partner”, in relation to a partnership, has the meaning given by section 52A(7).”.
New Parts IXA and IXB
22.  The principal Act is amended by inserting, immediately after section 48, the following Parts:
PART IXA
DICTIONARY ATTACKS AND
ADDRESS-HARVESTING SOFTWARE
Interpretation of this Part
48A.—(1)  In this Part, unless the context otherwise requires —
“address‑harvesting software” means software that is specifically designed or marketed for use for —
(a)searching the Internet for telephone numbers; and
(b)collecting, compiling, capturing or otherwise harvesting those telephone numbers;
“applicable message” means a message with a Singapore link that is sent to any applicable telephone number;
“applicable telephone number” means a telephone number that is generated or obtained through the use of —
(a)a dictionary attack; or
(b)address‑harvesting software;
“dictionary attack” means the method by which the telephone number of a recipient is obtained using an automated means that generates possible telephone numbers by combining numbers into numerous permutations;
“message”, “send”, “sender” and “Singapore telephone number” have the meanings given by section 36(1).
(2)  In this Part, an applicable message has a Singapore link in any of the following circumstances:
(a)the message originates in Singapore;
(b)the sender of the message —
(i)where the sender is an individual — is physically present in Singapore when the message is sent; or
(ii)in any other case —
(A)is formed or recognised under the law of Singapore; or
(B)has an office or a place of business in Singapore;
(c)the telephone, mobile telephone or other device that is used to access the message is located in Singapore;
(d)the recipient of the message —
(i)where the recipient is an individual — is physically present in Singapore when the message is accessed; or
(ii)in any other case — carries on business or activities in Singapore when the message is accessed;
(e)if the message cannot be delivered because the telephone number to which the message is sent has ceased to exist (assuming that the telephone number existed), it is reasonably likely that the message would have been accessed using a telephone, mobile telephone or other device located in Singapore.
(3)  For the purposes of the definition of “applicable message” in subsection (1), it does not matter —
(a)whether the telephone number to which the message is sent is a Singapore telephone number;
(b)whether that telephone number exists; or
(c)whether the message reaches its intended destination.
(4)  For the purposes of this Part, a telecommunications service provider that merely provides a service that enables an applicable message to be sent is, unless the contrary is proved, presumed not to have sent, caused to be sent or authorised the sending of the applicable message.
(5)  For the purposes of this Part, if, at the time an applicable message is sent, the telecommunications device, service or network from which it was sent was controlled by a person without the knowledge of the owner or authorised user of the telecommunications device, service or network (as the case may be), the owner or authorised user (as the case may be) is, unless the contrary is proved, presumed not to have sent, caused to be sent or authorised the sending of the applicable message.
(6)  In subsection (5), “control” means —
(a)physical control; or
(b)control through the use of software or other means.
Prohibition on use of dictionary attacks and address‑harvesting software
48B.—(1)  Subject to subsections (2) and (3), a person must not send, cause to be sent or authorise the sending of an applicable message.
(2)  Subsection (1) does not apply to an employee (P) who sends, causes to be sent or authorises the sending of an applicable message in good faith —
(a)in the course of P’s employment; or
(b)in accordance with instructions given to P by or on behalf of P’s employer in the course of P’s employment.
(3)  However, subsection (2) does not apply to a person (P) who, at the time the applicable message was sent, was an officer or a partner of the sender and it is proved that —
(a)P knew or ought reasonably to have known that the telephone number is an applicable telephone number; and
(b)the applicable message was sent with P’s consent or connivance, or the sending of the applicable message was attributable to any neglect on P’s part.
(4)  In this section —
“corporation” has the meaning given by section 52(7);
“officer”  —
(a)in relation to a corporation, has the meaning given by section 52(7); or
(b)in relation to an unincorporated association (other than a partnership), has the meaning given by section 52A(7);
“partner”, in relation to a partnership, has the meaning given by section 52A(7).
PART IXB
OFFENCES AFFECTING PERSONAL DATA AND
ANONYMISED INFORMATION
Interpretation and application of this Part
48C.—(1)  In this Part, unless the context otherwise requires —
“disclose”, in relation to personal data, includes providing access to personal data;
“gain” means —
(a)a gain in property or a supply of services, whether temporary or permanent; or
(b)an opportunity to earn remuneration or greater remuneration or to gain a financial advantage otherwise than by way of remuneration;
“harm”, in relation to an individual, means —
(a)any physical harm; or
(b)harassment, alarm or distress caused to the individual;
“loss” means —
(a)a loss in property or a supply of services, whether temporary or permanent; or
(b)a loss of an opportunity to earn remuneration or greater remuneration or to gain a financial advantage otherwise than by way of remuneration,
but excludes, in relation to an individual, the loss of personal data about the individual;
“Monetary Authority of Singapore” means the Monetary Authority of Singapore established by section 3 of the Monetary Authority of Singapore Act (Cap. 186);
“relevant public official” has the meaning given by section 7(5) of the Public Sector (Governance) Act 2018 (Act 5 of 2018);
“Singapore public sector agency” has the meaning given by section 2(1) of the Public Sector (Governance) Act 2018.
(2)  This Part does not apply to an individual who —
(a)at the time of the commission of any offence under section 48D(1), 48E(1) or 48F(1), is a relevant public official in a Singapore public sector agency; or
(b)is or has been a director or an officer or employee of the Monetary Authority of Singapore in respect of the disclosure, use or re‑identification of information acquired in the performance of the individual’s duties or the exercise of the individual’s functions.
Unauthorised disclosure of personal data
48D.—(1)  If —
(a)an individual discloses, or the individual’s conduct causes disclosure of, personal data in the possession or under the control of an organisation or a public agency to another person;
(b)the disclosure is not authorised by the organisation or public agency, as the case may be; and
(c)the individual does so —
(i)knowing that the disclosure is not authorised by the organisation or public agency, as the case may be; or
(ii)reckless as to whether the disclosure is or is not authorised by the organisation or public agency, as the case may be,
the individual shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $5,000 or to imprisonment for a term not exceeding 2 years or to both.
(2)  In proceedings for an offence under subsection (1), it is a defence to the charge for the accused to prove, on a balance of probabilities, any of the following:
(a)that —
(i)the personal data in the possession or under the control of the organisation or public agency (as the case may be) that was disclosed was, at the time of the disclosure, publicly available; and
(ii)where the personal data was publicly available solely because of an applicable contravention, the accused did not know, and was not reckless as to whether, that was the case;
(b)the accused disclosed, or caused the disclosure of, personal data in the possession or under the control of the organisation or public agency, as the case may be —
(i)as permitted or required by or under an Act or other law (apart from this Act);
(ii)as authorised or required by an order of court;
(iii)in the reasonable belief that, and was not reckless as to whether, the accused had the legal right to do so; or
(iv)in any other circumstances, or for any other purpose, prescribed.
(3)  To avoid doubt, subsection (2) does not affect any obligation or limitation imposed on, or prohibition of, the disclosure of personal data in the possession or under the control of an organisation or a public agency (as the case may be) by or under any other written law or other law.
(4)  In this section, “applicable contravention” means a contravention of any of the following:
(a)subsection (1);
(b)section 48F(1);
(c)section 7(1) or 8(1) of the Public Sector (Governance) Act 2018;
(d)section 14A(1) or 14C(1) of the Monetary Authority of Singapore Act.
Improper use of personal data
48E.—(1)  If —
(a)an individual makes use of personal data in the possession or under the control of an organisation or a public agency;
(b)the use is not authorised by the organisation or public agency, as the case may be;
(c)the individual does so —
(i)knowing that the use is not authorised by the organisation or public agency, as the case may be; or
(ii)reckless as to whether the use is or is not authorised by the organisation or public agency, as the case may be; and
(d)the individual, as a result of that use —
(i)obtains a gain for the individual or another person;
(ii)causes harm to another individual; or
(iii)causes a loss to another person,
the individual shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $5,000 or to imprisonment for a term not exceeding 2 years or to both.
(2)  In proceedings for an offence under subsection (1), it is a defence to the charge for the accused to prove, on a balance of probabilities, any of the following:
(a)that —
(i)the personal data in the possession or under the control of the organisation or public agency (as the case may be) that was used was, at the time of the use, publicly available; and
(ii)where the personal data was publicly available solely because of an applicable contravention, the accused did not know, and was not reckless as to whether, that was the case;
(b)the accused used the personal data in the possession or under the control of the organisation or public agency, as the case may be —
(i)as permitted or required by or under an Act or other law (apart from this Act);
(ii)as authorised or required by an order of court;
(iii)in the reasonable belief that, and was not reckless as to whether, the accused had the legal right to do so; or
(iv)in any other circumstances, or for any other purpose, prescribed.
(3)  To avoid doubt, subsection (2) does not affect any obligation or limitation imposed on, or prohibition of, the use of personal data in the possession or under the control of an organisation or a public agency (as the case may be) by or under any other written law or other law.
(4)  In this section, “applicable contravention” means a contravention of any of the following:
(a)section 48D(1) or 48F(1);
(b)section 7(1) or 8(1) of the Public Sector (Governance) Act 2018;
(c)section 14A(1) or 14C(1) of the Monetary Authority of Singapore Act.
Unauthorised re-identification of anonymised information
48F.—(1)  If —
(a)an individual takes any action to re-identify or cause re‑identification of the person to whom anonymised information in the possession or under the control of an organisation or a public agency relates (called in this section the affected person);
(b)the re‑identification is not authorised by the organisation or public agency, as the case may be; and
(c)the individual does so —
(i)knowing that the re‑identification is not authorised by the organisation or public agency, as the case may be; or
(ii)reckless as to whether the re‑identification is or is not authorised by the organisation or public agency, as the case may be,
the individual shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $5,000 or to imprisonment for a term not exceeding 2 years or to both.
(2)  In proceedings for an offence under subsection (1), it is a defence to the charge for the accused to prove, on a balance of probabilities, any of the following:
(a)that —
(i)the information on the identity of the affected person is publicly available; and
(ii)where that information was publicly available solely because of an applicable contravention, the accused did not know, and was not reckless as to whether, that was the case;
(b)the action to re-identify or cause re-identification is —
(i)permitted or required by or under an Act or other law (apart from this Act); or
(ii)authorised or required by an order of court;
(c)the accused —
(i)reasonably believed that the re‑identification was for a specified purpose; and
(ii)notified the Commission or the organisation or public agency (as the case may be) of the re‑identification as soon as was practicable;
(d)the accused took the action to re‑identify or cause re‑identification in the reasonable belief that, and was not reckless as to whether, the accused had the legal right to do so, other than for a specified purpose;
(e)in any other circumstances, or for any other purpose, prescribed.
(3)  To avoid doubt, subsection (2) does not affect any obligation or limitation imposed on, or prohibition of, the re‑identification of the affected person by or under any other written law or other law.
(4)  In this section —
“applicable contravention” means a contravention of any of the following:
(a)subsection (1);
(b)section 8(1) of the Public Sector (Governance) Act 2018;
(c)section 14C(1) of the Monetary Authority of Singapore Act;
“specified purpose” means any purpose specified in the Eleventh Schedule.”.
New Parts IXC and IXD
23.  The principal Act is amended by inserting, immediately before Part X, the following Parts:
PART IXC
ENFORCEMENT
Alternative dispute resolution
48G.—(1)  If the Commission is of the opinion that any complaint by an individual (called in this section the complainant) against an organisation may more appropriately be resolved by mediation, the Commission may, without the consent of the complainant and the organisation, refer the matter to mediation under a dispute resolution scheme.
(2)  Subject to subsection (1), the Commission may, with or without the consent of the complainant and the organisation, direct the complainant or the organisation or both to attempt to resolve the complaint of the complainant in the way directed by the Commission.
(3)  For the purposes of subsection (1), the Commission may establish or approve one or more dispute resolution schemes for the resolution of complaints by individuals against organisations.
(4)  The Commission may, with the approval of the Minister, make regulations under section 65 to provide for matters relating to the operation by an operator of a dispute resolution scheme, including —
(a)the standards or requirements of the services provided under the dispute resolution scheme;
(b)the fees that the operator may charge for the services provided under the dispute resolution scheme;
(c)the records that the operator must keep, and the period of retention of those records;
(d)the reports that the operator must submit to the Commission, and the manner and time for those submissions;
(e)matters relating to the administration of the dispute resolution scheme; and
(f)generally to give effect to or for carrying out the purposes of subsections (1) and (3).
Power to review
48H.—(1)  On the application of a complainant, the Commission may review —
(a)a refusal by an organisation to provide access to personal data or other information requested by the complainant under section 21, or the organisation’s failure to provide that access within a reasonable time;
(b)a refusal by an organisation to correct personal data in accordance with a request by the complainant under section 22, or the organisation’s failure to make the correction within a reasonable time;
(c)a refusal by a porting organisation to transmit any applicable data pursuant to a data porting request under section 26H, or the porting organisation’s failure to transmit the applicable data within a reasonable time;
(d)a fee required from the complainant by an organisation in relation to a request by the complainant under section 21 or 22; or
(e)a fee required from the complainant or a receiving organisation by a porting organisation in relation to a data porting request by the complainant under section 26H.
(2)  Upon completion of its review under subsection (1), the Commission may —
(a)confirm the refusal to provide access to the personal data or other information, or direct the organisation to provide access to the personal data or other information within the time specified by the Commission;
(b)confirm the refusal to correct the personal data, or direct the organisation to correct the personal data in the manner and within the time specified by the Commission;
(c)confirm the refusal to transmit the applicable data, or direct the porting organisation to transmit the applicable data in the manner and within the time specified by the Commission; or
(d)confirm, reduce or disallow a fee, or direct the organisation or porting organisation (as the case may be) to make a refund to the complainant or receiving organisation, as the case may be.
Directions for non-compliance
48I.—(1)  The Commission may, if it is satisfied that —
(a)an organisation has not complied or is not complying with any provision of Part III, IV, V, VI, VIA or VIB; or
(b)a person has not complied or is not complying with any provision of Part IX or section 48B(1),
give the organisation or person (as the case may be) any direction that the Commission thinks fit in the circumstances to ensure compliance with that provision.
(2)  Without limiting subsection (1), the Commission may, if it thinks fit in the circumstances to ensure compliance with any provision of Part III, IV, V, VI, VIA or VIB, give an organisation all or any of the following directions:
(a)to stop collecting, using or disclosing personal data in contravention of this Act;
(b)to destroy personal data collected in contravention of this Act;
(c)to comply with any direction of the Commission under section 48H(2).
Financial penalties
48J.—(1)  Subject to subsection (2), the Commission may, if it is satisfied that —
(a)an organisation has intentionally or negligently contravened any provision of Part III, IV, V, VI, VIA or VIB; or
(b)a person has intentionally or negligently contravened —
(i)any provision of Part IX; or
(ii)section 48B(1),
require, by written notice, the organisation or person (as the case may be) to pay a financial penalty.
(2)  Subsection (1) does not apply in relation to any contravention of a provision of this Act, the breach of which is an offence under this Act.
(3)  A financial penalty imposed on an organisation under subsection (1)(a) must not exceed the maximum amount to be prescribed, which in no case may be more than $1 million.
(4)  A financial penalty imposed on a person under subsection (1)(b) must not exceed the maximum amount to be prescribed, which in no case may be more than the following:
(a)in the case of an individual — $200,000;
(b)in any other case — $1 million.
(5)  For the purposes of subsections (3) and (4), different maximum amounts may be prescribed in respect of contraventions of different provisions of this Act.
(6)  The Commission must, in determining the amount of a financial penalty imposed under subsection (1), have regard to, and give such weight as the Commission considers appropriate to, all of the following matters:
(a)the nature, gravity and duration of the non‑compliance by the organisation or person, as the case may be;
(b)the type and nature of the personal data affected by the non‑compliance by the organisation or person, as the case may be;
(c)whether the organisation or person (as the case may be), as a result of the non‑compliance, gained any financial benefit or avoided any financial loss;
(d)whether the organisation or person (as the case may be) took any action to mitigate the effects and consequences of the non‑compliance, and the timeliness and effectiveness of that action;
(e)whether the organisation or person (as the case may be) had, despite the non‑compliance, implemented adequate and appropriate measures for compliance with the requirements under this Act;
(f)whether the organisation or person (as the case may be) had previously failed to comply with this Act;
(g)the compliance of the organisation or person (as the case may be) with any direction given under section 48I or 48L(4) in relation to remedying or mitigating the effect of the non‑compliance;
(h)whether the financial penalty to be imposed is proportionate and effective, having regard to achieving compliance and deterring non‑compliance with this Act;
(i)the likely impact of the imposition of the financial penalty on the organisation or person (as the case may be), including the ability of the organisation or person to continue the usual activities of the organisation or person;
(j)any other matter that may be relevant.
Procedure for giving of directions and imposing of financial penalty
48K.—(1)  Before giving any direction under section 48I or imposing a financial penalty under section 48J(1), the Commission must give written notice to the organisation or person concerned —
(a)stating that the Commission intends to take action against the organisation or person under section 48I or 48J(1), as the case may be;
(b)where the Commission intends to give any direction under section 48I, specifying the direction the Commission proposes to give;
(c)specifying each instance of non‑compliance that is the subject of the proposed action, or the reason or reasons for the proposed action; and
(d)subject to subsections (2) and (3), specifying the time within which written representations may be made to the Commission with respect to the proposed action.
(2)  Where the Commission intends to impose a financial penalty under section 48J(1) on an organisation or a person, the time specified in the notice within which written representations may be made to the Commission must be at least 14 days after the date the notice is served on that organisation or person.
(3)  The Commission may, on written application by the organisation or person concerned (whether before, on or after the expiry of the time specified in the notice), extend the time for the organisation or person to make written representations to the Commission if the Commission is satisfied that the extension should be granted by reason of exceptional circumstances in the particular case.
(4)  The Commission may decide to give the direction under section 48I or impose the financial penalty under section 48J(1), as the case may be —
(a)after considering any written representation made to the Commission pursuant to the notice mentioned in subsection (1); or
(b)upon the expiry of the time specified in the notice under subsection (1)(d), or as extended by the Commission under subsection (3), where no representation is so made or any written representation made is subsequently withdrawn.
(5)  Subsection (1) does not apply where the organisation or person (as the case may be) has died, is adjudged bankrupt, has been dissolved or wound up or has otherwise ceased to exist.
(6)  Where the Commission decides to give the direction under section 48I or impose the financial penalty under section 48J(1) (as the case may be), the Commission must serve a notice of the decision on the following persons:
(a)the organisation or person concerned;
(b)the complainant whose complaint against the organisation or person concerned resulted in the giving of the direction or the imposition of the financial penalty (as the case may be), if any.
(7)  A direction given under section 48I or the imposition of a financial penalty under section 48J(1) takes effect only when the Commission serves the notice in subsection (6)(a) on the organisation or person concerned.
(8)  Where the Commission imposes a financial penalty under section 48J(1) on an organisation or a person, the written notice issued by the Commission to the organisation or person must specify the date before which the financial penalty is to be paid, being a date not earlier than 28 days after the notice is issued.
(9)  The Commission may, on written application by an organisation or a person on whom a financial penalty under section 48J(1) is imposed —
(a)extend the time for the organisation or person to pay the financial penalty; or
(b)allow the financial penalty to be paid by instalments.
(10)  The interest payable —
(a)on the outstanding amount of any financial penalty imposed under section 48J(1); and
(b)for payment by instalments (as the Commission may allow) of any financial penalty imposed under section 48J(1),
must be at such rate as the Commission may direct, which must not exceed the rate prescribed in the Rules of Court in respect of judgment debts.
Voluntary undertakings
48L.—(1)  Without affecting sections 48I, 48J(1) and 50(1), where the Commission has reasonable grounds to believe that —
(a)an organisation has not complied, is not complying or is likely not to comply with any provision of Part III, IV, V, VI, VIA or VIB; or
(b)a person has not complied, is not complying or is likely not to comply with any provision of Part IX or section 48B(1),
the organisation or person concerned may give, and the Commission may accept, a written voluntary undertaking.
(2)  Without limiting the matters to which the voluntary undertaking may relate, the voluntary undertaking may include any of the following undertakings by the organisation or person concerned:
(a)an undertaking to take specified action within a specified time;
(b)an undertaking to refrain from taking specified action;
(c)an undertaking to publicise the voluntary undertaking.
(3)  Subject to subsection (4), the Commission may, after accepting the voluntary undertaking and with the agreement of the organisation or person who gave the voluntary undertaking —
(a)vary the terms of any undertaking included in the voluntary undertaking; or
(b)include, in the voluntary undertaking, any additional undertaking mentioned in subsection (2).
(4)  Where an organisation or a person fails to comply with any undertaking in a voluntary undertaking —
(a)the Commission may give the organisation or person concerned any direction that the Commission thinks fit in the circumstances to ensure the compliance of the organisation or person with that undertaking; and
(b)section 48K(1), (3), (4), (5), (6) and (7) applies to the direction given under paragraph (a) as if the direction were given under section 48I.
(5)  In addition, where an organisation or a person fails to comply with an undertaking mentioned in subsection (2)(c), the Commission may publicise the voluntary undertaking in accordance with the undertaking, and recover the costs and expenses so incurred from the organisation or person as a debt due to the Commission.
Enforcement of directions of or written notices by Commission in District Court
48M.—(1)  For the purposes of enforcing a direction or written notice mentioned in subsection (2) —
(a)the Commission may apply for the direction or written notice (as the case may be) to be registered in a District Court in accordance with the Rules of Court; and
(b)the District Court is to register the direction or written notice in accordance with the Rules of Court.
(2)  Subsection (1) applies to any of the following:
(a)a direction made by the Commission under section 48H(2), 48I or 48L(4);
(b)a written notice by the Commission for the payment of any sum comprising —
(i)a financial penalty imposed under section 48J(1); and
(ii)any interest payable under section 48K(10) on that financial penalty.
(3)  From the date of registration of a direction or written notice under subsection (1), the direction or written notice (as the case may be) has the same force and effect, and all proceedings may be taken on the direction or written notice (as the case may be), for the purposes of enforcement, as if it had been an order originally obtained in the District Court which has power to enforce it accordingly.
(4)  A District Court may, for the purpose of enforcing a direction in accordance with subsection (3), make any order —
(a)to secure compliance with the direction; or
(b)to require any person to do anything to remedy, mitigate or eliminate any effects arising from —
(i)anything done which ought not, under the direction, to have been done; or
(ii)anything not done which ought, under the direction, to have been done,
which would not have occurred had the direction been complied with.
(5)  A District Court has jurisdiction to enforce a written notice in accordance with subsection (3) regardless of the amount of the sum mentioned in subsection (2)(b).
Reconsideration of directions or decisions
48N.—(1)  An organisation or a person (including any individual who is a complainant) aggrieved by —
(a)any direction made by the Commission under section 48G(2), 48I(1) or (2) or 48L(4); or
(b)any direction or decision made under section 48H(2),
may make a written application to the Commission to reconsider the direction or decision in accordance with this section.
(2)  An organisation or a person aggrieved by a financial penalty imposed by the Commission under section 48J(1) on the organisation or person may make a written application to the Commission to reconsider the decision to impose the financial penalty or the amount of the financial penalty so imposed in accordance with this section.
(3)  Unless the Commission decides otherwise in any particular case, an application for reconsideration does not suspend the effect of the direction or decision to be reconsidered except in the case of an application for reconsideration under subsection (2).
(4)  The application for reconsideration —
(a)subject to subsection (5), must be submitted to the Commission within the prescribed period;
(b)must be made in the form and manner required by the Commission; and
(c)must set out the grounds on which the applicant is requesting the reconsideration.
(5)  The Commission may, on written application by the organisation or person concerned (whether before, on or after the expiry of the prescribed period mentioned in subsection (4)(a)), extend the time for the organisation or person to make the application for reconsideration if the Commission is satisfied that the extension should be granted by reason of exceptional circumstances in the particular case.
(6)  If an application for reconsideration is made in accordance with this section, the Commission must —
(a)reconsider the direction or decision;
(b)take any of the following actions as the Commission thinks fit:
(i)affirm, revoke or vary the direction or decision;
(ii)affirm or revoke, or vary the amount of, the financial penalty; and
(c)notify the applicant in writing of the result of the reconsideration.
(7)  There is to be no application for reconsideration of a decision made under subsection (6)(b).
Right of private action
48O.—(1)  A person who suffers loss or damage directly as a result of a contravention —
(a)by an organisation of any provision of Part IV, V, VI, VIA or VIB; or
(b)by a person of any provision of Division 3 of Part IX or Part IXA,
has a right of action for relief in civil proceedings in a court.
(2)  If the Commission has made a decision under this Act in respect of a contravention specified in subsection (1), an action accruing under subsection (1) may not be brought in respect of that contravention until after the decision has become final as a result of there being no further right of appeal.
(3)  The court may grant to the plaintiff in an action under subsection (1) all or any of the following:
(a)relief by way of injunction or declaration;
(b)damages;
(c)any other relief as the court thinks fit.
PART IXD
APPEALS
Data Protection Appeal Panel and Data Protection Appeal Committees
48P.—(1)  There is established a Data Protection Appeal Panel.
(2)  The Minister must appoint the members of the Appeal Panel.
(3)  The Chairman of the Appeal Panel must be appointed by the Minister from among the members of the Appeal Panel.
(4)  For the purpose of hearing any appeal under section 48Q, the Chairman of the Appeal Panel may nominate a Data Protection Appeal Committee comprising 3 or more members of the Appeal Panel.
(5)  The Seventh Schedule has effect with respect to the Appeal Panel, Appeal Committees and their members and the proceedings of Appeal Committees, as the case may be.
Appeal from direction or decision of Commission
48Q.—(1)  An organisation or a person (including an individual who is a complainant) aggrieved by —
(a)any direction made by the Commission under section 48G(2), 48I(1) or (2) or 48L(4);
(b)any direction or decision made by the Commission under section 48H(2); or
(c)any decision made by the Commission under section 48N(6)(b),
may, within the prescribed period, appeal to the Chairman of the Appeal Panel against that direction or decision.
(2)  An organisation or a person aggrieved by a financial penalty imposed by the Commission under section 48J(1) on the organisation or person may, within the prescribed period, appeal to the Chairman of the Appeal Panel against the decision to impose the financial penalty or the amount of the financial penalty so imposed.
(3)  Where an application for reconsideration has been made under section 48N, every appeal in respect of the same direction or decision which is the subject of the application for reconsideration is deemed to be withdrawn.
(4)  Unless the Appeal Committee decides otherwise in any particular case, the making of an appeal under this section does not suspend the effect of the direction or decision to which the appeal relates except in the case of an appeal under subsection (2).
(5)  An Appeal Committee hearing an appeal may confirm, vary or set aside the direction or decision which is the subject of the appeal and, in particular, may —
(a)remit the matter to the Commission;
(b)impose or revoke, or vary the amount of, a financial penalty;
(c)give any direction, or take any other step, that the Commission could itself have given or taken; or
(d)make any other direction or decision that the Commission could itself have made.
(6)  A direction or decision of an Appeal Committee on an appeal has the same effect, and may be enforced in the same manner, as a direction or decision of the Commission, except that there is to be no application for further reconsideration under section 48N and no further appeal under this section from the direction or decision of the Appeal Committee.
(7)  If an Appeal Committee confirms the direction or decision which is the subject of the appeal, it may nevertheless set aside any finding of fact on which the direction or decision was based.
Appeals to High Court, etc.
48R.—(1)  An appeal against, or with respect to, a direction or decision of an Appeal Committee lies to the High Court —
(a)on a point of law arising from the direction or decision of the Appeal Committee; or
(b)from any direction of the Appeal Committee as to the amount of a financial penalty.
(2)  An appeal under this section may be made within the prescribed time only at the instance of —
(a)the organisation or person aggrieved by the direction or decision of the Appeal Committee;
(b)if the decision relates to a complaint, the complainant; or
(c)the Commission.
(3)  The High Court is to hear and determine any appeal under this section and may —
(a)confirm, modify or reverse the direction or decision of the Appeal Committee; and
(b)make any further or other order on the appeal, whether as to costs or otherwise, as the High Court thinks fit.
(4)  There is such further right of appeal from decisions of the High Court under this section as exists in the case of decisions made by the High Court in the exercise of its original civil jurisdiction.
(5)  A reference in this section to the High Court is, on or after the date of commencement of the Supreme Court of Judicature (Amendment) Act 2019 (Act 40 of 2019), a reference to the General Division of the High Court.”.
Amendment of section 48J
24.  Section 48J of the principal Act, as inserted by section 23, is amended —
(a)by deleting subsection (3) and substituting the following subsection:
(3)  A financial penalty imposed on an organisation under subsection (1)(a) must not exceed the maximum amount to be prescribed, which in no case may be more than the following:
(a)in the case of a contravention on or after the date of commencement of section 24 of the Personal Data Protection (Amendment) Act 2020 by an organisation whose annual turnover in Singapore exceeds $10 million — 10% of the annual turnover in Singapore of the organisation;
(b)in any other case — $1 million.”;
(b)by deleting the words “subsection (1)(b)” in subsection (4) and substituting the words “subsection (1)(b)(i)”;
(c)by inserting, immediately after subsection (4), the following subsection:
(4A)  A financial penalty imposed on a person under subsection (1)(b)(ii) must not exceed the maximum amount to be prescribed, which in no case may be more than the following:
(a)in the case of an individual — $200,000;
(b)in the case of a contravention on or after the date of commencement of section 24 of the Personal Data Protection (Amendment) Act 2020 by a person whose annual turnover in Singapore exceeds $20 million — 5% of the annual turnover of the person in Singapore;
(c)in any other case — $1 million.”; and
(d)by inserting, immediately after subsection (5), the following subsection:
(5A)  For the purposes of subsections (3)(a) and (4A)(b), the annual turnover in Singapore of an organisation or a person (as the case may be) is the amount ascertained from the most recent audited accounts of the organisation or person available at the time the financial penalty is imposed on that organisation or person.”.
Amendment of section 48R
25.  Section 48R of the principal Act, as inserted by section 23, is amended —
(a)by deleting the words “High Court” wherever they appear in subsections (1), (3) and (4) and substituting in each case the words “General Division of the High Court”;
(b)by deleting subsection (5); and
(c)by deleting the words “High Court” in the section heading and substituting the words “General Division of High Court”.
Amendment of section 50
26.  Section 50 of the principal Act is amended —
(a)by deleting the words “whether an organisation is not complying with this Act” in subsection (1) and substituting the words “whether or not an organisation or a person is complying with this Act, including a voluntary undertaking given by the organisation or person under section 48L(1)”;
(b)by deleting the words “section 27(2)” in subsection (3)(a) and substituting the words “section 48G(2)”;
(c)by inserting, immediately after paragraph (c) of subsection (3), the following paragraph:
(ca)the Commission accepts a voluntary undertaking given by an organisation or a person under section 48L(1) in relation to the matter;”; and
(d)by inserting, immediately after subsection (3), the following subsection:
(3A)  To avoid doubt, despite subsection (3)(ca), the Commission may conduct or resume an investigation under this section at any time if an organisation or a person fails to comply with a voluntary undertaking given by the organisation or person under section 48L(1) in relation to any matter.”.
Amendment of section 51
27.  Section 51 of the principal Act is amended —
(a)by deleting subsection (1) and substituting the following subsections:
(1)  A person shall be guilty of an offence if the person —
(a)makes a request under section 21(1) to obtain access to personal data about another individual without the authority of that other individual;
(b)makes a request under section 22(1) to change personal data about another individual without the authority of that other individual; or
(c)subject to subsection (1A), gives a porting organisation a data porting request under section 26H(1) to transmit personal data about another individual to a receiving organisation without the authority of that other individual.
(1A)  Subsection (1)(c) does not apply to an individual who gives a data porting request under section 26H(1), in the individual’s personal or domestic capacity, to transmit any user activity data or user‑provided data about the individual even though the user activity data or user‑provided data (as the case may be) includes personal data about another individual.”;
(b)by deleting the word “or” at the end of paragraph (b) of subsection (3), and by inserting immediately thereafter the following paragraphs:
(ba)without reasonable excuse, neglects or refuses to provide any information or produce any document which the organisation or person is required by or under this Act to provide or produce to the Commission or an inspector;
(bb)without reasonable excuse, neglects or refuses to attend before the Commission or an inspector as required by or under this Act; or”;
(c)by inserting, immediately after “$5,000” in subsection (4)(a), the words “or to imprisonment for a term not exceeding 12 months or to both”; and
(d)by inserting, immediately after subsection (5), the following subsection:
(6)  An organisation or a person that commits an offence under subsection (3)(ba) or (bb) is liable —
(a)in the case of an individual — to a fine not exceeding $5,000 or to imprisonment for a term not exceeding 6 months or to both; and
(b)in any other case — to a fine not exceeding $10,000.”.
Repeal and re-enactment of section 52 and new section 52A
28.  Section 52 of the principal Act is repealed and the following sections substituted therefor:
Offences by corporations
52.—(1)  Where, in a proceeding for an offence under this Act, it is necessary to prove the state of mind of a corporation in relation to a particular conduct, evidence that —
(a)an officer, employee or agent of the corporation engaged in that conduct within the scope of the actual or apparent authority of the officer, employee or agent, as the case may be; and
(b)the officer, employee or agent had that state of mind,
is evidence that the corporation had that state of mind.
(2)  Where a corporation commits an offence under this Act, a person —
(a)who is —
(i)an officer of the corporation; or
(ii)an individual involved in the management of the corporation and in a position to influence the conduct of the corporation in relation to the commission of the offence; and
(b)who —
(i)consented or connived, or conspired with others, to effect the commission of the offence;
(ii)is in any other way, whether by act or omission, knowingly concerned in, or is party to, the commission of the offence by the corporation; or
(iii)knew or ought reasonably to have known that the offence by the corporation (or an offence of the same type) would be or is being committed, and failed to take all reasonable steps to prevent or stop the commission of that offence,
shall be guilty of that same offence as is the corporation, and shall be liable on conviction to be punished accordingly.
(3)  A person mentioned in subsection (2) may rely on a defence that would be available to the corporation if it were charged with the offence with which the person is charged and, in doing so, the person bears the same burden of proof that the corporation would bear.
(4)  To avoid doubt, this section does not affect the application of —
(a)Chapters V and VA of the Penal Code (Cap. 224); or
(b)the Evidence Act (Cap. 97) or any other law or practice regarding the admissibility of evidence.
(5)  To avoid doubt, subsection (2) also does not affect the liability of the corporation for an offence under this Act, and applies whether or not the corporation is convicted of the offence.
(6)  The Minister may make regulations to provide for the application of any provision of this section, with such modifications as the Minister considers appropriate, to any corporation formed or recognised under the law of a territory outside Singapore.
(7)  In this section —
“corporation” includes a limited liability partnership within the meaning of section 2(1) of the Limited Liability Partnerships Act (Cap. 163A);
“officer”, in relation to a corporation, means any director, partner, chief executive, manager, secretary or other similar officer of the corporation, and includes —
(a)any person purporting to act in any such capacity; and
(b)for a corporation whose affairs are managed by its members, any of those members as if the member were a director of the corporation;
“state of mind” of a person includes —
(a)the knowledge, intention, opinion, belief or purpose of the person; and
(b)the person’s reasons for the intention, opinion, belief or purpose.
Offences by unincorporated associations or partnerships
52A.—(1)  Where, in a proceeding for an offence under this Act, it is necessary to prove the state of mind of an unincorporated association or a partnership in relation to a particular conduct, evidence that —
(a)an employee or agent of the unincorporated association or partnership engaged in that conduct within the scope of the actual or apparent authority of the employee or agent, as the case may be; and
(b)the employee or agent had that state of mind,
is evidence that the unincorporated association or partnership had that state of mind.
(2)  Where an unincorporated association or a partnership commits an offence under this Act, a person —
(a)who is —
(i)an officer of the unincorporated association or a member of its governing body;
(ii)a partner in the partnership; or
(iii)an individual involved in the management of the unincorporated association or partnership and in a position to influence the conduct of the unincorporated association or partnership (as the case may be) in relation to the commission of the offence; and
(b)who —
(i)consented or connived, or conspired with others, to effect the commission of the offence;
(ii)is in any other way, whether by act or omission, knowingly concerned in, or is party to, the commission of the offence by the unincorporated association or partnership; or
(iii)knew or ought reasonably to have known that the offence by the unincorporated association or partnership (or an offence of the same type) would be or is being committed, and failed to take all reasonable steps to prevent or stop the commission of that offence,
shall be guilty of the same offence as is the unincorporated association or partnership (as the case may be), and shall be liable on conviction to be punished accordingly.
(3)  A person mentioned in subsection (2) may rely on a defence that would be available to the unincorporated association or partnership if it were charged with the offence with which the person is charged and, in doing so, the person bears the same burden of proof that the unincorporated association or partnership would bear.
(4)  To avoid doubt, this section does not affect the application of —
(a)Chapters V and VA of the Penal Code; or
(b)the Evidence Act or any other law or practice regarding the admissibility of evidence.
(5)  To avoid doubt, subsection (2) also does not affect the liability of an unincorporated association or a partnership for an offence under this Act, and applies whether or not the unincorporated association or partnership is convicted of the offence.
(6)  The Minister may make regulations to provide for the application of any provision of this section, with such modifications as the Minister considers appropriate, to any unincorporated association or partnership formed or recognised under the law of a territory outside Singapore.
(7)  In this section —
“officer”, in relation to an unincorporated association (other than a partnership), means the president, the secretary or any member of the committee of the unincorporated association, and includes —
(a)any person holding a position analogous to that of president, secretary or member of the committee of the unincorporated association; and
(b)any person purporting to act in any such capacity;
“partner” includes a person purporting to act as a partner;
“state of mind” of a person includes —
(a)the knowledge, intention, opinion, belief or purpose of the person; and
(b)the person’s reasons for the intention, opinion, belief or purpose.”.
Amendment of section 65
29.  Section 65(2) of the principal Act is amended —
(a)by inserting, immediately after paragraph (b), the following paragraphs:
(ba)the assessment and notification of notifiable data breaches, including —
(i)the steps and measures that an organisation must take in relation to the investigation and assessment of data breaches; and
(ii)the form and manner in which the Commission and affected individuals must be notified of notifiable data breaches;
(bb)the form, manner and procedures relating to data porting requests, including —
(i)the information and particulars that must be provided for such requests;
(ii)the time for and content of a porting organisation’s responses to such requests;
(iii)the steps that a receiving organisation must take to confirm the accessibility and completeness of any applicable data transmitted by a porting organisation; and
(iv)the fees that a porting organisation may charge in respect of such requests;”;
(b)by deleting the words “section 28” in paragraph (e) and substituting the words “section 48H”;
(c)by deleting the words “section 31” in paragraph (f) and substituting the words “section 48N”;
(d)by deleting the words “to confirm whether a Singapore telephone number is listed in the relevant register for the purposes of section 43(1)(a)” in paragraph (m) and substituting the words “made under section 40(2)”; and
(e)by deleting the full‑stop at the end of paragraph (m) and substituting a semi‑colon, and by inserting immediately thereafter the following paragraph:
(n)the requirements that checkers must comply with for the purposes of this Act.”.
Amendment of section 66
30.  Section 66 of the principal Act is amended —
(a)by deleting the words “section 32” and substituting the words “section 48O”; and
(b)by deleting the words “section 35” and substituting the words “section 48R”.
New First Schedule
31.  The principal Act is amended by inserting, immediately after section 68, the following Schedule:
FIRST SCHEDULE
Section 17(1) and Fifth and Twelfth Schedules
COLLECTION, USE AND DISCLOSURE OF
PERSONAL DATA WITHOUT CONSENT
Part 1
VITAL INTERESTS OF INDIVIDUALS
1.—(1)  Subject to sub‑paragraph (2), the collection, use or disclosure (as the case may be) of personal data about an individual is necessary for any purpose which is clearly in the interests of the individual, and —
(a)consent for the collection, use or disclosure (as the case may be) cannot be obtained in a timely way; or
(b)the individual would not reasonably be expected to withhold consent.
(2)  Where the organisation collects, uses or discloses (as the case may be) personal data about the individual under sub‑paragraph (1), the organisation must, as soon as is practicable, notify the individual of the collection, use or disclosure (as the case may be) and the purpose for the collection, use or disclosure, as the case may be.
2.  The collection, use or disclosure (as the case may be) of personal data about an individual is necessary to respond to an emergency that threatens the life, health or safety of the individual or another individual.
3.  The collection, use or disclosure (as the case may be) of personal data about an individual, where —
(a)consent for the collection, use or disclosure (as the case may be) cannot be obtained in a timely way; and
(b)there are reasonable grounds to believe that the health or safety of the individual or another individual will be seriously affected.
4.  The collection, use or disclosure of personal data is for the purpose of contacting the next‑of‑kin or a friend of any injured, ill or deceased individual.
Part 2
MATTERS AFFECTING PUBLIC
1.  The collection, use or disclosure (as the case may be) of personal data about an individual that is publicly available.
2.  The collection, use or disclosure (as the case may be) of personal data about an individual is in the national interest.
3.  The collection, use or disclosure (as the case may be) of personal data about an individual is solely for artistic or literary purposes.
4.  The collection, use or disclosure (as the case may be) of personal data about an individual is solely for archival or historical purposes, if a reasonable person would not consider the personal data to be too sensitive to the individual to be collected, used or disclosed (as the case may be) at the proposed time.
5.  The personal data about an individual is collected, used or disclosed (as the case may be) by a news organisation solely for its news activity.
6.  In this Part —
“broadcasting service” has the meaning given by section 2(1) of the Broadcasting Act (Cap. 28);
“news activity” means —
(a)the gathering of news, or the preparation or compilation of articles or programmes of or concerning news, observations on news, or current affairs, for the purposes of dissemination to the public or any section of the public; or
(b)the dissemination, to the public or any section of the public, of any article or programme of or concerning —
(i)news;
(ii)observations on news; or
(iii)current affairs;
“news organisation” means —
(a)any organisation —
(i)the business of which consists, in whole or in part, of news activity carried out in relation to a relevant broadcasting service, a newswire service or the publication of a newspaper; and
(ii)which, if the organisation publishes a newspaper in Singapore which is not exempted from the provisions of Part III of the Newspaper and Printing Presses Act (Cap. 206), is a newspaper company defined in section 2(1) of that Act; or
(b)any organisation which provides a broadcasting service in or from Singapore and holds a broadcasting licence granted under section 8 of the Broadcasting Act;
“newspaper” has the meaning given by section 2(1) of the Newspaper and Printing Presses Act;
“relevant broadcasting service” means any of the following licensable broadcasting services within the meaning of the Broadcasting Act:
(a)free‑to‑air nationwide television services;
(b)free‑to‑air localised television services;
(c)free‑to‑air international television services;
(d)subscription nationwide television services;
(e)subscription localised television services;
(f)subscription international television services;
(g)special interest television services;
(h)free‑to‑air nationwide radio services;
(i)free‑to‑air localised radio services;
(j)free‑to‑air international radio services;
(k)subscription nationwide radio services;
(l)subscription localised radio services;
(m)subscription international radio services;
(n)special interest radio services.
Part 3
LEGITIMATE INTERESTS
1.—(1)  Subject to sub‑paragraphs (2), (3) and (4) —
(a)the collection, use or disclosure (as the case may be) of personal data about an individual is in the legitimate interests of the organisation or another person; and
(b)the legitimate interests of the organisation or other person outweigh any adverse effect on the individual.
(2)  For the purposes of sub‑paragraph (1), the organisation must —
(a)conduct an assessment, before collecting, using or disclosing the personal data (as the case may be), to determine whether sub‑paragraph (1) is satisfied; and
(b)provide the individual with reasonable access to information about the organisation’s collection, use or disclosure of personal data (as the case may be) in accordance with sub‑paragraph (1).
(3)  The organisation must, in respect of the assessment mentioned in sub‑paragraph (2)(a) —
(a)identify any adverse effect that the proposed collection, use or disclosure (as the case may be) of personal data about an individual is likely to have on the individual;
(b)identify and implement reasonable measures —
(i)to eliminate the adverse effect;
(ii)to reduce the likelihood that the adverse effect will occur; or
(iii)to mitigate the adverse effect; and
(c)comply with any other prescribed requirements.
(4)  Sub‑paragraph (1) does not apply to the collection, use or disclosure of personal data about an individual for the purpose of sending to that individual or any other individual a message for an applicable purpose within the meaning given by section 37(6).
2.  The collection, use or disclosure (as the case may be) of personal data about an individual is necessary for evaluative purposes.
3.  The collection, use or disclosure (as the case may be) of personal data about an individual is necessary for any investigation or proceedings.
4.  The collection, use or disclosure (as the case may be) of personal data about an individual is necessary for the organisation —
(a)to recover a debt owed by the individual to the organisation; or
(b)to pay to the individual a debt owed by the organisation.
5.  The collection, use or disclosure (as the case may be) of personal data about an individual is necessary for the provision of legal services by the organisation to another person, or for the organisation to obtain legal services.
6.—(1)  Subject to sub‑paragraph (2), the collection, use or disclosure (as the case may be) of personal data about an individual —
(a)is for the purpose of the preparation by a credit bureau of a credit report; or
(b)relates to a credit report provided by a credit bureau to a member of the credit bureau in relation to a transaction between the member and the individual.
(2)  Sub‑paragraph (1) does not apply to a credit bureau that, being required to obtain a licence under any other written law, does not hold such a licence.
7.  The collection, use or disclosure (as the case may be) of personal data about an individual is to —
(a)confer an interest or a benefit on the individual under a private trust or benefit plan; and
(b)administer that trust or benefit plan, at the request of the settlor or the person establishing the benefit plan, as the case may be.
8.  The personal data about an individual —
(a)is provided to the organisation by another individual to enable the organisation to provide a service for the personal or domestic purposes of that other individual; and
(b)is collected, used or disclosed (as the case may be) by the organisation solely for the purpose in sub‑paragraph (a).
9.  The personal data about an individual —
(a)is included in a document produced in the course, and for the purposes, of the individual’s employment, business or profession; and
(b)is collected, used or disclosed (as the case may be) for purposes consistent with the purpose for which the document was produced.
10.  The personal data about an individual is collected, used or disclosed (as the case may be) by the organisation, and the collection, use or disclosure (as the case may be) of the personal data is reasonable for the purpose of or in relation to the organisation —
(a)entering into an employment relationship with the individual or appointing the individual to any office; or
(b)managing or terminating the employment relationship with or appointment of the individual.
Part 4
BUSINESS ASSET TRANSACTIONS
1.—(1)  Subject to the conditions in sub‑paragraphs (2), (3), (4) and (5), where an organisation (X) is a party or a prospective party to a business asset transaction with another organisation (Y), personal data about an applicable individual of Y —
(a)is collected from Y by X for the purposes of the business asset transaction;
(b)is used or disclosed by X in relation to the business asset transaction; or
(c)is disclosed by Y to X for the purposes of the business transaction.
(2)  Where the business asset transaction concerns any part of Y or Y’s business assets, the personal data mentioned in sub‑paragraph (1) must relate directly to that part of Y or Y’s business assets, as the case may be.
(3)  If X is a prospective party to the business asset transaction, the following conditions apply:
(a)X may collect, and Y may disclose, only personal data that is necessary for X to determine whether to proceed with the business asset transaction;
(b)X and Y must have entered into an agreement that requires X to use or disclose the personal data solely for purposes related to the business asset transaction.
(4)  If X enters into the business asset transaction, the following conditions apply:
(a)X may use or disclose the personal data X collected from Y only for the same purposes for which Y would have been permitted to use or disclose the personal data;
(b)if any personal data X collects from Y does not relate directly to the part of Y or Y’s business assets with which the business asset transaction entered into is concerned, X must destroy, or return to Y, that personal data;
(c)X or Y must notify the applicable individuals of Y whose personal data is disclosed that —
(i)the business asset transaction has taken place; and
(ii)the personal data about them has been disclosed to X.
(5)  If the business asset transaction does not proceed or is not completed, X must destroy, or return to Y, all personal data collected.
2.—(1)  Subject to the conditions in sub‑paragraphs (2), (3) and (4), where an organisation (X) is a party or a prospective party to a business asset transaction with another organisation (Y) in respect of Y’s interest in a third organisation (Z) (called in this paragraph the relevant transaction), personal data about an applicable individual of Z —
(a)is collected from Y or Z by X, or from Z by Y, for the purposes of the relevant transaction;
(b)is used or disclosed by X or Y in relation to the relevant transaction; or
(c)is disclosed by Y or Z (as the case may be) to X, or by Z to Y, for the purposes of the relevant transaction.
(2)  If X is a prospective party to the relevant transaction, the following conditions apply:
(a)where X collects the personal data mentioned in sub‑paragraph (1) from Y or Z —
(i)X may collect, and Y or Z (as the case may be) may disclose, only personal data that is necessary for X to determine whether to proceed with the relevant transaction; and
(ii)X and Y or Z (as the case may be) must have entered into an agreement that requires X to use or disclose the personal data solely for purposes related to the relevant transaction;
(b)where Y collects the personal data mentioned in sub‑paragraph (1) from Z —
(i)Y may collect, and Z may disclose, only personal data that is necessary for X or Y (as the case may be) to determine whether to proceed with the relevant transaction; and
(ii)Y and Z must have entered into an agreement that requires Y to use or disclose the personal data solely for purposes related to the relevant transaction.
(3)  If X enters into the relevant transaction, the following conditions apply:
(a)X may use or disclose the personal data collected from Y or Z (as the case may be) only for the same purposes for which Y or Z (as the case may be) would have been permitted to use or disclose the personal data;
(b)Y may use or disclose the personal data collected from Z only for the same purposes for which Z would have been permitted to use or disclose the personal data;
(c)X, Y or Z must notify the applicable individuals of Z whose personal data is disclosed that —
(i)the relevant transaction has taken place; and
(ii)the personal data about them has been disclosed to X.
(4)  If the relevant transaction does not proceed or is not completed —
(a)X must destroy, or return to Y or Z (as the case may be), all personal data collected; and
(b)Y must destroy, or return to Z, all personal data collected.
3.  In this Part —
“applicable individual”, in relation to an organisation, includes a contractor, a customer, a director, an employee, an officer or a shareholder of the organisation;
“business asset transaction” —
(a)means the purchase, sale, lease, merger or amalgamation or any other acquisition, disposal or financing of —
(i)an organisation or a portion of an organisation;
(ii)an interest in an organisation; or
(iii)any of the business or assets of an organisation, other than any personal data to be disclosed under paragraph 1(1) or 2(1), as the case may be; and
(b)includes —
(i)the amalgamation of a corporation with one or more related corporations; and
(ii)the transfer or disposal of any of the business or assets of a corporation to a related corporation;
“business trust” has the meaning given by section 2 of the Business Trusts Act (Cap. 31A);
“corporation” and “related corporation” have the meanings given by section 4(1) of the Companies Act (Cap. 50);
“interest” means —
(a)in relation to a corporation — a share in that corporation;
(b)in relation to an entity other than a corporation — any right or interest (whether legal or equitable) in that entity, by whatever name called;
(c)in relation to a business trust — a unit in that business trust; and
(d)in relation to a trust other than a business trust — any right or interest (whether legal or equitable) in that trust, by whatever name called.
Part 5
BUSINESS IMPROVEMENT PURPOSES
1.—(1)  Subject to the conditions in sub‑paragraphs (3), (4) and (5), personal data about an individual (P) —
(a)is collected by an organisation (X) that is a corporation from a related corporation (Y) for a purpose specified in sub‑paragraph (2) (called the relevant purpose);
(b)is used by X for a relevant purpose; or
(c)is disclosed by Y to X for a relevant purpose.
(2)  The relevant purposes mentioned in sub‑paragraph (1) are the following:
(a)improving or enhancing any goods or services provided, or developing new goods or services to be provided, by X or Y;
(b)improving or enhancing the methods or processes, or developing new methods or processes, for the operations of X or Y;
(c)learning about and understanding the behaviour and preferences of P or another individual in relation to the goods or services provided by X or Y;
(d)identifying any goods or services provided by X or Y that may be suitable for P or another individual, or personalising or customising any such goods or services for P or another individual.
(3)  Sub‑paragraph (1)(a) and (c) applies only if —
(a)the relevant purpose for which X collects, or Y discloses, personal data about P cannot reasonably be achieved without the collection, use or disclosure (as the case may be) of the personal data in an individually identifiable form;
(b)a reasonable person would consider the collection or disclosure of personal data about P for the relevant purpose to be appropriate in the circumstances; and
(c)X and Y are bound by any contract or other agreement or binding corporate rules requiring the recipient of personal data about P to implement and maintain appropriate safeguards for the personal data.
(4)  Sub‑paragraph (1)(b) applies only if —
(a)the relevant purpose for which X uses personal data about P cannot reasonably be achieved without the use of the personal data in an individually identifiable form; and
(b)a reasonable person would consider the use of personal data about P for the relevant purpose to be appropriate in the circumstances.
(5)  Where X collects from Y, and Y discloses to X, personal data about P for a purpose mentioned in sub‑paragraph (2)(c) or (d), P must be, at the time of the collection or disclosure, as the case may be —
(a)an existing customer of Y; and
(b)an existing customer or a prospective customer of X.
(6)  To avoid doubt, sub‑paragraph (1) does not apply to the collection, use or disclosure of personal data about P for the purpose of sending to P or another individual a message for an applicable purpose within the meaning given by section 37(6).
2.  In this Part —
“corporation” and “related corporation” have the meanings given by section 4(1) of the Companies Act;
“existing customer”, in relation to a corporation, means an individual who purchases, hires or uses, or has purchased, hired or used, any goods or services provided by the corporation;
“prospective customer of X” means an individual who, at the time mentioned in paragraph 1(5) —
(a)has informed X of the individual’s interest in purchasing, hiring or using any goods or services provided by X; or
(b)is conducting negotiations with X that lead or may lead to an agreement between the individual and X for the purchase, hire or use of any goods or services provided by X.”.
Repeal of Second, Third and Fourth Schedules and re‑enactment of Second Schedule
32.  The Second, Third and Fourth Schedules to the principal Act are repealed and the following Schedule substituted therefor:
SECOND SCHEDULE
Sections 2(1) and 17(1)
ADDITIONAL BASES FOR COLLECTION, USE AND
DISCLOSURE OF PERSONAL DATA WITHOUT CONSENT
Part 1
COLLECTION OF PERSONAL DATA
1.  The collection of personal data about an individual, if —
(a)the personal data was disclosed by a public agency; and
(b)the collection of the personal data by the organisation is consistent with the purpose of the disclosure by the public agency.
Part 2
USE OF PERSONAL DATA
Division 1Public interest
1.  The use of personal data about an individual, if —
(a)the personal data was disclosed by a public agency; and
(b)the use of the personal data by the organisation is consistent with the purpose of the disclosure by the public agency.
Division 2Business improvement purpose
1.—(1)  Subject to the conditions in sub‑paragraph (2), personal data about an individual (P) is used by the organisation for any of the following purposes:
(a)improving or enhancing any goods or services provided, or developing new goods or services to be provided, by the organisation;
(b)improving or enhancing the methods or processes, or developing new methods or processes, for the operations of the organisation;
(c)learning about and understanding the behaviour and preferences of P or another individual in relation to the goods or services provided by the organisation;
(d)identifying any goods or services provided by the organisation that may be suitable for P or another individual, or personalising or customising any such goods or services for P or another individual.
(2)  Sub‑paragraph (1) applies only if —
(a)the purpose for which the organisation uses personal data about P cannot reasonably be achieved without the use of the personal data in an individually identifiable form; and
(b)a reasonable person would consider the use of personal data about P for that purpose to be appropriate in the circumstances.
(3)  To avoid doubt, sub‑paragraph (1) does not apply to the use of personal data about P for the purpose of sending to P or another individual a message for an applicable purpose within the meaning given by section 37(6).
(4)  In this paragraph, “organisation” excludes a corporation within the meaning given by section 4(1) of the Companies Act.
Division 3Research
1.  The use of personal data about an individual for a research purpose (including historical or statistical research), if —
(a)the research purpose cannot reasonably be accomplished unless the personal data is used in an individually identifiable form;
(b)there is a clear public benefit to using the personal data for the research purpose;
(c)the results of the research will not be used to make any decision that affects the individual; and
(d)in the event that the results of the research are published, the organisation publishes the results in a form that does not identify the individual.
Part 3
DISCLOSURE OF PERSONAL DATA WITHOUT CONSENT
Division 1Public interest
1.  The disclosure of personal data about an individual to a public agency, where the disclosure is necessary in the public interest.
2.  The disclosure of personal data about an individual who is a current or former student of an educational institution to a public agency for the purposes of policy formulation or review.
3.  The disclosure of personal data about an individual who is a current or former patient of any of the following to a public agency for the purposes of policy formulation or review:
(a)a healthcare institution licensed under the Private Hospitals and Medical Clinics Act (Cap. 248);
(b)a licensee under the Healthcare Services Act 2020 (Act 3 of 2020);
(c)a prescribed healthcare body.
4.  The disclosure of personal data about any individual to any officer of a prescribed law enforcement agency, upon production of written authorisation signed by the head or director of that prescribed law enforcement agency or a person of a similar rank, certifying that the personal data is necessary for the purposes of the functions or duties of the officer.
Division 2Research
1.  The disclosure of personal data about an individual for a research purpose (including historical or statistical research), if —
(a)the research purpose cannot reasonably be accomplished unless the personal data is disclosed in an individually identifiable form;
(b)it is impracticable for the organisation to seek the consent of the individual for the disclosure;
(c)there is a clear public benefit to disclosing the personal data for the research purpose;
(d)the results of the research will not be used to make a decision that affects the individual; and
(e)in the event that the results of the research are published, the organisation publishes the results in a form that does not identify the individual.”.
Amendment of Fifth Schedule
33.  The Fifth Schedule to the principal Act is amended —
(a)by deleting the words “paragraph 1(e) of the Second Schedule, paragraph 1(e) of the Third Schedule or paragraph 1(f) of the Fourth Schedule, respectively” in paragraph 1(h) and substituting the words “paragraph 3 of Part 3 of the First Schedule”; and
(b)by inserting, immediately after paragraph 1, the following paragraph:
2.  For the purposes of paragraph 1(j)(i), the organisation may have regard to the number and frequency of requests received.”.
Amendment of Sixth Schedule
34.  Paragraph 1 of the Sixth Schedule to the principal Act is amended —
(a)by deleting the word “or” at the end of sub‑paragraph (d); and
(b)by deleting the full‑stop at the end of sub‑paragraph (e) and substituting the word “; or”, and by inserting immediately thereafter the following sub‑paragraph:
(f)derived personal data.”.
Amendment of Seventh Schedule
35.  The Seventh Schedule to the principal Act is amended —
(a)by deleting the Schedule reference and substituting the following Schedule reference:
Section 48P(5)”;
(b)by deleting the words “appeal proceedings under section 34” in paragraph 2A(3)(a) and substituting the words “proceedings relating to appeals”;
(c)by deleting the words “under section 34” in paragraphs 2A(3)(b), 2B(1) and 4(6);
(d)by deleting the words “appeal proceeding” in paragraph 6 and substituting the words “proceedings relating to any appeal”; and
(e)by inserting, immediately after paragraph 6, the following paragraph:
Definition
7.  In this Schedule, “appeal” means an appeal under —
(a)section 34 as in force immediately before the date of commencement of section 15 of the Personal Data Protection (Amendment) Act 2020; or
(b)section 48Q.”.
Amendment of Eighth Schedule
36.  The Eighth Schedule to the principal Act is amended —
(a)by deleting sub‑paragraph (e) of paragraph 1 and substituting the following sub‑paragraph:
(e)any message, other than a message mentioned in sub‑paragraph (d) —
(i)that is sent while the sender is in an ongoing relationship with the recipient of the message; and
(ii)the sole purpose of which relates to the subject matter of the ongoing relationship;”; and
(b)by renumbering paragraph 1 as sub‑paragraph (1) of that paragraph, and by inserting immediately thereafter the following sub‑paragraph:
(2)  In sub‑paragraph (1)(e), “ongoing relationship” means a relationship, on an ongoing basis, between the sender and the recipient of the message, arising from the carrying on or conduct of a business or an activity (commercial or otherwise) by the sender.”.
Amendment of Ninth Schedule
37.  The Ninth Schedule to the principal Act is amended by inserting, immediately after paragraph 1, the following paragraph:
Power to require provision of information, etc.
1A.—(1)  For the purposes of an investigation under section 50, the Commission or an inspector may do all or any of the following:
(a)require, by written notice, any person whom the Commission or inspector reasonably believes has any information, or any document in the person’s custody or control, that is relevant to the investigation, to provide that information or produce that document, within the time and in the manner specified in the written notice;
(b)require, by written notice, any person within the limits of Singapore, who appears to be acquainted with the facts or circumstances of the matter, to attend before the Commission or inspector;
(c)examine orally any person who appears to be acquainted with the facts or circumstances of the matter.
(2)  A person examined under sub‑paragraph (1)(c) is bound to state truly the facts and circumstances with which the person is acquainted concerning the matter except that the person need not say anything that might expose the person to a criminal charge, penalty or forfeiture.
(3)  A statement made by a person examined under sub‑paragraph (1)(c) must —
(a)be reduced to writing;
(b)be read over to the person;
(c)if the person does not understand English, be interpreted in a language that the person understands; and
(d)after correction (if necessary), be signed by the person.”.
New Tenth and Eleventh Schedules
38.  The principal Act is amended by inserting, immediately after the Ninth Schedule, the following Schedules:
TENTH SCHEDULE
Section 37(6)
APPLICABLE PURPOSES
1.Offering to supply goods or services.
2.Advertising or promoting goods or services.
3.Advertising or promoting a supplier, or prospective supplier, of goods or services.
4.Offering to supply land or an interest in land.
5.Advertising or promoting land or an interest in land.
6.Advertising or promoting a supplier, or prospective supplier, of land or an interest in land.
7.Offering to provide a business opportunity or an investment opportunity.
8.Advertising or promoting a business opportunity or an investment opportunity.
9.Advertising or promoting a provider, or prospective provider, of a business opportunity or an investment opportunity.
ELEVENTH SCHEDULE
Section 48F(4)
SPECIFIED PURPOSES
1.  Testing the effectiveness of the anonymisation of personal data in the possession or under the control of an organisation or a public agency, as the case may be.
2.  Testing the integrity and confidentiality of anonymised information in the possession or under the control of an organisation or a public agency, as the case may be.
3.  Assessing, testing or evaluating the systems and processes of an organisation or a public agency for ensuring or safeguarding the integrity and confidentiality of anonymised information —
(a)in the possession or under the control of the organisation or public agency; or
(b)transmitted or received by the organisation or public agency.”.
New Twelfth Schedule
39.  The principal Act, as amended by section 38, is amended by inserting, immediately after the Eleventh Schedule, the following Schedule:
TWELFTH SCHEDULE
Section 26H(5)
EXCEPTIONS TO DATA PORTABILITY
Part 1
EXCLUDED APPLICABLE DATA
1.  A porting organisation is not required to transmit under section 26H(2) any of the following applicable data:
(a)opinion data kept solely for an evaluative purpose;
(b)a document related to a prosecution if all proceedings related to the prosecution have not been completed;
(c)personal data which is subject to legal privilege;
(d)personal data which, if disclosed, would reveal confidential commercial information that could, in the opinion of a reasonable person, harm the competitive position of the organisation;
(e)personal data collected, used or disclosed without consent, under paragraph 3 of Part 3 of the First Schedule for the purposes of an investigation if the investigation and associated proceedings and appeals have not been completed;
(f)derived personal data.
Part 2
EXCLUDED CIRCUMSTANCES
1.  A porting organisation is not required to transmit any applicable data under section 26H(2) in any of the following circumstances:
(a)transmitting the applicable data will unreasonably interfere with the operations of the porting organisation because of the repetitious or systematic nature of the data porting request;
(b)the burden or expense of transmitting the applicable data is unreasonable to the porting organisation or disproportionate to the individual’s interests;
(c)the data porting request relates to applicable data that —
(i)does not exist or cannot be found; or
(ii)is trivial;
(d)the data porting request is frivolous or vexatious.
2.  For the purposes of paragraph 1(a), the organisation may have regard to the number and frequency of data porting requests received in respect of the applicable data.”.
Related amendments to Monetary Authority of Singapore Act
40.  Section 14 of the Monetary Authority of Singapore Act (Cap. 186, 1999 Ed.) is repealed and the following sections substituted therefor:
Interpretation of sections 14A, 14B and 14C
14.  In sections 14A, 14B and 14C —
“gain” means —
(a)a gain in property or a supply of services, whether temporary or permanent; or
(b)an opportunity to earn remuneration or greater remuneration or to gain a financial advantage otherwise than by way of remuneration;
“generally available information” means information that consists of readily observable matter, including information that consists of deductions, conclusions or inferences made or drawn from readily observable matter;
“harm”, in relation to an individual, means —
(a)any physical harm; or
(b)harassment, alarm or distress caused to the individual;
“loss” means —
(a)a loss in property or a supply of services, whether temporary or permanent; or
(b)a loss of an opportunity to earn remuneration or greater remuneration or to gain a financial advantage otherwise than by way of remuneration,
but excludes, in relation to an individual, the loss of personal data about the individual;
“personal data” has the meaning given by section 2(1) of the Personal Data Protection Act 2012 (Act 26 of 2012);
“prescribed circumstances” or “prescribed purpose” means any circumstances or purpose prescribed in regulations made under section 14D.
Preservation of secrecy
14A.—(1)  Subject to subsection (3), an individual who is or has been a director or an officer or employee of the Authority must not disclose to any person any information which the individual acquired in the performance of the individual’s duties or the exercise of the individual’s functions.
(2)  Subject to subsection (3), a person who is or has been —
(a)a contractor supplying goods or services to the Authority;
(b)a consultant or an agent of the Authority; or
(c)an employee of a person mentioned in paragraph (a) or (b),
must not disclose to any other person any information (other than personal data about an individual) which the firstmentioned person acquired in the performance of that person’s duties or the exercise of that person’s functions.
(3)  Subsection (1) or (2) does not apply if the individual or person (as the case may be) (P) discloses the information concerned —
(a)for the purpose of performing P’s duties or exercising P’s functions;
(b)as authorised by the Authority;
(c)as permitted or required by or under any written law;
(d)as authorised or required under an order of court; or
(e)in any other prescribed circumstances or for any other prescribed purpose.
(4)  To avoid doubt, subsection (3) does not affect any obligation or limitation imposed on, or prohibition of, the disclosure of personal data in the possession or under the control of the Authority by or under any other written law or other law.
(5)  An individual who contravenes subsection (1), or a person who contravenes subsection (2), shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $20,000 or to imprisonment for a term not exceeding 2 years or to both.
Improper use of information
14B.—(1)  If —
(a)an individual makes use of any information in the possession or under the control of the Authority which the individual acquired in the performance of the individual’s duties or the exercise of the individual’s functions;
(b)the use is not authorised by the Authority;
(c)the individual is or has been a director or an officer or employee of the Authority;
(d)the individual does so —
(i)knowing that the use is not authorised by the Authority; or
(ii)reckless as to whether the use is or is not authorised by the Authority; and
(e)the individual, as a result of that use —
(i)obtains a gain for the individual or another person;
(ii)causes harm to another individual; or
(iii)causes a loss to another person,
the individual shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $20,000 or to imprisonment for a term not exceeding 2 years or to both.
(2)  If —
(a)a person makes use of information (other than personal data about an individual) in the possession or under the control of the Authority which the person acquired in the performance of the person’s duties or the exercise of the person’s functions;
(b)the use is not authorised by the Authority;
(c)the person is or has been —
(i)a contractor supplying goods or services to the Authority;
(ii)a consultant or an agent of the Authority; or
(iii)an individual who is an employee of a person mentioned in sub‑paragraph (i) or (ii);
(d)the person does so —
(i)knowing that the use is not authorised by the Authority; or
(ii)reckless as to whether the use is or is not authorised by the Authority; and
(e)the person, as a result of that use —
(i)obtains a gain for the person or another person;
(ii)causes harm to an individual; or
(iii)causes a loss to another person,
the person shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $20,000 or to imprisonment for a term not exceeding 2 years or to both.
(3)  In proceedings for an offence under subsection (1) or (2), it is a defence to the charge for the defendant to prove, on a balance of probabilities, any of the following:
(a)that the information in the possession or under the control of the Authority was, at the time of its use by the defendant, generally available information;
(b)the defendant used the information in the possession or under the control of the Authority —
(i)as permitted or required by or under an Act or other law;
(ii)as authorised or required by an order of court; or
(iii)in any other prescribed circumstances or for any other prescribed purpose.
(4)  To avoid doubt, subsection (3) does not affect any obligation or limitation imposed on, or prohibition of, the use of personal data in the possession or under the control of the Authority by or under any other written law or other law.
Unauthorised re-identification of anonymised information
14C.—(1)  If —
(a)an individual takes any action to re-identify or cause re‑identification of a person to whom anonymised information in the possession of or under the control of the Authority relates (called in this section the affected person);
(b)the re‑identification is not authorised by the Authority;
(c)the individual is or has been a director or an officer or employee of the Authority; and
(d)the individual does so —
(i)knowing that the re-identification is not authorised by the Authority; or
(ii)reckless as to whether the re-identification is or is not authorised by the Authority,
the individual shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $20,000 or to imprisonment for a term not exceeding 2 years or to both.
(2)  In proceedings for an offence under subsection (1), it is a defence to the charge for the defendant to prove, on a balance of probabilities, any of the following:
(a)that the information on the identity of the affected person is publicly available;
(b)the action to re‑identify or cause re‑identification is —
(i)permitted or required by or under an Act or other law;
(ii)authorised or required by an order of court; or
(iii)in any other prescribed circumstances or for any other prescribed purpose;
(c)the defendant —
(i)reasonably believed that the re‑identification was for a specified purpose; and
(ii)notified the Authority of the re‑identification as soon as was practicable.
(3)  To avoid doubt, subsection (2) does not affect any obligation or limitation imposed on, or prohibition of, the re‑identification of the affected person by or under any other written law or other law.
(4)  In this section —
“anonymised information” means any information which is in anonymised or de-identified form;
“specified purpose” means any purpose specified in the Eleventh Schedule to the Personal Data Protection Act 2012.
Power of Authority to make regulations for sections 14A, 14B and 14C
14D.  The Authority may make regulations to prescribe anything which may be prescribed for the purposes of sections 14A, 14B and 14C.”.
Related amendments to Spam Control Act
41.  The Spam Control Act (Cap. 311A, 2008 Ed.) is amended —
(a)by inserting, immediately after the words “electronic mail address” in the definition of “electronic address” in section 2, the words “, an instant messaging account”;
(b)by inserting, immediately after the definition of “electronic address” in section 2, the following definitions:
“ “instant messaging account” means an account of a user of an instant messaging service;
“instant messaging service” means a messaging service that allows a user to exchange messages with other users who are using the service concurrently;”;
(c)by inserting, immediately after section 4, the following section:
Electronic messages sent to instant messaging accounts
4A.  For the purposes of this Act —
(a)where an electronic message is sent to an instant messaging account; and
(b)the name used to identify, or which is associated with, that instant messaging account is an electronic mail address or a mobile telephone number,
the electronic message is not a message sent to the electronic mail address or mobile telephone number (as the case may be) mentioned in paragraph (b).”;
(d)by deleting sub‑paragraph (ii) of section 7(2)(b) and substituting the following sub‑paragraph:
(ii)an entity —
(A)which is formed or recognised under the law of Singapore; or
(B)which has an office or a place of business in Singapore;”;
(e)by repealing section 8 and substituting the following section:
Application of this Part
8.—(1)  Subject to subsection (2), this Part applies to all electronic messages, whether or not they are unsolicited commercial electronic messages.
(2)  This Part does not apply to any electronic message sent to a mobile telephone number.”;
(f)by deleting the word “Every” in paragraph 3(1) of the Second Schedule and substituting the words “Subject to sub‑paragraph (3), every”; and
(g)by inserting, immediately after sub‑paragraph (2) of paragraph 3 of the Second Schedule, the following sub‑paragraph:
(3)  Sub‑paragraph (1) does not apply to any unsolicited commercial electronic message that is sent to an instant messaging account.”.
Consequential amendment to Supreme Court of Judicature Act
42.  The Sixth Schedule to the Supreme Court of Judicature Act (Cap. 322, 2007 Ed.), as amended by section 23 of the Supreme Court of Judicature (Amendment) Act 2019 (Act 40 of 2019), is amended by deleting sub‑paragraph (vii) of paragraph 1(i) and substituting the following sub‑paragraph:
(vii)section 35(4) of the Personal Data Protection Act 2012 (Act 26 of 2012) before the date of commencement of section 15 of the Personal Data Protection (Amendment) Act 2020, or section 48R(4) of the Personal Data Protection Act 2012;”.
Related amendments to Public Sector (Governance) Act 2018
43.—(1)  Section 7 of the Public Sector (Governance) Act 2018 (Act 5 of 2018) is amended —
(a)by deleting subsection (2) and substituting the following subsection:
(2)  In proceedings for an offence under subsection (1), it is a defence for the defendant to prove, on a balance of probabilities, any of the following:
(a)the information under the control of the Singapore public sector agency was, at the time of its disclosure by the defendant, generally available information;
(b)the defendant disclosed or caused the disclosure of information under the control of a Singapore public sector agency —
(i)as permitted or required by or under an Act or other law (apart from this Act);
(ii)as authorised or required by an order of court; or
(iii)in any other circumstances, or for any other purpose, prescribed.”;
(b)by deleting subsections (3) and (4) and substituting the following subsections:
(3)  If —
(a)an individual makes use of information under the control of a Singapore public sector agency (A);
(b)the use is not authorised by any data sharing direction given to A;
(c)the individual is a relevant public official of A or another Singapore public sector agency at the time of the use;
(d)the individual does so —
(i)knowing that the use is not in accordance with such a data sharing direction; or
(ii)reckless as to whether the use is or is not in accordance with such a data sharing direction; and
(e)the individual as a result of that use —
(i)obtains a gain for the individual or another person;
(ii)causes harm to another individual; or
(iii)causes a loss to another person,
the individual shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $5,000 or to imprisonment for a term not exceeding 2 years or to both.
(3A)  If —
(a)an individual makes use of information (other than personal data) under the control of a Singapore public sector agency (A);
(b)the use is not authorised by A;
(c)the individual is —
(i)a contractor supplying goods or services to A or to another Singapore public sector agency; or
(ii)an employee of a person who is a contractor supplying goods or services to A or to another Singapore public sector agency;
(d)the individual does so —
(i)knowing that the use is not authorised by A; or
(ii)reckless as to whether the use is or is not authorised by A; and
(e)the individual, as a result of that use —
(i)obtains a gain for the individual or another person;
(ii)causes harm to another individual; or
(iii)causes a loss to another person,
the individual shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $5,000 or to imprisonment for a term not exceeding 2 years or to both.
(4)  In proceedings for an offence under subsection (3) or (3A), it is a defence for the defendant to prove, on a balance of probabilities, any of the following:
(a)that the information under the control of A that was used was, at the time of its use, generally available information;
(b)the defendant used the information under the control of A —
(i)as permitted or required by or under an Act or other law (apart from this Act);
(ii)as authorised or required by an order of court; or
(iii)in any other circumstances, or for any other purpose, prescribed.
(4A)  To avoid doubt, subsection (2) or (4) does not affect any obligation or limitation imposed on, or prohibition of, the disclosure or use of information under the control of a Singapore public sector agency by or under any other written law or other law.”; and
(c)by inserting, immediately after the definition of “generally available information” in subsection (5), the following definitions:
“ “harm”, in relation to an individual, means —
(a)any physical harm; or
(b)harassment, alarm or distress caused to the individual;
“loss” means —
(a)a loss in property or a supply of services, whether temporary or permanent; or
(b)a loss of an opportunity to earn remuneration or greater remuneration or to gain a financial advantage otherwise than by way of remuneration,
but excludes, in relation to an individual, the loss of personal data about the individual;
“personal data” has the meaning given by section 2(1) of the Personal Data Protection Act 2012 (Act 26 of 2012);”.
(2)  Section 8 of the Public Sector (Governance) Act 2018 is amended —
(a)by deleting the word “or” at the end of subsection (2)(a);
(b)by deleting the word “or” at the end of subsection (2)(b)(i);
(c)by deleting the full‑stop at the end of sub‑paragraph (ii) of subsection (2)(b) and substituting the word “; or”, and by inserting immediately thereafter the following sub‑paragraph:
(iii)in any other circumstances, or for any other purpose, prescribed; or”;
(d)by inserting, immediately after paragraph (b) of subsection (2), the following paragraph:
(c)the accused —
(i)reasonably believed that the re‑identification was for a specified purpose; and
(ii)notified either of the following agencies of the re‑identification as soon as was practicable:
(A)the Singapore public sector agency;
(B)the Government Technology Agency.”;
(e)by inserting, immediately after subsection (2), the following subsection:
(2A)  To avoid doubt, subsection (2) does not affect any obligation or limitation imposed on, or prohibition of, the re‑identification of anonymised information under the control of a Singapore public sector agency by or under any other written law or other law.”;
(f)by inserting, immediately after the definition of “anonymised information” in subsection (3), the following definitions:
“ “Government Technology Agency” means the Government Technology Agency established by section 3 of the Government Technology Agency Act 2016 (Act 23 of 2016);
“personal data” has the meaning given by section 2(1) of the Personal Data Protection Act 2012;”; and
(g)by deleting the full‑stop at the end of the definition of “relevant public official” in subsection (3) and substituting a semi‑colon, and by inserting immediately thereafter the following definition:
“ “specified purpose” means any purpose specified in the Eleventh Schedule to the Personal Data Protection Act 2012.”.
Consequential amendment to Healthcare Services Act 2020
44.  Section 59 of the Healthcare Services Act 2020 (Act 3 of 2020) is amended by deleting subsection (8).
Consequential amendment to Supreme Court of Judicature (Amendment) Act 2019
45.  Item 115 of the Schedule to the Supreme Court of Judicature (Amendment) Act 2019 (Act 40 of 2019) is deleted.
Saving and transitional provisions
46.—(1)  A specified direction given by the Commission before the appointed day, and which is not withdrawn before the appointed day, continues to be in force as if sections 15 and 23 had not been enacted.
(2)  Parts VII and VIII of the principal Act as in force immediately before the appointed day continue to apply to or in relation to a specified direction as if sections 15 and 23 had not been enacted.
(3)  Section 31 of the principal Act as in force immediately before the appointed day continues to apply as if sections 15 and 23 had not been enacted, where an application is made (whether before, on or after the appointed day) to the Commission to reconsider any of the following:
(a)a direction made by the Commission under section 27(2) or 29(1) or (2) of the principal Act before the appointed day;
(b)a direction or decision made by the Commission under section 28(2) of the principal Act before the appointed day.
(4)  Section 34 of the principal Act as in force immediately before the appointed day continues to apply as if sections 15 and 23 had not been enacted, where an appeal to an Appeal Committee is made (whether before, on or after the appointed day) against any of the following:
(a)a direction made by the Commission under section 27(2) or 29(1) or (2) of the principal Act before the appointed day;
(b)a direction or decision made by the Commission under section 28(2) of the principal Act before the appointed day;
(c)a decision made by the Commission under section 31(4)(b) of the principal Act (whether before, on or after the appointed day) in relation to any direction or decision mentioned in paragraph (a) or (b).
(5)  Section 35 of the principal Act as in force immediately before the appointed day continues to apply as if sections 15 and 23 had not been enacted, where an appeal is made (whether before, on or after the appointed day) against or with respect to a direction or decision of an Appeal Committee made under section 34(4) of the principal Act before the appointed day or under section 34(4) as continued by subsection (4).
(6)  For the purposes of subsections (4) and (5), in relation to an appeal made on or after the appointed day under section 34 of the principal Act as in force immediately before the appointed day (as applied by subsection (4)) —
(a)a reference to the Chairman of the Appeal Panel is a reference to the Chairman of the Appeal Panel mentioned in subsection (8) or appointed under section 48P(3) of the principal Act as amended by this Act; and
(b)a reference to the Appeal Committee is a reference to an Appeal Committee constituted before the appointed day under section 33(4) of, read with the Seventh Schedule to, the principal Act as in force immediately before that day or under section 48P(4) of, read with the Seventh Schedule to, the principal Act as amended by this Act.
(7)  A person who is a member of the Appeal Panel immediately before the appointed day continues to be a member of the Appeal Panel as if the person were appointed under section 48P(2) of the principal Act as amended by this Act, until the expiry, or earlier revocation of or resignation from, that appointment.
(8)  The person who is the Chairman of the Appeal Panel immediately before the appointed day continues to be the Chairman of the Appeal Panel as if the person were appointed under section 48P(3) of the principal Act as amended by this Act, until the expiry, or earlier revocation of or resignation from, that appointment.
(9)  An Appeal Committee constituted to hear an appeal before the appointed day continues on and after the appointed day as the Appeal Committee for that appeal, in accordance with the Seventh Schedule to the principal Act as in force immediately before that day.
(10)  Where no Appeal Committee has been constituted before the appointed day for the purpose of hearing an appeal mentioned in subsection (4), an Appeal Committee may be constituted on or after the appointed day under section 48P(4) of the principal Act as amended by this Act for that purpose.
(11)  A reference in section 58, 59 and 60 of the principal Act, on or after the appointed day —
(a)to the Appeal Panel includes a reference to the Appeal Panel validly established before the appointed day; and
(b)to an Appeal Committee includes a reference to an Appeal Committee validly constituted before the appointed day.
(12)  For a period of 2 years after the date of commencement of any provision of this Act, the Minister may, by regulations, prescribe such additional provisions of a saving or transitional nature consequent on the enactment of that provision as the Minister may consider necessary or expedient.
(13)  In this section —
“appointed day” means the date of commencement of sections 15 and 23 of the Personal Data Protection (Amendment) Act 2020;
“specified direction” means —
(a)a direction made by the Commission under section 27(2) or 29(1) or (2) of the principal Act before the appointed day;
(b)a direction or decision made by the Commission under section 28(2) of the principal Act before the appointed day; or
(c)a decision made by the Commission under section 31(4)(b) of the principal Act before the appointed day.