Personal Data Protection Act 2012

Source: Singapore Statutes Online | Archived by Legal Wires


Personal Data Protection Act 2012
2020 REVISED EDITION
This revised edition incorporates all amendments up to and including 1 December 2021 and comes into operation on 31 December 2021
An Act to govern the collection, use and disclosure of personal data by organisations, and to establish the Do Not Call Register and to provide for its administration, and for matters connected therewith.
[22/2016]
[2 January 2013: Parts I, II, VIII, IX (except sections 36 to 38, 41 and 43 to 48) and X (except section 67(1)), and the First, Seventh and Ninth Schedules;
2 December 2013: Sections 36, 37, 38 and 41;
2 January 2014: Sections 43 to 48 and 67(1) and the Eighth Schedule;
2 July 2014: Parts III to VII, and the Second to Sixth Schedules]
PART 1
PRELIMINARY
Short title
1.  This Act is the Personal Data Protection Act 2012.
Interpretation
2.—(1)  In this Act, unless the context otherwise requires —
“advisory committee” means an advisory committee appointed under section 7;
“Appeal Committee” means a Data Protection Appeal Committee constituted under section 48P(4), read with the Seventh Schedule;
“Appeal Panel” means the Data Protection Appeal Panel established by section 48P(1);
“authorised officer”, in relation to the exercise of any power or performance of any function or duty under any provision of this Act, means a person to whom the exercise of that power or performance of that function or duty under that provision has been delegated under section 38 of the Info‑communications Media Development Authority Act 2016;
“Authority” means the Info‑communications Media Development Authority established by section 3 of the Info‑communications Media Development Authority Act 2016;
“benefit plan” means an insurance policy, a pension plan, an annuity, a provident fund plan or other similar plan;
“business” includes the activity of any organisation, whether or not carried on for purposes of gain, or conducted on a regular, repetitive or continuous basis, but does not include an individual acting in his or her personal or domestic capacity;
“business contact information” means an individual’s name, position name or title, business telephone number, business address, business electronic mail address or business fax number and any other similar information about the individual, not provided by the individual solely for his or her personal purposes;
“Chief Executive”, in relation to the Authority, means the Chief Executive of the Authority appointed under section 40(2) of the Info‑communications Media Development Authority Act 2016, and includes any individual acting in that capacity;
“Commission” means the person designated as the Personal Data Protection Commission under section 5 to be responsible for the administration of this Act;
“Commissioner” means the Commissioner for Personal Data Protection appointed under section 8(1)(a), and includes any Deputy Commissioner for Personal Data Protection or Assistant Commissioner for Personal Data Protection appointed under section 8(1)(b);
“credit bureau” means an organisation which —
(a) provides credit reports for gain or profit; or
(b) provides credit reports on a routine, non‑profit basis as an ancillary part of a business carried on for gain or profit;
“credit report” means a communication, whether in written, oral or other form, provided to an organisation to assess the creditworthiness of an individual in relation to a transaction between the organisation and the individual;
“data intermediary” means an organisation which processes personal data on behalf of another organisation but does not include an employee of that other organisation;
“derived personal data” —
(a) means personal data about an individual that is derived by an organisation in the course of business from other personal data, about the individual or another individual, in the possession or under the control of the organisation; but
(b) does not include personal data derived by the organisation using any prescribed means or method;
“document” includes information recorded in any form;
“domestic” means related to home or family;
“education institution” means an organisation that provides education, including instruction, training or teaching, whether by itself or in association or collaboration with, or by affiliation with, any other person;
“employee” includes a volunteer;
“employment” includes working under an unpaid volunteer work relationship;
“evaluative purpose” means —
(a) the purpose of determining the suitability, eligibility or qualifications of the individual to whom the data relates —
(i) for employment or for appointment to office;
(ii) for promotion in employment or office or for continuance in employment or office;
(iii) for removal from employment or office;
(iv) for admission to an education institution;
(v) for the awarding of contracts, awards, bursaries, scholarships, honours or other similar benefits;
(vi) for selection for an athletic or artistic purpose; or
(vii) for grant of financial or social assistance, or the delivery of appropriate health services, under any scheme administered by a public agency;
(b) the purpose of determining whether any contract, award, bursary, scholarship, honour or other similar benefit should be continued, modified or cancelled;
(c) the purpose of deciding whether to insure any individual or property or to continue or renew the insurance of any individual or property; or
(d) such other similar purposes as the Minister may prescribe;
“individual” means a natural person, whether living or deceased;
“inspector” means an individual appointed as an inspector under section 8(1)(b);
“investigation” means an investigation relating to —
(a) a breach of an agreement;
(b) a contravention of any written law, or any rule of professional conduct or other requirement imposed by any regulatory authority in exercise of its powers under any written law; or
(c) a circumstance or conduct that may result in a remedy or relief being available under any law;
“national interest” includes national defence, national security, public security, the maintenance of essential services and the conduct of international affairs;
“organisation” includes any individual, company, association or body of persons, corporate or unincorporated, whether or not —
(a) formed or recognised under the law of Singapore; or
(b) resident, or having an office or a place of business, in Singapore;
“personal data” means data, whether true or not, about an individual who can be identified —
(a) from that data; or
(b) from that data and other information to which the organisation has or is likely to have access;
“prescribed healthcare body” means a healthcare body prescribed for the purposes of the Second Schedule by the Minister charged with the responsibility for health;
“prescribed law enforcement agency” means an authority charged with the duty of investigating offences or charging offenders under written law, prescribed for the purposes of sections 21(4) and 26D(6) and the Second Schedule by the Minister charged with the responsibility for that authority;
“private trust” means a trust for the benefit of one or more designated individuals who are the settlor’s friends or family members;
“proceedings” means any civil, criminal or administrative proceedings by or before a court, tribunal or regulatory authority that is related to the allegation of —
(a) a breach of an agreement;
(b) a contravention of any written law or any rule of professional conduct or other requirement imposed by any regulatory authority in exercise of its powers under any written law; or
(c) a wrong or a breach of a duty for which a remedy is claimed under any law;
“processing”, in relation to personal data, means the carrying out of any operation or set of operations in relation to the personal data, and includes any of the following:
(a) recording;
(b) holding;
(c) organisation, adaptation or alteration;
(d) retrieval;
(e) combination;
(f) transmission;
(g) erasure or destruction;
“public agency” includes —
(a) the Government, including any ministry, department, agency, or organ of State;
(b) any tribunal appointed under any written law; or
(c) any statutory body specified under subsection (2);
“publicly available”, in relation to personal data about an individual, means personal data that is generally available to the public, and includes personal data which can be observed by reasonably expected means at a location or an event —
(a) at which the individual appears; and
(b) that is open to the public;
“relevant body” means the Commission, the Appeal Panel or any Appeal Committee;
“tribunal” includes a judicial or quasi‑judicial body or a disciplinary, an arbitral or a mediatory body;
“user activity data”, in relation to an organisation, means personal data about an individual that is created in the course or as a result of the individual’s use of any product or service provided by the organisation;
“user‑provided data”, in relation to an organisation, means personal data provided by an individual to the organisation.
[22/2016; 40/2020]
(2)  The Minister may, by notification in the Gazette, specify any statutory body established under a public Act for a public function to be a public agency for the purposes of this Act.
Purpose
3.  The purpose of this Act is to govern the collection, use and disclosure of personal data by organisations in a manner that recognises both the right of individuals to protect their personal data and the need of organisations to collect, use or disclose personal data for purposes that a reasonable person would consider appropriate in the circumstances.
Application of Act
4.—(1)  Parts 3, 4, 5, 6, 6A and 6B do not impose any obligation on —
(a) any individual acting in a personal or domestic capacity;
(b) any employee acting in the course of his or her employment with an organisation;
(c) any public agency; or
(d) any other organisations or personal data, or classes of organisations or personal data, prescribed for the purposes of this provision.
[40/2020]
(2)  Parts 3, 4, 5, 6 (except sections 24 and 25), 6A (except sections 26C(3)(a) and 26E) and 6B do not impose any obligation on a data intermediary in respect of its processing of personal data on behalf of and for the purposes of another organisation pursuant to a contract which is evidenced or made in writing.
[40/2020]
(3)  An organisation has the same obligation under this Act in respect of personal data processed on its behalf and for its purposes by a data intermediary as if the personal data were processed by the organisation itself.
(4)  This Act does not apply in respect of —
(a) personal data about an individual that is contained in a record that has been in existence for at least 100 years; or
(b) personal data about a deceased individual, except that the provisions relating to the disclosure of personal data and section 24 (protection of personal data) apply in respect of personal data about an individual who has been dead for 10 years or less.
(5)  Except where business contact information is expressly mentioned, Parts 3, 4, 5, 6 and 6A do not apply to business contact information.
[40/2020]
(6)  Unless otherwise expressly provided in this Act —
(a) nothing in Parts 3, 4, 5, 6, 6A and 6B affects any authority, right, privilege or immunity conferred, or obligation or limitation imposed, by or under the law, including legal privilege, except that the performance of a contractual obligation is not an excuse for contravening this Act; and
(b) the provisions of other written law prevail to the extent that any provision of Parts 3, 4, 5, 6, 6A and 6B is inconsistent with the provisions of that other written law.
[40/2020]
PART 2
PERSONAL DATA PROTECTION COMMISSION AND ADMINISTRATION
Personal Data Protection Commission
5.—(1)  The Info‑communications Media Development Authority is designated as the Personal Data Protection Commission.
[22/2016]
(2)  The Personal Data Protection Commission is responsible for the administration of this Act.
[22/2016]
Functions of Commission
6.  The functions of the Commission are —
(a) to promote awareness of data protection in Singapore;
(b) to provide consultancy, advisory, technical, managerial or other specialist services relating to data protection;
(c) to advise the Government on all matters relating to data protection;
(d) to represent the Government internationally on matters relating to data protection;
(e) to conduct research and studies and promote educational activities relating to data protection, including organising and conducting seminars, workshops and symposia relating thereto, and supporting other organisations conducting such activities;
(f) to manage technical cooperation and exchange in the area of data protection with other organisations, including foreign data protection authorities and international or inter‑governmental organisations, on its own behalf or on behalf of the Government;
(g) to administer and enforce this Act;
(h) to carry out functions conferred on the Commission under any other written law; and
(i) to engage in such other activities and perform such functions as the Minister may permit or assign to the Commission by order in the Gazette.
Advisory committees
7.—(1)  The Minister may appoint one or more advisory committees to provide advice to the Commission with regard to the performance of any of its functions under this Act.
(2)  The Commission may consult such advisory committees in relation to the performance of its functions and duties and the exercise of its powers under this Act but is not bound by such consultation.
Delegation
8.—(1)  The Commission may appoint, by name or office, from among public officers and the employees of the Authority —
(a) the Commissioner for Personal Data Protection; and
(b) such number of Deputy Commissioners for Personal Data Protection, Assistant Commissioners for Personal Data Protection and inspectors, as the Commission considers necessary.
[22/2016]
(2)  Where any function, duty or power of the Commission under this Act is delegated to the Commissioner under section 38 of the Info‑communications Media Development Authority Act 2016 —
(a) the Commissioner must perform that function or duty, or exercise that power, in his or her name;
(b) the Commission must not perform that function or duty, or exercise that power, during the period when the delegation is in force; and
(c) the Commission must, as soon as practicable after the delegation, publish a notice of the delegation in the Gazette.
[22/2016]
(3)  In exercising any of the powers of enforcement under this Act, an authorised officer must on demand produce to the person against whom he or she is acting the authority issued to him or her by the Commission.
Conduct of proceedings
9.—(1)  An individual appointed under section 8(1) or an employee of the Authority, who is authorised in writing by the Chief Executive of the Authority for the purpose of this section, may conduct, with the authorisation of the Public Prosecutor, proceedings in respect of an offence under this Act.
[22/2016]
(2)  A legal counsel of the Commission who is an advocate and solicitor may —
(a) appear in any civil proceedings involving the performance of any function or duty, or the exercise of any power, of the Commission under any written law; and
(b) make all applications and do all acts in respect of the civil proceedings on behalf of the Commission or an authorised officer.
[22/2016]
Cooperation agreements
10.—(1)  For the purposes of section 59, a cooperation agreement is an agreement for the purposes of —
(a) facilitating cooperation between the Commission and another regulatory authority in the performance of their respective functions in so far as those functions relate to data protection; and
(b) avoiding duplication of activities by the Commission and another regulatory authority, being activities involving the enforcement of data protection laws.
[22/2016]
(2)  A cooperation agreement may include provisions —
(a) to enable the Commission and the other regulatory authority to provide to each other information in their respective possession if the information is required by the other for the purpose of performance by it of any of its functions;
(b) to provide such other assistance to each other as will facilitate the performance by the other of any of its functions; and
(c) to enable the Commission and the other regulatory authority to forbear to perform any of their respective functions in relation to a matter in circumstances where it is satisfied that the other is performing functions in relation to that matter.
(3)  The Commission must not provide any information to a foreign data protection body pursuant to a cooperation agreement unless it requires of, and obtains from, that body an undertaking in writing by it that it will comply with terms specified in that requirement, including terms that correspond to the provisions of any written law concerning the disclosure of that information by the Commission.
(4)  The Commission may give an undertaking to a foreign data protection body that it will comply with terms specified in a requirement made of the Commission by the foreign data protection body to give such an undertaking where —
(a) those terms correspond to the provisions of any law in force in the country or territory in which the foreign data protection body is established, being provisions which concern the disclosure by the foreign data protection body of the information mentioned in paragraph (b); and
(b) compliance with the requirement is a condition imposed by the foreign data protection body for providing information in its possession to the Commission pursuant to a cooperation agreement.
(5)  In this section —
“foreign data protection body” means a body in whom there are vested functions under the law of another country or territory with respect to the enforcement or the administration of provisions of law of that country or territory concerning data protection;
“regulatory authority” includes the Commission and any foreign data protection body.
PART 3
GENERAL RULES WITH RESPECT TO PROTECTION OF AND ACCOUNTABILITY FOR PERSONAL DATA
[40/2020]
Compliance with Act
11.—(1)  In meeting its responsibilities under this Act, an organisation must consider what a reasonable person would consider appropriate in the circumstances.
(2)  An organisation is responsible for personal data in its possession or under its control.
(3)  An organisation must designate one or more individuals to be responsible for ensuring that the organisation complies with this Act.
(4)  An individual designated under subsection (3) may delegate to another individual the responsibility conferred by that designation.
(5)  An organisation must make available to the public the business contact information of at least one of the individuals designated under subsection (3) or delegated under subsection (4).
(5A)  Without limiting subsection (5), an organisation is deemed to have satisfied that subsection if the organisation makes available the business contact information of any individual mentioned in subsection (3) in any prescribed manner.
[40/2020]
(6)  The designation of an individual by an organisation under subsection (3) does not relieve the organisation of any of its obligations under this Act.
Policies and practices
12.  An organisation must —
(a) develop and implement policies and practices that are necessary for the organisation to meet the obligations of the organisation under this Act;
(b) develop a process to receive and respond to complaints that may arise with respect to the application of this Act;
(c) communicate to its staff information about the organisation’s policies and practices mentioned in paragraph (a); and
(d) make information available on request about —
(i) the policies and practices mentioned in paragraph (a); and
(ii) the complaint process mentioned in paragraph (b).
PART 4
COLLECTION, USE AND DISCLOSURE OF PERSONAL DATA
Division 1 — Consent
Consent required
13.  An organisation must not, on or after 2 July 2014, collect, use or disclose personal data about an individual unless —
(a) the individual gives, or is deemed to have given, his or her consent under this Act to the collection, use or disclosure, as the case may be; or
(b) the collection, use or disclosure (as the case may be) without the individual’s consent is required or authorised under this Act or any other written law.
Provision of consent
14.—(1)  An individual has not given consent under this Act for the collection, use or disclosure of personal data about the individual by an organisation for a purpose unless —
(a) the individual has been provided with the information required under section 20; and
(b) the individual provided his or her consent for that purpose in accordance with this Act.
(2)  An organisation must not —
(a) as a condition of providing a product or service, require an individual to consent to the collection, use or disclosure of personal data about the individual beyond what is reasonable to provide the product or service to that individual; or
(b) obtain or attempt to obtain consent for collecting, using or disclosing personal data by providing false or misleading information with respect to the collection, use or disclosure of the personal data, or using deceptive or misleading practices.
(3)  Any consent given in any of the circumstances in subsection (2) is not validly given for the purposes of this Act.
(4)  In this Act, references to consent given, or deemed to have been given, by an individual for the collection, use or disclosure of personal data about the individual include consent given, or deemed to have been given, by any person validly acting on that individual’s behalf for the collection, use or disclosure of such personal data.
Deemed consent
15.—(1)  An individual is deemed to consent to the collection, use or disclosure of personal data about the individual by an organisation for a purpose if —
(a) the individual, without actually giving consent mentioned in section 14, voluntarily provides the personal data to the organisation for that purpose; and
(b) it is reasonable that the individual would voluntarily provide the data.
(2)  If an individual gives, or is deemed to have given, consent to the disclosure of personal data about the individual by one organisation to another organisation for a particular purpose, the individual is deemed to consent to the collection, use or disclosure of the personal data for that particular purpose by that other organisation.
(3)  Without limiting subsection (2) and subject to subsection (9), an individual (P) who provides personal data to an organisation (A) with a view to P entering into a contract with A is deemed to consent to the following where reasonably necessary for the conclusion of the contract between P and A:
(a) the disclosure of that personal data by A to another organisation (B);
(b) the collection and use of that personal data by B;
(c) the disclosure of that personal data by B to another organisation.
[40/2020]
(4)  Where an organisation collects personal data disclosed to it by B under subsection (3)(c), subsection (3)(b) and (c) applies to the organisation as if the personal data were disclosed by A to the organisation under subsection (3)(a).
[40/2020]
(5)  Subsections (3) and (4) apply to personal data provided before 1 February 2021 by an individual to an organisation with a view to the individual entering into a contract with the organisation —
(a) on or after 1 February 2021; or
(b) which contract was entered into before 1 February 2021 and remains in force on that date,
as if subsections (3) and (4) —
(c) were in force when the personal data was so provided; and
(d) had continued in force until 1 February 2021.
[40/2020]
(6)  Without limiting subsection (2) and subject to subsection (9), an individual (P) who enters into a contract with an organisation (A) and provides personal data to A pursuant or in relation to that contract is deemed to consent to the following:
(a) the disclosure of that personal data by A to another organisation (B), where the disclosure is reasonably necessary —
(i) for the performance of the contract between P and A; or
(ii) for the conclusion or performance of a contract between A and B which is entered into at P’s request, or which a reasonable person would consider to be in P’s interest;
(b) the collection and use of that personal data by B, where the collection and use are reasonably necessary for any purpose mentioned in paragraph (a);
(c) the disclosure of that personal data by B to another organisation, where the disclosure is reasonably necessary for any purpose mentioned in paragraph (a).
[40/2020]
(7)  Where an organisation collects personal data disclosed to it by B under subsection (6)(c), subsection (6)(b) and (c) applies to the organisation as if the personal data were disclosed by A to the organisation under subsection (6)(a).
[40/2020]
(8)  Subsections (6) and (7) apply to personal data provided before 1 February 2021 by an individual to an organisation in relation to a contract that the individual entered into before that date with the organisation, and which remains in force on that date, as if subsections (6) and (7) —
(a) were in force when the personal data was so provided; and
(b) had continued in force until 1 February 2021.
[40/2020]
(9)  Subsections (3), (4), (5), (6), (7) and (8) do not affect any obligation under the contract between P and A that specifies or restricts —
(a) the personal data provided by P that A may disclose to another organisation; or
(b) the purposes for which A may disclose the personal data provided by P to another organisation.
[40/2020]
Deemed consent by notification
15A.—(1)  This section applies to the collection, use or disclosure of personal data about an individual by an organisation on or after 1 February 2021.
[40/2020]
(2)  Subject to subsection (3), an individual is deemed to consent to the collection, use or disclosure of personal data about the individual by an organisation if —
(a) the organisation satisfies the requirements in subsection (4); and
(b) the individual does not notify the organisation, before the expiry of the period mentioned in subsection (4)(b)(iii), that the individual does not consent to the proposed collection, use or disclosure of the personal data by the organisation.
[40/2020]
(3)  Subsection (2) does not apply to the collection, use or disclosure of personal data about the individual for any prescribed purpose.
[40/2020]
(4)  For the purposes of subsection (2)(a), the organisation must, before collecting, using or disclosing any personal data about the individual —
(a) conduct an assessment to determine that the proposed collection, use or disclosure of the personal data is not likely to have an adverse effect on the individual;
(b) take reasonable steps to bring the following information to the attention of the individual:
(i) the organisation’s intention to collect, use or disclose the personal data;
(ii) the purpose for which the personal data will be collected, used or disclosed;
(iii) a reasonable period within which, and a reasonable manner by which, the individual may notify the organisation that the individual does not consent to the organisation’s proposed collection, use or disclosure of the personal data; and
(c) satisfy any other prescribed requirements.
[40/2020]
(5)  The organisation must, in respect of the assessment mentioned in subsection (4)(a) —
(a) identify any adverse effect that the proposed collection, use or disclosure of the personal data for the purpose concerned is likely to have on the individual;
(b) identify and implement reasonable measures to —
(i) eliminate the adverse effect;
(ii) reduce the likelihood that the adverse effect will occur; or
(iii) mitigate the adverse effect; and
(c) comply with any other prescribed requirements.
[40/2020]
Withdrawal of consent
16.—(1)  On giving reasonable notice to the organisation, an individual may at any time withdraw any consent given, or deemed to have been given under this Act, in respect of the collection, use or disclosure by that organisation of personal data about the individual for any purpose.
(2)  On receipt of the notice mentioned in subsection (1), the organisation concerned must inform the individual of the likely consequences of withdrawing his or her consent.
(3)  An organisation must not prohibit an individual from withdrawing his or her consent to the collection, use or disclosure of personal data about the individual, but this section does not affect any legal consequences arising from such withdrawal.
(4)  Subject to section 25, if an individual withdraws consent to the collection, use or disclosure of personal data about the individual by an organisation for any purpose, the organisation must cease (and cause its data intermediaries and agents to cease) collecting, using or disclosing the personal data (as the case may be) unless such collection, use or disclosure (as the case may be) without the individual’s consent is required or authorised under this Act or other written law.
Collection, use and disclosure without consent
17.—(1)  An organisation may —
(a) collect personal data about an individual, without the individual’s consent or from a source other than the individual, in the circumstances or for the purposes, and subject to any condition, in the First Schedule or Part 1 of the Second Schedule;
(b) use personal data about an individual without the individual’s consent, in the circumstances or for the purposes, and subject to any condition, in the First Schedule or Part 2 of the Second Schedule; or
(c) disclose personal data about an individual without the individual’s consent, in the circumstances or for the purposes, and subject to any condition, in the First Schedule or Part 3 of the Second Schedule.
[40/2020]
(2)  Unless otherwise provided under this Act, an organisation may —
(a) collect personal data about an individual that the organisation receives by way of a disclosure to the organisation —
(i) on or after 1 February 2021 in accordance with subsection (1)(c); or
(ii) before 1 February 2021 in accordance with section 17(3) as in force before that date,
for purposes consistent with the purpose of that disclosure, or for any purpose permitted by subsection (1)(a); or
(b) use or disclose personal data about an individual that —
(i) is collected by the organisation on or after 1 February 2021 in accordance with subsection (1)(a); or
(ii) was collected by the organisation before 1 February 2021 in accordance with section 17(1) as in force before that date,
for purposes consistent with the purpose of that collection, or for any purpose permitted by subsection (1)(b) or (c), as the case may be.
[40/2020]
Division 2 — Purpose
Limitation of purpose and extent
18.  An organisation may collect, use or disclose personal data about an individual only for purposes —
(a) that a reasonable person would consider appropriate in the circumstances; and
(b) that the individual has been informed of under section 20, if applicable.
Personal data collected before 2 July 2014
19.  Despite the other provisions in this Part, an organisation may use personal data about an individual collected before 2 July 2014 for the purposes for which the personal data was collected unless —
(a) consent for such use is withdrawn in accordance with section 16; or
(b) the individual, whether before, on or after 2 July 2014, has otherwise indicated to the organisation that he or she does not consent to the use of the personal data.
Notification of purpose
20.—(1)  For the purposes of sections 14(1)(a) and 18(b), an organisation must inform the individual of —
(a) the purposes for the collection, use or disclosure of the personal data (as the case may be) on or before collecting the personal data;
(b) any other purpose of the use or disclosure of the personal data of which the individual has not been informed under paragraph (a), before the use or disclosure of the personal data for that purpose; and
(c) on request by the individual, the business contact information of a person who is able to answer on behalf of the organisation the individual’s questions about the collection, use or disclosure of the personal data.
(2)  An organisation, on or before collecting personal data about an individual from another organisation without the individual’s consent, must provide the other organisation with sufficient information regarding the purpose of the collection to allow that other organisation to determine whether the disclosure would be in accordance with this Act.
(3)  Subsection (1) does not apply if —
(a)the individual is deemed to have consented to the collection, use or disclosure (as the case may be) under section 15 or 15A; or
(b)the organisation collects, uses or discloses the personal data without the individual’s consent in accordance with section 17.
[40/2020]
(4)  Despite subsection (3), an organisation must comply with subsection (5) on or before collecting, using or disclosing personal data about an individual for the purpose of or in relation to the organisation —
(a)entering into an employment relationship with the individual or appointing the individual to any office; or
(b)managing or terminating the employment relationship with or appointment of the individual.
[40/2020]
(5)  For the purposes of subsection (4), the organisation must inform the individual of the following:
(a)the purpose for which the organisation is collecting, using or disclosing (as the case may be) the personal data about the individual;
(b)on request by the individual, the business contact information of a person who is able to answer the individual’s questions about that collection, use or disclosure (as the case may be) on behalf of the organisation.
[40/2020]
PART 5
ACCESS TO AND CORRECTION OF PERSONAL DATA
Access to personal data
21.—(1)  Subject to subsections (2), (3) and (4), on request of an individual, an organisation must, as soon as reasonably possible, provide the individual with —
(a)personal data about the individual that is in the possession or under the control of the organisation; and
(b)information about the ways in which the personal data mentioned in paragraph (a) has been or may have been used or disclosed by the organisation within a year before the date of the request.
(2)  An organisation is not required to provide an individual with the individual’s personal data or other information under subsection (1) in respect of the matters specified in the Fifth Schedule.
(3)  Subject to subsection (3A), an organisation must not provide an individual with the individual’s personal data or other information under subsection (1) if the provision of that personal data or other information (as the case may be) could reasonably be expected to —
(a)threaten the safety or physical or mental health of an individual other than the individual who made the request;
(b)cause immediate or grave harm to the safety or to the physical or mental health of the individual who made the request;
(c)reveal personal data about another individual;
(d)reveal the identity of an individual who has provided personal data about another individual and the individual providing the personal data does not consent to the disclosure of his or her identity; or
(e)be contrary to the national interest.
[40/2020]
(3A)  Subsection (3)(c) and (d) does not apply to any user activity data about, or any user‑provided data from, the individual who made the request despite such data containing personal data about another individual.
[40/2020]
(4)  An organisation must not inform any individual under subsection (1)(b) that the organisation has disclosed personal data about the individual to a prescribed law enforcement agency if the disclosure was made under this Act or any other written law without the individual’s consent.
[40/2020]
(5)  If an organisation is able to provide the individual with the individual’s personal data and other information requested under subsection (1) without the personal data or other information excluded under subsections (2), (3) and (4), the organisation must provide the individual with access to the personal data and other information without the personal data or other information excluded under subsections (2), (3) and (4).
(6)  Where —
(a)an individual makes a request under subsection (1) to an organisation on or after 1 February 2021; and
(b)the organisation, by reason of subsection (2) or (3), does not provide an individual with the individual’s personal data or other information requested under subsection (1),
the organisation must, within the prescribed time and in accordance with the prescribed requirements, notify the individual of the rejection.
[40/2020]
(7)  Where —
(a)an individual makes a request under subsection (1) to an organisation on or after 1 February 2021; and
(b)the organisation provides the individual, in accordance with subsection (5), with the individual’s personal data or other information requested under subsection (1),
the organisation must notify the individual of the exclusion, under subsection (2) or (3), of any of the personal data or other information so requested.
[40/2020]
Correction of personal data
22.—(1)  An individual may request an organisation to correct an error or omission in the personal data about the individual that is in the possession or under the control of the organisation.
(2)  Unless the organisation is satisfied on reasonable grounds that a correction should not be made, the organisation must —
(a)correct the personal data as soon as practicable; and
(b)subject to subsection (3), send the corrected personal data to every other organisation to which the personal data was disclosed by the organisation within a year before the date the correction was made, unless that other organisation does not need the corrected personal data for any legal or business purpose.
(3)  An organisation (not being a credit bureau) may, if the individual consents, send the corrected personal data only to specific organisations to which the personal data was disclosed by the organisation within a year before the date the correction was made.
(4)  When an organisation is notified under subsection (2)(b) or (3) of a correction of personal data, the organisation must correct the personal data in its possession or under its control unless the organisation is satisfied on reasonable grounds that the correction should not be made.
(5)  If no correction is made under subsection (2)(a) or (4), the organisation must annotate the personal data in its possession or under its control with the correction that was requested but not made.
(6)  Nothing in this section requires an organisation to correct or otherwise alter an opinion, including a professional or an expert opinion.
(7)  An organisation is not required to comply with this section in respect of the matters specified in the Sixth Schedule.
Preservation of copies of personal data
22A.—(1)  Where —
(a)an individual, on or after 1 February 2021, makes a request under section 21(1)(a) to an organisation to provide personal data about the individual that is in the possession or under the control of the organisation; and
(b)the organisation refuses to provide that personal data,
the organisation must preserve, for not less than the prescribed period, a copy of the personal data concerned.
[40/2020]
(2)  The organisation must ensure that the copy of the personal data it preserves for the purposes of subsection (1) is a complete and accurate copy of the personal data concerned.
[40/2020]
PART 6
CARE OF PERSONAL DATA
Accuracy of personal data
23.  An organisation must make a reasonable effort to ensure that personal data collected by or on behalf of the organisation is accurate and complete, if the personal data —
(a)is likely to be used by the organisation to make a decision that affects the individual to whom the personal data relates; or
(b)is likely to be disclosed by the organisation to another organisation.
Protection of personal data
24.  An organisation must protect personal data in its possession or under its control by making reasonable security arrangements to prevent —
(a)unauthorised access, collection, use, disclosure, copying, modification or disposal, or similar risks; and
(b)the loss of any storage medium or device on which personal data is stored.
[40/2020]
Retention of personal data
25.  An organisation must cease to retain its documents containing personal data, or remove the means by which the personal data can be associated with particular individuals, as soon as it is reasonable to assume that —
(a)the purpose for which that personal data was collected is no longer being served by retention of the personal data; and
(b)retention is no longer necessary for legal or business purposes.
Transfer of personal data outside Singapore
26.—(1)  An organisation must not transfer any personal data to a country or territory outside Singapore except in accordance with requirements prescribed under this Act to ensure that organisations provide a standard of protection to personal data so transferred that is comparable to the protection under this Act.
(2)  The Commission may, on the application of any organisation, by written notice exempt the organisation from any requirement prescribed pursuant to subsection (1) in respect of any transfer of personal data by that organisation.
(3)  An exemption under subsection (2) —
(a)may be granted subject to such conditions as the Commission may specify in writing; and
(b)need not be published in the Gazette and may be revoked at any time by the Commission.
(4)  The Commission may at any time add to, vary or revoke any condition imposed under this section.
PART 6A
NOTIFICATION OF DATA BREACHES
Interpretation of this Part
26A.  In this Part, unless the context otherwise requires —
“affected individual” means any individual to whom any personal data affected by a data breach relates;
“data breach”, in relation to personal data, means —
(a)the unauthorised access, collection, use, disclosure, copying, modification or disposal of personal data; or
(b)the loss of any storage medium or device on which personal data is stored in circumstances where the unauthorised access, collection, use, disclosure, copying, modification or disposal of the personal data is likely to occur.
[40/2020]
Notifiable data breaches
26B.—(1)  A data breach is a notifiable data breach if the data breach —
(a)results in, or is likely to result in, significant harm to an affected individual; or
(b)is, or is likely to be, of a significant scale.
[40/2020]
(2)  Without limiting subsection (1)(a), a data breach is deemed to result in significant harm to an individual —
(a)if the data breach is in relation to any prescribed personal data or class of personal data relating to the individual; or
(b)in other prescribed circumstances.
[40/2020]
(3)  Without limiting subsection (1)(b), a data breach is deemed to be of a significant scale —
(a)if the data breach affects not fewer than the prescribed number of affected individuals; or
(b)in other prescribed circumstances.
[40/2020]
(4)  Despite subsections (1), (2) and (3), a data breach that relates to the unauthorised access, collection, use, disclosure, copying or modification of personal data only within an organisation is deemed not to be a notifiable data breach.
[40/2020]
Duty to conduct assessment of data breach
26C.—(1)  This section applies to a data breach that occurs on or after 1 February 2021.
[40/2020]
(2)  Subject to subsection (3), where an organisation has reason to believe that a data breach affecting personal data in its possession or under its control has occurred, the organisation must conduct, in a reasonable and expeditious manner, an assessment of whether the data breach is a notifiable data breach.
[40/2020]
(3)  Where a data intermediary (other than a data intermediary mentioned in section 26E) has reason to believe that a data breach has occurred in relation to personal data that the data intermediary is processing on behalf of and for the purposes of another organisation —
(a)the data intermediary must, without undue delay, notify that other organisation of the occurrence of the data breach; and
(b)that other organisation must, upon notification by the data intermediary, conduct an assessment of whether the data breach is a notifiable data breach.
[40/2020]
(4)  The organisation must carry out the assessment mentioned in subsection (2) or (3)(b) in accordance with any prescribed requirements.
[40/2020]
Duty to notify occurrence of notifiable data breach
26D.—(1)  Where an organisation assesses, in accordance with section 26C, that a data breach is a notifiable data breach, the organisation must notify the Commission as soon as is practicable, but in any case no later than 3 calendar days after the day the organisation makes that assessment.
[40/2020]
(2)  Subject to subsections (5), (6) and (7), on or after notifying the Commission under subsection (1), the organisation must also notify each affected individual affected by a notifiable data breach mentioned in section 26B(1)(a) in any manner that is reasonable in the circumstances.
[40/2020]
(3)  The notification under subsection (1) or (2) must contain, to the best of the knowledge and belief of the organisation at the time it notifies the Commission or affected individual (as the case may be), all the information that is prescribed for this purpose.
[40/2020]
(4)  The notification under subsection (1) must be made in the form and submitted in the manner required by the Commission.
[40/2020]
(5)  Subsection (2) does not apply to an organisation in relation to an affected individual if the organisation —
(a)on or after assessing that the data breach is a notifiable data breach, takes any action, in accordance with any prescribed requirements, that renders it unlikely that the notifiable data breach will result in significant harm to the affected individual; or
(b)had implemented, prior to the occurrence of the notifiable data breach, any technological measure that renders it unlikely that the notifiable data breach will result in significant harm to the affected individual.
[40/2020]
(6)  An organisation must not notify any affected individual in accordance with subsection (2) if —
(a)a prescribed law enforcement agency so instructs; or
(b)the Commission so directs.
[40/2020]
(7)  The Commission may, on the written application of an organisation, waive the requirement to notify an affected individual under subsection (2) subject to any conditions that the Commission thinks fit.
[40/2020]
(8)  An organisation is not, by reason only of notifying the Commission under subsection (1) or an affected individual under subsection (2), to be regarded as being in breach of —
(a)any duty or obligation under any written law or rule of law, or any contract, as to secrecy or other restriction on the disclosure of information; or
(b)any rule of professional conduct applicable to the organisation.
[40/2020]
(9)  Subsections (1) and (2) apply concurrently with any obligation of the organisation under any other written law to notify any other person (including any public agency) of the occurrence of a data breach, or to provide any information relating to a data breach.
[40/2020]
Obligations of data intermediary of public agency
26E.  Where an organisation —
(a)is a data intermediary processing personal data on behalf of and for the purposes of a public agency; and
(b)has reason to believe that a data breach has occurred in relation to that personal data,
the organisation must, without undue delay, notify the public agency of the occurrence of the data breach.
[40/2020]
PART 7
27.  [Repealed by Act 40 of 2020]
28.  [Repealed by Act 40 of 2020]
29.  [Repealed by Act 40 of 2020]
30.  [Repealed by Act 40 of 2020]
31.  [Repealed by Act 40 of 2020]
32.  [Repealed by Act 40 of 2020]
PART 8
33.  [Repealed by Act 40 of 2020]
34.  [Repealed by Act 40 of 2020]
35.  [Repealed by Act 40 of 2020]
PART 9
DO NOT CALL REGISTRY
Division 1 — Preliminary
Interpretation of this Part
36.—(1)  In this Part, unless the context otherwise requires —
“calling line identity” means the telephone number or information identifying the sender;
“checker” means a person mentioned in section 43A(1);
“financial services” has the meaning given by section 2 of the Consumer Protection (Fair Trading) Act 2003;
“goods” means any personal property, whether tangible or intangible, and is deemed to include —
(a)chattels that are attached or intended to be attached to real property on or after delivery;
(b)financial products and credit, including credit extended solely on the security of land;
(c)any residential property; and
(d)a voucher;
“message” means any message, whether in sound, text, visual or other form;
“register” means any Do Not Call Register kept and maintained under section 39;
“send”, in relation to a message, means —
(a)to send the message, cause the message to be sent, or authorise the sending of the message; or
(b)to make a voice call containing the message, cause a voice call containing the message to be made, or authorise the making of a voice call containing the message;
“sender”, in relation to a message, means a person —
(a)who sends the message, causes the message to be sent, or authorises the sending of the message; or
(b)who makes a voice call containing the message, causes a voice call containing the message to be made, or authorises the making of a voice call containing the message;
“services” includes —
(a)a service offered or provided that involves the addition to or maintenance, repair or alteration of goods or any residential property;
(b)a membership in any club or organisation if the club or organisation is a business formed to make a profit for its owners;
(c)the right to use time share accommodation under a time share contract; and
(d)financial services;
“Singapore telephone number” means —
(a)a telephone number, with 8 digits beginning with the digit “3”, “6”, “8” or “9”, that is in accordance with the National Numbering Plan mentioned in regulation 12A of the Telecommunications (Class Licences) Regulations; or
(b)any other telephone numbers as may be prescribed;
“subscriber”, in relation to a Singapore telephone number, means the subscriber of the telecommunications service to which the Singapore telephone number is allocated;
“time share accommodation” means any living accommodation, in Singapore or elsewhere, used or intended to be used (wholly or partly) for leisure purposes by a class of persons all of whom have rights to use, or participate in arrangements under which they may use, that accommodation or accommodation within a pool of accommodation to which that accommodation belongs;
“time share contract” means a contract which confers or purports to confer on an individual time share rights that are exercisable during a period of not less than 3 years;
“voice call” includes —
(a)a call that involves a recorded or synthetic voice; or
(b)in the case of a recipient with a disability (for example, a hearing impairment), a call that is equivalent to a voice call.
[40/2020]
(2)  For the purposes of this Part, a telecommunications service provider who merely provides a service that enables a specified message to be sent is, unless the contrary is proved, presumed not to have sent the message and not to have authorised the message to be sent.
(3)  For the purposes of this Part, if a specified message is sent and at the relevant time the telecommunications device, service or network from which it was sent was controlled by a person without the knowledge of the owners or authorised users of the telecommunications device, service or network, the owners or authorised users are, unless the contrary is proved, presumed not to have sent the message and not to have authorised the sending of the message.
(4)  In subsection (3), “control” means either physical control or control through the use of software or other means.
Meaning of “specified message”
37.—(1)  Subject to subsection (5), for the purposes of this Part, a specified message is a message where, having regard to the following, it would be concluded that the purpose, or one of the purposes, of the message is an applicable purpose:
(a)the content of the message;
(b)the presentational aspects of the message;
(c)the content that can be obtained using the numbers, URLs or contact information (if any) mentioned in the message;
(d)if the telephone number from which the message is made is disclosed to the recipient (whether by calling line identity or otherwise), the content (if any) that can be obtained by calling that number.
[40/2020]
(2)  For the purposes of subsection (1), where the applicable purpose relates to offering, supplying, advertising or promoting any goods, service, land, interest in land, business opportunity or investment opportunity, it does not matter whether or not —
(a)the goods, service, land, interest or opportunity exists; or
(b)it is lawful to acquire the goods, service, land or interest or take up the opportunity.
[40/2020]
(3)  Subject to subsection (4), a person (A) who authorises another person (B) to offer, advertise or promote A’s goods, services, land, interest or opportunity is deemed to have authorised the sending of any message sent by B that offers, advertises or promotes A’s goods, services, land, interest or opportunity.
(4)  For the purposes of subsection (3), a person who takes reasonable steps to stop the sending of a message mentioned in that subsection is deemed not to have authorised the sending of the message.
(5)  For the purposes of this Part, a specified message does not include any message mentioned in the Eighth Schedule.
(6)  In this section, “applicable purpose” means a purpose specified in the Tenth Schedule.
[40/2020]
Application of this Part
38.  This Part applies to a specified message addressed to a Singapore telephone number where —
(a)the sender of the specified message is present in Singapore when the specified message is sent; or
(b)the recipient of the specified message is present in Singapore when the specified message is accessed.
Division 2 — Administration
Register
39.—(1)  The Commission must cause to be kept and maintained one or more registers of Singapore telephone numbers, each known as a Do Not Call Register, for the purposes of this Part.
(2)  Each register must be kept in such form and must contain such particulars as the Commission thinks fit.
(3)  The Commission may authorise another person to maintain any register, on its behalf, subject to such conditions or restrictions as the Commission may think fit.
Applications
40.—(1)  A subscriber may apply to the Commission, in the form and manner prescribed —
(a)to add his or her Singapore telephone number to a register; or
(b)to remove his or her Singapore telephone number from a register.
(2)  Any person may apply to the Commission, in the form and manner required by the Commission, to confirm whether any Singapore telephone number is listed in a register.
Evidence
41.  A certificate purporting to be signed by the Chief Executive of the Authority or an authorised officer and stating that a Singapore telephone number was or was not listed in a register at a date specified in the certificate is admissible as evidence of its contents in any proceedings.
[22/2016]
Information on terminated Singapore telephone number
42.—(1)  Every telecommunications service provider must report to the Commission, in the form and manner prescribed, all terminated Singapore telephone numbers.
(2)  A telecommunications service provider which contravenes subsection (1) shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $10,000.
(3)  In this section, “terminated Singapore telephone number” means —
(a)a Singapore telephone number to which the following apply:
(i)the Singapore telephone number has been allocated to a subscriber;
(ii)the telecommunications service associated with the Singapore telephone number has been terminated by the subscriber or telecommunications service provider; and
(iii)the Singapore telephone number has not been allocated to a different subscriber; or
(b)any other telephone numbers and circumstances as may be prescribed.
(4)  For the purpose of subsection (1), where —
(a)a Singapore telephone number has been allocated to a subscriber by a telecommunications service provider (called in this subsection the first provider);
(b)the telecommunications service associated with the Singapore telephone number has been terminated by the subscriber;
(c)the subscriber contracts for a telecommunications service associated with the Singapore telephone number with another telecommunications service provider (called in this subsection the subsequent provider);
(d)the telecommunications service mentioned in paragraph (c) has been terminated by the subscriber or the subsequent provider; and
(e)the Singapore telephone number has not subsequently been allocated to any subscriber,
it is the responsibility of the first provider to satisfy subsection (1).
(5)  Without affecting the obligations of the telecommunications service provider under subsections (1) to (4), the Commission must pay the prescribed fees to the telecommunications service provider for each terminated Singapore telephone number reported to the Commission in accordance with this section.
Division 3 — Specified message to Singapore telephone number
Duty to check register
43.—(1)  Subject to section 48(2), a person must not send a specified message addressed to a Singapore telephone number unless the person has, at the time the person sends the specified message, valid confirmation that the Singapore telephone number is not listed in the relevant register.
[40/2020]
(2)  For the purposes of subsection (1), the person has valid confirmation that a Singapore telephone number is not listed in the relevant register in either of the following circumstances:
(a)the person has, within the prescribed duration before sending the specified message —
(i)made an application to the Commission under section 40(2) to confirm whether the Singapore telephone number is listed in the relevant register; and
(ii)received confirmation from the Commission that the Singapore telephone number is not listed in the relevant register;
(b)the person has obtained from a checker information that the Singapore telephone number is not listed in the relevant register (called in this section the relevant information) and has no reason to believe that, and is not reckless as to whether —
(i)the prescribed period in relation to the relevant information has expired; or
(ii)the relevant information is false or inaccurate.
[40/2020]
(3)  In subsection (2)(b)(i), “prescribed period”, in relation to relevant information, means the prescribed period beginning after the date on which the checker received confirmation from the Commission, in response to the checker’s application to the Commission under section 40(2), that a Singapore telephone number is not listed in the relevant register.
[40/2020]
(4)  A person does not contravene subsection (1) if the subscriber or user of the Singapore telephone number to which a specified message is sent —
(a)gave clear and unambiguous consent to the sending of the specified message to that Singapore telephone number; and
(b)the consent is evidenced in written or other form so as to be accessible for subsequent reference.
[40/2020]
(5)  For the purposes of this section and section 43A —
(a)where there is only one register kept or maintained under section 39, the relevant register refers to that register; and
(b)where there are 2 or more registers kept or maintained under section 39 for different types of specified messages, the relevant register refers to the register relevant for the particular type of specified message.
[40/2020]
Duty of checkers
43A.—(1)  This section applies to a person (called the checker) that, for reward, provides to another person (P) information on whether a Singapore telephone number is listed in the relevant register (called in this section the applicable information) for the purpose of P’s compliance with section 43(1), other than —
(a)the Commission;
(b)an individual who is an employee of P; and
(c)an individual who is an employee or agent of a checker.
[40/2020]
(2)  A checker must —
(a)ensure that the applicable information provided to P is accurate; and
(b)provide the applicable information to P in accordance with any prescribed requirements.
[40/2020]
(3)  A checker is deemed to have complied with subsection (2)(a) if —
(a)the applicable information that the checker provides to P is in accordance with a reply from the Commission in response to the checker’s application under section 40(2); and
(b)the checker provides the applicable information to P before the expiry of the prescribed period mentioned in section 43(2)(b)(i).
[40/2020]
Contact information
44.  Subject to section 48(2), a person must not send a specified message addressed to a Singapore telephone number unless —
(a)the specified message includes clear and accurate information identifying the individual or organisation that sent or authorised the sending of the specified message;
(b)the specified message includes clear and accurate information about how the recipient can readily contact that individual or organisation;
(c)the specified message includes the information, and complies with the conditions, specified in the regulations, if any; and
(d)the information included in the specified message in compliance with this section is reasonably likely to be valid for at least 30 days after the message is sent.
[40/2020]
Calling line identity not to be concealed
45.  Subject to section 48(3), a person that makes a voice call containing a specified message or causes a voice call containing a specified message to be made or authorises the making of a voice call containing a specified message, addressed to a Singapore telephone number, from a telephone number or fax number, must not do any of the following:
(a)conceal or withhold from the recipient the calling line identity of the sender;
(b)perform any operation or issue any instruction in connection with the sending of the specified message for the purpose of, or that has the effect of, concealing or withholding from the recipient the calling line identity of the sender.
[40/2020]
Consent
46.—(1)  A person must not, as a condition for supplying goods, services, land, interest or opportunity, require a subscriber or user of a Singapore telephone number to give consent for the sending of a specified message to that Singapore telephone number or any other Singapore telephone number beyond what is reasonable to provide the goods, services, land, interest or opportunity to that subscriber or user, and any consent given in such circumstance is not validly given.
(2)  If a person obtains or attempts to obtain consent for sending a specified message to a Singapore telephone number —
(a)by providing false or misleading information with respect to the sending of the specified message; or
(b)by using deceptive or misleading practices,
any consent given in such circumstances is not validly given.
Withdrawal of consent
47.—(1)  On giving notice, a subscriber or user of a Singapore telephone number may at any time withdraw any consent given to a person for the sending of any specified message to that Singapore telephone number.
(2)  A person must not prohibit a subscriber or user of a Singapore telephone number from withdrawing the subscriber’s or user’s consent to the sending of a specified message to that Singapore telephone number, but this section does not affect any legal consequences arising from such withdrawal.
(3)  If a subscriber or user of a Singapore telephone number gives notice withdrawing consent given to a person for the sending of any specified message to that Singapore telephone number, the person must cease (and cause its agent to cease) sending any specified message to that Singapore telephone number after the expiry of the prescribed period.
(4)  For the purposes of this Part, a subscriber or user of a Singapore telephone number is deemed to have given his or her consent to a person to send a specified message to that Singapore telephone number if the subscriber or user —
(a)consents to the sending of the specified message before 2 January 2014; and
(b)that consent has not been withdrawn on or after 2 January 2014.
(5)  For the purposes of this Part, where a subscriber or user of a Singapore telephone number —
(a)consents to a person sending a specified message to that Singapore telephone number before, on or after 2 January 2014; and
(b)subsequently applies to add or adds that Singapore telephone number to the register on or after 2 January 2014,
the application to add or the addition of that Singapore telephone number is not to be regarded as a withdrawal of the consent.
(6)  To avoid doubt, a subscriber of a Singapore telephone number may, at any time on or after 2 January 2014, withdraw any consent given for the sending of a specified message to that Singapore telephone number.
Defence for employee
48.—(1)  In any proceedings for an offence under this Part brought against any employee in respect of an act or conduct alleged to have been done or engaged in (as the case may be) by the employee, it is a defence for the employee to prove that he or she did the act or engaged in the conduct in good faith —
(a)in the course of his or her employment; or
(b)in accordance with instructions given to him or her by or on behalf of his or her employer in the course of his or her employment.
(2)  Section 43(1) or 44 does not apply to an employee (X) who sends a specified message addressed to a Singapore telephone number in good faith —
(a)in the course of X’s employment; or
(b)in accordance with instructions given to X by or on behalf of X’s employer in the course of X’s employment.
[40/2020]
(3)  Section 45 does not apply to an employee (Y) who makes, causes to be made or authorises the making of a voice call containing a specified message, addressed to a Singapore telephone number, from a telephone number or fax number, in good faith —
(a)in the course of Y’s employment; or
(b)in accordance with instructions given to Y by or on behalf of Y’s employer in the course of Y’s employment.
[40/2020]
(4)  Subsection (1), (2) or (3) does not apply to an employee (Z) who, at the time the act was done or the conduct was engaged in, was an officer or a partner of Z’s employer and it is proved that —
(a)Z knew or ought reasonably to have known that the telephone number is a Singapore telephone number listed in the relevant register; and
(b)the specified message was sent with Z’s consent or connivance, or the sending of the specified message was attributable to any neglect on Z’s part.
[40/2020]
(5)  In this section —
“corporation” has the meaning given by section 52(7);
“officer”  —
(a)in relation to a corporation, has the meaning given by section 52(7); or
(b)in relation to an unincorporated association (other than a partnership), has the meaning given by section 52A(7);
“partner”, in relation to a partnership, has the meaning given by section 52A(7).
[40/2020]
PART 9A
DICTIONARY ATTACKS AND ADDRESS‑HARVESTING SOFTWARE
Interpretation of this Part
48A.—(1)  In this Part, unless the context otherwise requires —
“address‑harvesting software” means software that is specifically designed or marketed for use for —
(a)searching the Internet for telephone numbers; and
(b)collecting, compiling, capturing or otherwise harvesting those telephone numbers;
“applicable message” means a message with a Singapore link that is sent to any applicable telephone number;
“applicable telephone number” means a telephone number that is generated or obtained through the use of —
(a)a dictionary attack; or
(b)address‑harvesting software;
“dictionary attack” means the method by which the telephone number of a recipient is obtained using an automated means that generates possible telephone numbers by combining numbers into numerous permutations;
“message”, “send”, “sender” and “Singapore telephone number” have the meanings given by section 36(1).
[40/2020]
(2)  In this Part, an applicable message has a Singapore link in any of the following circumstances:
(a)the message originates in Singapore;
(b)the sender of the message —
(i)where the sender is an individual — is physically present in Singapore when the message is sent; or
(ii)in any other case —
(A)is formed or recognised under the law of Singapore; or
(B)has an office or a place of business in Singapore;
(c)the telephone, mobile telephone or other device that is used to access the message is located in Singapore;
(d)the recipient of the message —
(i)where the recipient is an individual — is physically present in Singapore when the message is accessed; or
(ii)in any other case — carries on business or activities in Singapore when the message is accessed;
(e)if the message cannot be delivered because the telephone number to which the message is sent has ceased to exist (assuming that the telephone number existed), it is reasonably likely that the message would have been accessed using a telephone, mobile telephone or other device located in Singapore.
[40/2020]
(3)  For the purposes of the definition of “applicable message” in subsection (1), it does not matter —
(a)whether the telephone number to which the message is sent is a Singapore telephone number;
(b)whether that telephone number exists; or
(c)whether the message reaches its intended destination.
[40/2020]
(4)  For the purposes of this Part, a telecommunications service provider that merely provides a service that enables an applicable message to be sent is, unless the contrary is proved, presumed not to have sent, caused to be sent or authorised the sending of the applicable message.
[40/2020]
(5)  For the purposes of this Part, if, at the time an applicable message is sent, the telecommunications device, service or network from which it was sent was controlled by a person without the knowledge of the owner or authorised user of the telecommunications device, service or network (as the case may be), the owner or authorised user (as the case may be) is, unless the contrary is proved, presumed not to have sent, caused to be sent or authorised the sending of the applicable message.
[40/2020]
(6)  In subsection (5), “control” means —
(a)physical control; or
(b)control through the use of software or other means.
[40/2020]
Prohibition on use of dictionary attacks and address‑harvesting software
48B.—(1)  Subject to subsections (2) and (3), a person must not send, cause to be sent or authorise the sending of an applicable message.
[40/2020]
(2)  Subsection (1) does not apply to an employee (P) who sends, causes to be sent or authorises the sending of an applicable message in good faith —
(a)in the course of P’s employment; or
(b)in accordance with instructions given to P by or on behalf of P’s employer in the course of P’s employment.
[40/2020]
(3)  However, subsection (2) does not apply to a person (P) who, at the time the applicable message was sent, was an officer or a partner of the sender and it is proved that —
(a)P knew or ought reasonably to have known that the telephone number is an applicable telephone number; and
(b)the applicable message was sent with P’s consent or connivance, or the sending of the applicable message was attributable to any neglect on P’s part.
[40/2020]
(4)  In this section —
“corporation” has the meaning given by section 52(7);
“officer”  —
(a)in relation to a corporation, has the meaning given by section 52(7); or
(b)in relation to an unincorporated association (other than a partnership), has the meaning given by section 52A(7);
“partner”, in relation to a partnership, has the meaning given by section 52A(7).
[40/2020]
PART 9B
OFFENCES AFFECTING PERSONAL DATA AND ANONYMISED INFORMATION
Interpretation and application of this Part
48C.—(1)  In this Part, unless the context otherwise requires —
“disclose”, in relation to personal data, includes providing access to personal data;
“gain” means —
(a)a gain in property or a supply of services, whether temporary or permanent; or
(b)an opportunity to earn remuneration or greater remuneration or to gain a financial advantage otherwise than by way of remuneration;
“harm”, in relation to an individual, means —
(a)any physical harm; or
(b)harassment, alarm or distress caused to the individual;
“loss” means —
(a)a loss in property or a supply of services, whether temporary or permanent; or
(b)a loss of an opportunity to earn remuneration or greater remuneration or to gain a financial advantage otherwise than by way of remuneration,
but excludes, in relation to an individual, the loss of personal data about the individual;
“Monetary Authority of Singapore” means the Monetary Authority of Singapore established by section 3 of the Monetary Authority of Singapore Act 1970;
“relevant public official” has the meaning given by section 7(7) of the Public Sector (Governance) Act 2018;
“Singapore public sector agency” has the meaning given by section 2(1) of the Public Sector (Governance) Act 2018.
[40/2020]
(2)  This Part does not apply to an individual who —
(a)at the time of the commission of any offence under section 48D(1), 48E(1) or 48F(1), is a relevant public official in a Singapore public sector agency; or
(b)is or has been a director or an officer or employee of the Monetary Authority of Singapore in respect of the disclosure, use or re‑identification of information acquired in the performance of the individual’s duties or the exercise of the individual’s functions.
[40/2020]
Unauthorised disclosure of personal data
48D.—(1)  If —
(a)an individual discloses, or the individual’s conduct causes disclosure of, personal data in the possession or under the control of an organisation or a public agency to another person;
(b)the disclosure is not authorised by the organisation or public agency, as the case may be; and
(c)the individual does so —
(i)knowing that the disclosure is not authorised by the organisation or public agency, as the case may be; or
(ii)reckless as to whether the disclosure is or is not authorised by the organisation or public agency, as the case may be,
the individual shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $5,000 or to imprisonment for a term not exceeding 2 years or to both.
[40/2020]
(2)  In proceedings for an offence under subsection (1), it is a defence to the charge for the accused to prove, on a balance of probabilities, any of the following:
(a)that —
(i)the personal data in the possession or under the control of the organisation or public agency (as the case may be) that was disclosed was, at the time of the disclosure, publicly available; and
(ii)where the personal data was publicly available solely because of an applicable contravention, the accused did not know, and was not reckless as to whether, that was the case;
(b)that the accused disclosed, or caused the disclosure of, personal data in the possession or under the control of the organisation or public agency, as the case may be —
(i)as permitted or required by or under an Act or other law (apart from this Act);
(ii)as authorised or required by an order of court;
(iii)in the reasonable belief that, and was not reckless as to whether, the accused had the legal right to do so; or
(iv)in any other circumstances, or for any other purpose, prescribed.
[40/2020]
(3)  To avoid doubt, subsection (2) does not affect any obligation or limitation imposed on, or prohibition of, the disclosure of personal data in the possession or under the control of an organisation or a public agency (as the case may be) by or under any other written law or other law.
[40/2020]
(4)  In this section, “applicable contravention” means a contravention of any of the following:
(a)subsection (1);
(b)section 48F(1);
(c)section 7(1) or 8(1) of the Public Sector (Governance) Act 2018;
(d)section 14A(1) or 14C(1) of the Monetary Authority of Singapore Act 1970.
[40/2020]
Improper use of personal data
48E.—(1)  If —
(a)an individual makes use of personal data in the possession or under the control of an organisation or a public agency;
(b)the use is not authorised by the organisation or public agency, as the case may be;
(c)the individual does so —
(i)knowing that the use is not authorised by the organisation or public agency, as the case may be; or
(ii)reckless as to whether the use is or is not authorised by the organisation or public agency, as the case may be; and
(d)the individual, as a result of that use —
(i)obtains a gain for the individual or another person;
(ii)causes harm to another individual; or
(iii)causes a loss to another person,
the individual shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $5,000 or to imprisonment for a term not exceeding 2 years or to both.
[40/2020]
(2)  In proceedings for an offence under subsection (1), it is a defence to the charge for the accused to prove, on a balance of probabilities, any of the following:
(a)that —
(i)the personal data in the possession or under the control of the organisation or public agency (as the case may be) that was used was, at the time of the use, publicly available; and
(ii)where the personal data was publicly available solely because of an applicable contravention, the accused did not know, and was not reckless as to whether, that was the case;
(b)that the accused used the personal data in the possession or under the control of the organisation or public agency, as the case may be —
(i)as permitted or required by or under an Act or other law (apart from this Act);
(ii)as authorised or required by an order of court;
(iii)in the reasonable belief that, and was not reckless as to whether, the accused had the legal right to do so; or
(iv)in any other circumstances, or for any other purpose, prescribed.
[40/2020]
(3)  To avoid doubt, subsection (2) does not affect any obligation or limitation imposed on, or prohibition of, the use of personal data in the possession or under the control of an organisation or a public agency (as the case may be) by or under any other written law or other law.
[40/2020]
(4)  In this section, “applicable contravention” means a contravention of any of the following:
(a)section 48D(1) or 48F(1);
(b)section 7(1) or 8(1) of the Public Sector (Governance) Act 2018;
(c)section 14A(1) or 14C(1) of the Monetary Authority of Singapore Act 1970.
[40/2020]
Unauthorised re‑identification of anonymised information
48F.—(1)  If —
(a)an individual takes any action to re‑identify or cause re‑identification of the person to whom anonymised information in the possession or under the control of an organisation or a public agency relates (called in this section the affected person);
(b)the re‑identification is not authorised by the organisation or public agency, as the case may be; and
(c)the individual does so —
(i)knowing that the re‑identification is not authorised by the organisation or public agency, as the case may be; or
(ii)reckless as to whether the re‑identification is or is not authorised by the organisation or public agency, as the case may be,
the individual shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $5,000 or to imprisonment for a term not exceeding 2 years or to both.
[40/2020]
(2)  In proceedings for an offence under subsection (1), it is a defence to the charge for the accused to prove, on a balance of probabilities, any of the following:
(a)that —
(i)the information on the identity of the affected person is publicly available; and
(ii)where that information was publicly available solely because of an applicable contravention, the accused did not know, and was not reckless as to whether, that was the case;
(b)the action to re‑identify or cause re‑identification is —
(i)permitted or required by or under an Act or other law (apart from this Act); or
(ii)authorised or required by an order of court;
(c)the accused —
(i)reasonably believed that the re‑identification was for a specified purpose; and
(ii)notified the Commission or the organisation or public agency (as the case may be) of the re‑identification as soon as was practicable;
(d)the accused took the action to re‑identify or cause re‑identification in the reasonable belief that, and was not reckless as to whether, the accused had the legal right to do so, other than for a specified purpose;
(e)in any other circumstances, or for any other purpose, prescribed.
[40/2020]
(3)  To avoid doubt, subsection (2) does not affect any obligation or limitation imposed on, or prohibition of, the re‑identification of the affected person by or under any other written law or other law.
[40/2020]
(4)  In this section —
“applicable contravention” means a contravention of any of the following:
(a)subsection (1);
(b)section 8(1) of the Public Sector (Governance) Act 2018;
(c)section 14C(1) of the Monetary Authority of Singapore Act 1970;
“specified purpose” means any purpose specified in the Eleventh Schedule.
[40/2020]
PART 9C
ENFORCEMENT
Alternative dispute resolution
48G.—(1)  If the Commission is of the opinion that any complaint by an individual (called in this section the complainant) against an organisation may more appropriately be resolved by mediation, the Commission may, without the consent of the complainant and the organisation, refer the matter to mediation under a dispute resolution scheme.
[40/2020]
(2)  Subject to subsection (1), the Commission may, with or without the consent of the complainant and the organisation, direct the complainant or the organisation or both to attempt to resolve the complaint of the complainant in the way directed by the Commission.
[40/2020]
(3)  For the purposes of subsection (1), the Commission may establish or approve one or more dispute resolution schemes for the resolution of complaints by individuals against organisations.
[40/2020]
(4)  The Commission may, with the approval of the Minister, make regulations under section 65 to provide for matters relating to the operation by an operator of a dispute resolution scheme, including —
(a)the standards or requirements of the services provided under the dispute resolution scheme;
(b)the fees that the operator may charge for the services provided under the dispute resolution scheme;
(c)the records that the operator must keep, and the period of retention of those records;
(d)the reports that the operator must submit to the Commission, and the manner and time for those submissions;
(e)matters relating to the administration of the dispute resolution scheme; and
(f)generally to give effect to or for carrying out the purposes of subsections (1) and (3).
[40/2020]
Power to review
48H.—(1)  On the application of a complainant, the Commission may review —
(a)a refusal by an organisation to provide access to personal data or other information requested by the complainant under section 21, or the organisation’s failure to provide that access within a reasonable time;
(b)a refusal by an organisation to correct personal data in accordance with a request by the complainant under section 22, or the organisation’s failure to make the correction within a reasonable time;
(c)a refusal by a porting organisation to transmit any applicable data pursuant to a data porting request under section 26H, or the porting organisation’s failure to transmit the applicable data within a reasonable time;
(d)a fee required from the complainant by an organisation in relation to a request by the complainant under section 21 or 22; or
(e)a fee required from the complainant or a receiving organisation by a porting organisation in relation to a data porting request by the complainant under section 26H.
[40/2020]
(2)  Upon completion of its review under subsection (1), the Commission may —
(a)confirm the refusal to provide access to the personal data or other information, or direct the organisation to provide access to the personal data or other information within the time specified by the Commission;
(b)confirm the refusal to correct the personal data, or direct the organisation to correct the personal data in the manner and within the time specified by the Commission;
(c)confirm the refusal to transmit the applicable data, or direct the porting organisation to transmit the applicable data in the manner and within the time specified by the Commission; or
(d)confirm, reduce or disallow a fee, or direct the organisation or porting organisation (as the case may be) to make a refund to the complainant or receiving organisation, as the case may be.
[40/2020]
Directions for non‑compliance
48I.—(1)  The Commission may, if it is satisfied that —
(a)an organisation has not complied or is not complying with any provision of Part 3, 4, 5, 6, 6A or 6B; or
(b)a person has not complied or is not complying with any provision of Part 9 or section 48B(1),
give the organisation or person (as the case may be) any direction that the Commission thinks fit in the circumstances to ensure compliance with that provision.
[40/2020]
(2)  Without limiting subsection (1), the Commission may, if it thinks fit in the circumstances to ensure compliance with any provision of Part 3, 4, 5, 6, 6A or 6B, give an organisation all or any of the following directions:
(a)to stop collecting, using or disclosing personal data in contravention of this Act;
(b)to destroy personal data collected in contravention of this Act;
(c)to comply with any direction of the Commission under section 48H(2).
[40/2020]
Financial penalties
48J.—(1)  Subject to subsection (2), the Commission may, if it is satisfied that —
(a)an organisation has intentionally or negligently contravened any provision of Part 3, 4, 5, 6, 6A or 6B; or
(b)a person has intentionally or negligently contravened —
(i)any provision of Part 9; or
(ii)section 48B(1),
require, by written notice, the organisation or person (as the case may be) to pay a financial penalty.
[40/2020]
(2)  Subsection (1) does not apply in relation to any contravention of a provision of this Act, the breach of which is an offence under this Act.
[40/2020]
(3)  A financial penalty imposed on an organisation under subsection (1)(a) must not exceed the maximum amount to be prescribed, which in no case may be more than the following:
(a)in the case of a contravention on or after the date of commencement of section 24 of the Personal Data Protection (Amendment) Act 2020 by an organisation whose annual turnover in Singapore exceeds $10 million — 10% of the annual turnover in Singapore of the organisation;
(b)in any other case — $1 million.
[Act 40 of 2020 wef 01/10/2022]
(4)  A financial penalty imposed on a person under subsection (1)(b)(i) must not exceed the maximum amount to be prescribed, which in no case may be more than the following:
(a)in the case of an individual — $200,000;
(b)in any other case — $1 million.
[40/2020]
[Act 40 of 2020 wef 01/10/2022]
(4A)  A financial penalty imposed on a person under subsection (1)(b)(ii) must not exceed the maximum amount to be prescribed, which in no case may be more than the following:
(a)in the case of an individual — $200,000;
(b)in the case of a contravention on or after the date of commencement of section 24 of the Personal Data Protection (Amendment) Act 2020 by a person whose annual turnover in Singapore exceeds $20 million — 5% of the annual turnover of the person in Singapore;
(c)in any other case — $1 million.
[Act 40 of 2020 wef 01/10/2022]
(5)  For the purposes of subsections (3) and (4), different maximum amounts may be prescribed in respect of contraventions of different provisions of this Act.
[40/2020]
(5A)  For the purposes of subsections (3)(a) and (4A)(b), the annual turnover in Singapore of an organisation or a person (as the case may be) is the amount ascertained from the most recent audited accounts of the organisation or person available at the time the financial penalty is imposed on that organisation or person.
[Act 40 of 2020 wef 01/10/2022]
(6)  The Commission must, in determining the amount of a financial penalty imposed under subsection (1), have regard to, and give such weight as the Commission considers appropriate to, all of the following matters:
(a)the nature, gravity and duration of the non‑compliance by the organisation or person, as the case may be;
(b)the type and nature of the personal data affected by the non‑compliance by the organisation or person, as the case may be;
(c)whether the organisation or person (as the case may be), as a result of the non‑compliance, gained any financial benefit or avoided any financial loss;
(d)whether the organisation or person (as the case may be) took any action to mitigate the effects and consequences of the non‑compliance, and the timeliness and effectiveness of that action;
(e)whether the organisation or person (as the case may be) had, despite the non‑compliance, implemented adequate and appropriate measures for compliance with the requirements under this Act;
(f)whether the organisation or person (as the case may be) had previously failed to comply with this Act;
(g)the compliance of the organisation or person (as the case may be) with any direction given under section 48I or 48L(4) in relation to remedying or mitigating the effect of the non‑compliance;
(h)whether the financial penalty to be imposed is proportionate and effective, having regard to achieving compliance and deterring non‑compliance with this Act;
(i)the likely impact of the imposition of the financial penalty on the organisation or person (as the case may be), including the ability of the organisation or person to continue the usual activities of the organisation or person;
(j)any other matter that may be relevant.
[40/2020]
Procedure for giving of directions and imposing of financial penalty
48K.—(1)  Before giving any direction under section 48I or imposing a financial penalty under section 48J(1), the Commission must give written notice to the organisation or person concerned —
(a)stating that the Commission intends to take action against the organisation or person under section 48I or 48J(1), as the case may be;
(b)where the Commission intends to give any direction under section 48I, specifying the direction the Commission proposes to give;
(c)specifying each instance of non‑compliance that is the subject of the proposed action, or the reason or reasons for the proposed action; and
(d)subject to subsections (2) and (3), specifying the time within which written representations may be made to the Commission with respect to the proposed action.
[40/2020]
(2)  Where the Commission intends to impose a financial penalty under section 48J(1) on an organisation or a person, the time specified in the notice within which written representations may be made to the Commission must be at least 14 days after the date the notice is served on that organisation or person.
[40/2020]
(3)  The Commission may, on written application by the organisation or person concerned (whether before, on or after the expiry of the time specified in the notice), extend the time for the organisation or person to make written representations to the Commission if the Commission is satisfied that the extension should be granted by reason of exceptional circumstances in the particular case.
[40/2020]
(4)  The Commission may decide to give the direction under section 48I or impose the financial penalty under section 48J(1), as the case may be —
(a)after considering any written representation made to the Commission pursuant to the notice mentioned in subsection (1); or
(b)upon the expiry of the time specified in the notice under subsection (1)(d), or as extended by the Commission under subsection (3), where no representation is so made or any written representation made is subsequently withdrawn.
[40/2020]
(5)  Subsection (1) does not apply where the organisation or person (as the case may be) has died, is adjudged bankrupt, has been dissolved or wound up or has otherwise ceased to exist.
[40/2020]
(6)  Where the Commission decides to give the direction under section 48I or impose the financial penalty under section 48J(1) (as the case may be), the Commission must serve a notice of the decision on the following persons:
(a)the organisation or person concerned;
(b)the complainant whose complaint against the organisation or person concerned resulted in the giving of the direction or the imposition of the financial penalty (as the case may be), if any.
[40/2020]
(7)  A direction given under section 48I or the imposition of a financial penalty under section 48J(1) takes effect only when the Commission serves the notice in subsection (6)(a) on the organisation or person concerned.
[40/2020]
(8)  Where the Commission imposes a financial penalty under section 48J(1) on an organisation or a person, the written notice issued by the Commission to the organisation or person must specify the date before which the financial penalty is to be paid, being a date not earlier than 28 days after the notice is issued.
[40/2020]
(9)  The Commission may, on written application by an organisation or a person on whom a financial penalty under section 48J(1) is imposed —
(a)extend the time for the organisation or person to pay the financial penalty; or
(b)allow the financial penalty to be paid by instalments.
[40/2020]
(10)  The interest payable —
(a)on the outstanding amount of any financial penalty imposed under section 48J(1); and
(b)for payment by instalments (as the Commission may allow) of any financial penalty imposed under section 48J(1),
must be at such rate as the Commission may direct, which must not exceed the rate prescribed in the Rules of Court in respect of judgment debts.
[40/2020]
Voluntary undertakings
48L.—(1)  Without affecting sections 48I, 48J(1) and 50(1), where the Commission has reasonable grounds to believe that —
(a)an organisation has not complied, is not complying or is likely not to comply with any provision of Part 3, 4, 5, 6, 6A or 6B; or
(b)a person has not complied, is not complying or is likely not to comply with any provision of Part 9 or section 48B(1),
the organisation or person concerned may give, and the Commission may accept, a written voluntary undertaking.
[40/2020]
(2)  Without limiting the matters to which the voluntary undertaking may relate, the voluntary undertaking may include any of the following undertakings by the organisation or person concerned:
(a)an undertaking to take specified action within a specified time;
(b)an undertaking to refrain from taking specified action;
(c)an undertaking to publicise the voluntary undertaking.
[40/2020]
(3)  Subject to subsection (4), the Commission may, after accepting the voluntary undertaking and with the agreement of the organisation or person who gave the voluntary undertaking —
(a)vary the terms of any undertaking included in the voluntary undertaking; or
(b)include, in the voluntary undertaking, any additional undertaking mentioned in subsection (2).
[40/2020]
(4)  Where an organisation or a person fails to comply with any undertaking in a voluntary undertaking —
(a)the Commission may give the organisation or person concerned any direction that the Commission thinks fit in the circumstances to ensure the compliance of the organisation or person with that undertaking; and
(b)section 48K(1), (3), (4), (5), (6) and (7) applies to the direction given under paragraph (a) as if the direction were given under section 48I.
[40/2020]
(5)  In addition, where an organisation or a person fails to comply with an undertaking mentioned in subsection (2)(c), the Commission may publicise the voluntary undertaking in accordance with the undertaking, and recover the costs and expenses so incurred from the organisation or person as a debt due to the Commission.
[40/2020]
Enforcement of directions of or written notices by Commission in District Court
48M.—(1)  For the purposes of enforcing a direction or written notice mentioned in subsection (2) —
(a) the Commission may apply for the direction or written notice (as the case may be) to be registered in a District Court in accordance with the Rules of Court; and
(b) the District Court is to register the direction or written notice in accordance with the Rules of Court.
[40/2020]
(2)  Subsection (1) applies to any of the following:
(a) a direction made by the Commission under section 48H(2), 48I or 48L(4);
(b) a written notice by the Commission for the payment of any sum comprising —
(i) a financial penalty imposed under section 48J(1); and
(ii) any interest payable under section 48K(10) on that financial penalty.
[40/2020]
(3)  From the date of registration of a direction or written notice under subsection (1), the direction or written notice (as the case may be) has the same force and effect, and all proceedings may be taken on the direction or written notice (as the case may be), for the purposes of enforcement, as if it had been an order originally obtained in the District Court which has power to enforce it accordingly.
[40/2020]
(4)  A District Court may, for the purpose of enforcing a direction in accordance with subsection (3), make any order —
(a) to secure compliance with the direction; or
(b) to require any person to do anything to remedy, mitigate or eliminate any effects arising from —
(i) anything done which ought not, under the direction, to have been done; or
(ii) anything not done which ought, under the direction, to have been done,
which would not have occurred had the direction been complied with.
[40/2020]
(5)  A District Court has jurisdiction to enforce a written notice in accordance with subsection (3) regardless of the amount of the sum mentioned in subsection (2)(b).
[40/2020]
Reconsideration of directions or decisions
48N.—(1)  An organisation or a person (including any individual who is a complainant) aggrieved by —
(a) any direction made by the Commission under section 48G(2), 48I(1) or (2) or 48L(4); or
(b) any direction or decision made under section 48H(2),
may make a written application to the Commission to reconsider the direction or decision in accordance with this section.
[40/2020]
(2)  An organisation or a person aggrieved by a financial penalty imposed by the Commission under section 48J(1) on the organisation or person may make a written application to the Commission to reconsider the decision to impose the financial penalty or the amount of the financial penalty so imposed in accordance with this section.
[40/2020]
(3)  Unless the Commission decides otherwise in any particular case, an application for reconsideration does not suspend the effect of the direction or decision to be reconsidered except in the case of an application for reconsideration under subsection (2).
[40/2020]
(4)  The application for reconsideration —
(a) subject to subsection (5), must be submitted to the Commission within the prescribed period;
(b) must be made in the form and manner required by the Commission; and
(c) must set out the grounds on which the applicant is requesting the reconsideration.
[40/2020]
(5)  The Commission may, on written application by the organisation or person concerned (whether before, on or after the expiry of the prescribed period mentioned in subsection (4)(a)), extend the time for the organisation or person to make the application for reconsideration if the Commission is satisfied that the extension should be granted by reason of exceptional circumstances in the particular case.
[40/2020]
(6)  If an application for reconsideration is made in accordance with this section, the Commission must —
(a) reconsider the direction or decision;
(b) take any of the following actions as the Commission thinks fit:
(i) affirm, revoke or vary the direction or decision;
(ii) affirm or revoke, or vary the amount of, the financial penalty; and
(c) notify the applicant in writing of the result of the reconsideration.
[40/2020]
(7)  There is to be no application for reconsideration of a decision made under subsection (6)(b).
[40/2020]
Right of private action
48O.—(1)  A person who suffers loss or damage directly as a result of a contravention —
(a) by an organisation of any provision of Part 4, 5, 6, 6A or 6B; or
(b) by a person of any provision of Division 3 of Part 9 or section 48B(1),
has a right of action for relief in civil proceedings in a court.
[40/2020]
(2)  If the Commission has made a decision under this Act in respect of a contravention specified in subsection (1), an action accruing under subsection (1) may not be brought in respect of that contravention until after the decision has become final as a result of there being no further right of appeal.
[40/2020]
(3)  The court may grant to the claimant in an action under subsection (1) all or any of the following:
(a) relief by way of injunction or declaration;
(b) damages;
(c) any other relief as the court thinks fit.
[40/2020]
[Act 25 of 2021 wef 01/04/2022]
 

Archived for legal research. Authoritative version at sso.agc.gov.sg.