
GIR Insight: Know-how – Data Privacy & Transfer in Investigations: Singapore – Global Investigations Review

Farhana Sharmeen, Esther C. Franks and Gen Huong Tan

The collection, use and disclosure of personal data in Singapore is regulated by the Personal Data Protection Act 2012 (PDPA) and associated subsidiary legislation, including the Personal Data Protection Regulations 2021. The Personal Data Protection Commission (PDPC) is responsible for administering and enforcing the PDPA. 
Under the PDPA, the collection, use or disclosure of personal data typically requires an individual’s prior informed consent. However, in the context of an investigation, companies may seek to rely on the legitimate interests exception. Under paragraph 3 of Part 3 of the First Schedule to the PDPA, companies are not required to seek an individual’s consent if the collection, use or disclosure (as the case may be) of personal data about the individual is ‘necessary for any investigation or proceedings’.
Under the PDPA, investigation means:
Under the PDPA, proceedings means any civil, criminal or administrative proceedings by or before a court, tribunal or regulatory authority relating to the allegation of:
An organisation must not transfer any personal data to a country or territory outside Singapore unless it has taken appropriate steps to ensure that the overseas recipient is bound by legally enforceable obligations or specified certifications to provide the transferred personal data a standard of protection that is comparable to that under the PDPA.
Answer contributed by Farhana Sharmeen, Esther C. Franks and Gen Huong Tan

Companies should consider sectoral rules in Singapore that may prevent or restrict data sharing pertaining to an investigation. For example, in the context of licensed banks, banking secrecy in Singapore is governed by section 47 of the Banking Act (Cap. 19) (the Singapore Banking Act).
Banks and banking officers in Singapore cannot disclose customer information to any other person, except as expressly provided under the Singapore Banking Act. Parts I and II of the Third Schedule to the Singapore Banking Act specify the circumstances and conditions in which a bank can disclose customer information. For example, disclosures are permitted if they are necessary for the bank to comply with an order or request from a duly authorised Singapore police officer or public officer, with the purpose of providing information for an investigation or prosecution into alleged or suspected offences under written Singapore laws.

The PDPA protects only the personal data of natural persons. The definition of personal data is broad and includes ‘data, whether true or not, about an individual who can be identified either from that data alone or from a combination of that data and other information to which an organisation has, or is likely to have, access’. However, key data categories are excluded from the definition, including:

The PDPA applies to organisations that have personal data in their possession or control and where they collect, use or disclose personal data.
Although the PDPA does not contain specific territorial provisions, the PDPC’s Advisory Guidelines on Key Concepts in the PDPA (Revised 1 February 2021) provide that the obligations under the PDPA apply to organisations (whether or not they are in Singapore) carrying out activities involving personal data in Singapore. When personal data is collected overseas and transferred into Singapore, the PDPA will apply to any activities in Singapore involving that personal data.
Under the PDPA, a data intermediary is an organisation that processes data on behalf of another organisation, similar to a data processor under the GDPR, and is subject to fewer obligations than organisations under the PDPA.

Consent Obligation: A company is only allowed to collect, use or disclose an individual’s personal data if the individual gives, or is deemed to have given, their consent for the collection, use or disclosure of that personal data. This obligation does not apply if the collection, use or disclosure of an individual’s personal data is required or authorised under the PDPA, for example, under the legitimate interests exception, which includes where such collection, use or disclosure is necessary for ‘any investigation or proceedings’.
Purpose Limitation Obligation: A company may only collect, use or disclose personal data about an individual: (i) for purposes that a reasonable person would consider appropriate in the circumstances; and (ii) if applicable, for purposes for which the company has informed the individual.
Notification Obligation: If a company intends to rely on consent to collect, use or disclose an individual’s personal data, it must inform individuals of the purposes for which their personal data will be collected, used and disclosed.
Access Obligation: Individuals may request access to their personal data that is in the possession of or under the control of the company carrying out the investigation. The company is not required to provide such information if an exception applies, including if the information is subject to legal privilege, or if the investigation and associated proceedings and appeals have not been completed.
Protection Obligation: A company should make reasonable security arrangements to protect personal data in its possession or control, to prevent: (i) unauthorised access, collection, use, disclosure, copying, modification or disposal or similar risks; and (ii) the loss of any storage medium or device on which personal data is stored.
Retention Limitation Obligation: A company should cease to retain documents containing personal data, or remove the means by which the personal data can be associated with particular individuals, as soon as it is reasonable to assume that the purpose for which that personal data was collected is no longer served by retaining the personal data, and retention is no longer necessary for legal or business purposes.
Transfer Limitation Obligation: A company must not transfer any personal data to a country or territory outside Singapore, unless it has taken appropriate steps to ensure that the overseas recipient is bound by legally enforceable obligations or specified certifications to provide the transferred personal data a standard of protection comparable to that under the PDPA.
Data Breach Notification Obligation: Singapore has implemented a mandatory data breach notification regime, which requires data breaches to be notified to the PDPC if certain requirements and thresholds are met.
If a company has credible grounds to believe that a data breach has occurred (whether through self-discovery, alert from the public or notification by its data intermediary), the company is required to take reasonable and expeditious steps to assess whether the data breach is notifiable under the PDPA.

A company carrying out an internal investigation would likely be considered an organisation under the PDPA, and would therefore be subject to the PDPA’s full requirements, including:
Consent Obligation. The company is allowed to collect, use or disclose an individual’s personal data if the individual gives, or is deemed to have given, their consent for the collection, use or disclosure of that personal data. This obligation does not apply if the collection, use or disclosure of an individual’s personal data is required or authorised under the PDPA, for example, under the legitimate interests exception, which includes if such action is ‘necessary for any investigation or proceedings’.
Another specified legitimate interest may apply if the investigation relates to company employees and if the collection, use or disclosure of the personal data is reasonable for the purpose of ‘managing or terminating the employment relationship’ with the individual.
Purpose Limitation Obligation. The company may collect, use or disclose personal data about an individual only: (i) for purposes that a reasonable person would consider appropriate in the circumstances; and (ii) if applicable, for purposes about which the company has informed the individual.
Notification Obligation. If the company intends to rely on consent to collect, use or disclose an individual’s personal data, it must inform individuals of the purposes for which their personal data will be collected, used and disclosed.
Access and Correction Obligations. Individuals may request access to their personal data, and may request corrections to their personal data, that is in the possession of or under the control of the company carrying out the internal investigation. The company is not required to provide or correct such information if an exception applies, for example if the personal data is in a document related to a prosecution, and if all proceedings related to the prosecution have not been completed.
Accuracy Obligation. The company should make a reasonable effort to ensure that personal data collected by or on behalf of the company is accurate and complete, if the personal data: (i) is likely to be used by the company to make a decision that affects the individual to whom the personal data relates; or (ii) is likely to be disclosed by the company to another organisation.
Protection Obligation. The company should make reasonable security arrangements to protect personal data in its possession or control, to prevent: (i) unauthorised access, collection, use, disclosure, copying, modification or disposal or similar risks; and (ii) the loss of any storage medium or device on which personal data is stored.
Retention Limitation Obligation. The company should cease to retain documents containing personal data, or remove the means by which the personal data can be associated with particular individuals, as soon as it is reasonable to assume that the purpose for which that personal data was collected is no longer served by retention of the personal data, and retention is no longer necessary for legal or business purposes.
Transfer Limitation Obligation. The company must not transfer any personal data to a country or territory outside Singapore, unless it has taken appropriate steps to ensure that the overseas recipient is bound by legally enforceable obligations or specified certifications to provide the transferred personal data a standard of protection comparable to that under the PDPA.
Data Breach Notification Obligation. Singapore has implemented a mandatory data breach notification regime, which requires data breaches to be notified to the PDPC if certain requirements and thresholds are met.
If the company has credible grounds to believe that a data breach has occurred (whether through self-discovery, alert from the public or notification by its data intermediary), the company is required to take reasonable and expeditious steps to assess whether the data breach is notifiable under the PDPA.
Accountability Obligation. The company should have internal measures in place to help meet its obligations under the PDPA. These include: (i) appointing a data protection officer; (ii) developing and implementing data protection policies and practices; and (iii) developing a process to receive and respond to complaints that may arise with respect to the application of the PDPA.
A party assisting with an investigation would likely be considered a data intermediary of the company carrying out the investigation.
A data intermediary is subject to a more limited set of obligations under the PDPA for the personal data it processes on behalf of a company, namely the Protection and Retention Obligations.
In addition, if a data intermediary has reason to believe that a data breach has occurred in relation to personal data that it is processing on behalf of the company carrying out the investigation, it must, without undue delay, notify the company of the data breach.

No. A company could seek to rely on the legitimate interests exception.
Paragraph 3 of Part 3 of the First Schedule to the PDPA, refers to instances in which the collection, use or disclosure of personal data about an individual is ‘necessary for any investigation or proceedings’.
Under the PDPA, investigation relates to:
Under the PDPA, proceedings means any civil, criminal or administrative proceedings by or before a court, tribunal or regulatory authority that relates to the allegation of:
Another specified legitimate interest may apply if the investigation relates to company employees and if the collection, use or disclosure of the personal data is reasonable for the purpose of ‘managing or terminating the employment relationship’ with the individual.
PDPC guidelines suggest that, from an employer’s perspective, monitoring how an employee uses company computer network resources and conducting audits on an employee’s finance claims could fall within ‘managing or terminating an employment relationship’.

Consent may still be considered when a company is planning an investigation. The company should determine whether an individual previously consented to the processing of their personal data for the purposes of internal investigations, for example, through on-boarding documents at the start of employment.
However, under the PDPA, individuals may at any time withdraw their consent in respect of the collection, use or disclosure of their personal data for any purpose. Parties cannot contract out of this right, which poses difficulties in the context of an investigation, and therefore it may be easier for the company to rely on an exception to the consent requirement.
If an individual withdraws consent, employers may continue collecting, using or disclosing the personal data by relying on other PDPA exceptions, such as the ‘necessary for any investigation or proceedings’ exception. Per section 16(4) of the PDPA, the organisation is not required to cease collecting, using or disclosing the personal data if such activities (without the consent of the individual) are required or authorised under the PDPA or other Singapore law.
If an investigation relates to certain offences such as money-laundering, drug-trafficking or corruption, the company should consider whether seeking consent from the relevant individual(s) might alert such individual(s) of the investigation, and whether this would constitute the tipping-off offence under section 48(1) of the Corruption, Drug Trafficking and Other Serious Crimes (Confiscation of Benefits) Act.

Yes, provided that the employee is informed, on or before collection of the personal data, that the employer may collect, use or disclose their personal data for the purposes of investigations, and the purposes set out are those that a reasonable person would consider appropriate in the circumstances.
This consent does not need to be specific and separate, and could be included alongside other processing activities in an employee-facing privacy policy.
Consent will not be valid if the organisation obtains or attempts to obtain consent by providing false or misleading information, or by using deceptive or misleading practices.

The PDPC does not prescribe a specific form for obtaining consent. Typical methods for obtaining consent include asking the data subject to sign a consent form, or to acknowledge a privacy policy containing a description of the collection, use or disclosure of their personal data.
Data subjects can consent to the processing of their personal data in advance.

Data subjects may submit an access request to a company. However, companies are not required to accede to such requests if an exception from the Access Obligation applies. Exceptions to the Access Obligation that may be relevant in the context of an investigation include:
In addition, if an organisation has disclosed personal data to a prescribed Singapore law enforcement agency without consent, as authorised under the PDPA or other Singapore law, the PDPA requires that it must not inform the individual about such disclosure. This obligation does not extend to disclosures to foreign law enforcement agencies, though the organisation may refuse to disclose such information if another exception to the Access Obligation applies.

Depending on the scope of work and the nature of the arrangement, such third parties may be considered the data intermediaries of the appointing organisation under the PDPA.
An organisation appointing such third parties should be aware that, if a data intermediary processes personal data on its behalf, the organisation is subject to the same personal data obligations under the PDPA as it would be if it processed the personal data itself.
The PDPC recommends that such organisations: (i) undertake an appropriate level of due diligence to ensure that a potential data intermediary is capable of complying with the PDPA; and (ii) emphasise in written contracts the scope of work that the data intermediary will perform on its behalf and for its purposes.

Yes. A company may either obtain consent from the individual(s) involved or seek to rely on the legitimate interests exception. For example, if the collection, use or disclosure (as the case may be) of personal data about an individual is: (i) necessary for the provision of legal services by the organisation to another person, or for the organisation to obtain legal services; or (ii) necessary for any investigation or proceedings.

Law firms do not have a specific or special status under the PDPA. Whether a law firm is directly accountable, or has shared responsibility with the client, is a fact-specific question that depends on whether the law firm is acting as (i) an organisation or (ii) a data intermediary.
If a law firm is processing data for its own purposes, and those purposes are outside the scope of the contract between the firm and the client, then the firm likely will be considered an organisation and will be required to comply with the full obligations of the PDPA.
If a law firm is processing data on behalf of a client for the purposes set out in a contract between the law firm and client, then the law firm likely will be considered a data intermediary and will only be subject to the Protection and Retention Obligations, and will need to notify the client of potential data breaches.
Under such arrangements, the client would have the same obligations under the PDPA in respect of personal data processed on its behalf by the law firm, as if the personal data were processed by the client itself.

Assuming that a legal process outsourcing firm is processing data only on behalf of a client for the purposes of an investigation, the firm will be considered a data intermediary and will only be subject to the Protection and Retention Obligations.
Under such arrangements, the client would have the same obligations under the PDPA in respect of personal data processed on its behalf by the legal process outsourcing firm, as if the personal data were processed by the client itself.

Companies should consider sectoral rules in Singapore that may regulate disclosure. For example, financial institutions in Singapore should comply with the Guidelines on Outsourcing issued by the Monetary Authority of Singapore, if the arrangement with the third party can be considered an outsourcing arrangement.

An organisation must not transfer personal data to a country or territory outside Singapore unless it has taken appropriate steps to ensure that the overseas recipient is bound by legally enforceable obligations or specified certifications to provide the transferred personal data a standard of protection that is comparable to that under the PDPA (the Transfer Limitation Obligation).

For an organisation to transfer personal data outside of Singapore, the Transfer Limitation Obligation can be discharged in the following ways:

The transfer of personal data to regulators or enforcement authorities within Singapore is permissible if the organisation complies with the usual obligations under the PDPA.
An organisation seeking to transfer the personal data should ensure that: (i) the organisation has the individual’s express or deemed consent for the transfer; or (ii) an exception applies that permits the disclosure of personal data without the individual’s consent.
Possible exceptions:
The list of prescribed law enforcement agencies is set out under subsidiary legislation and includes the following Singapore authorities: (i) Casino Regulatory Authority of Singapore; (ii) Central Narcotics Bureau; (iii) Immigration & Checkpoints Authority; (iv) Internal Security Department; (v) Singapore Civil Defence Force; (vi) Singapore Police Force; (vii) Singapore Prison Service; and (viii) the Corrupt Practices Investigation Bureau.
Information-gathering powers of Singapore regulators and enforcement authorities
The PDPA provides that other Singapore legislation provisions shall prevail over the PDPA, to the extent that there are inconsistencies.
Accordingly, if an organisation: (i) receives a request or written notice from a Singapore regulator or enforcement authority requesting a transfer of personal data; and (ii) such request or written notice is made validly pursuant to powers granted to the Singapore regulator or enforcement authority under other Singapore legislation, then the organisation would not be able to rely on compliance with the PDPA as a sufficient reason for refusing such a request or written notice.

Transferring personal data to regulators or enforcement authorities outside of Singapore is permissible if an organisation complies with the usual obligations under the PDPA.
An organisation seeking to transfer the personal data should ensure that: (i) the organisation either has the individual’s express or deemed consent for the transfer; or (ii) an exception applies that permits the disclosure of personal data without the individual’s consent.
While the PDPA stipulates that other Singapore legislation shall prevail over the PDPA to the extent that there are inconsistencies, this does not extend to foreign legislation or to the powers granted to non-Singapore regulators or enforcement authorities. Foreign regulators or enforcement authorities are also not considered prescribed law enforcement agencies, which benefit from a PDPA exemption.
Possible exceptions:
An organisation is not required to notify the PDPC of personal data transfers to regulators or enforcement authorities in other countries.

Organisations should take steps to verify that the request is legitimate and that the request is from the regulator that it purports to be from. For example, the PDPC has alerted the Singapore public to impersonation scams involving individuals pretending to be PDPC officers.
Recipients should check that the email address has the appropriate suffix and is a Singapore government email address, or whether the sender and their email address are listed in the Singapore Government Directory, available here.
The recipients should then assess the legal basis for the request to ensure that the request is duly authorised under Singapore legislation.

The PDPC may require an organisation to pay a financial penalty of up to SGD 1 million for non-compliance with the PDPA.
Following an update to the PDPA, this maximum penalty will be amended to be either SGD 1 million or 10 per cent of the organisation’s annual turnover in Singapore, whichever is higher. This amendment will take effect on a further date to be notified, and no earlier than 1 February 2022.
The PDPC may also issue directions to an organisation to secure compliance with the PDPA, including to:
Individuals may be criminally prosecuted in certain limited circumstances for the egregious mishandling of personal data, including:
Individuals found guilty of any of these offences are subject to a fine not exceeding SGD 5,000 or to imprisonment for a term not exceeding two years, or both.

The authors are not aware of case law or specific guidance from the PDPC regarding internal and external investigations and transfers to regulators or enforcement authorities.
The PDPA is available here.
The PDPC’s Advisory Guidelines are available here.
The list of published PDPC enforcement decisions is available here.