Singapore legislation

Clause 22 of Personal Data Protection (Amendment) Bill

New Parts IXA and IXB

The principal Act is amended by inserting, immediately after section 48, the following Parts:

“PART IXA

DICTIONARY ATTACKS AND ADDRESS-HARVESTING SOFTWARE

Interpretation of this Part

48A.—

(1) In this Part, unless the context otherwise requires —

“address‑harvesting software” means software that is specifically designed or marketed for use for —

(a) searching the Internet for telephone numbers; and

(b) collecting, compiling, capturing or otherwise harvesting those telephone numbers;

“applicable message” means a message with a Singapore link that is sent to any applicable telephone number;

“applicable telephone number” means a telephone number that is generated or obtained through the use of —

(a) a dictionary attack; or

(b) address‑harvesting software;

“dictionary attack” means the method by which the telephone number of a recipient is obtained using an automated means that generates possible telephone numbers by combining numbers into numerous permutations;

“message”, “send”, “sender” and “Singapore telephone number” have the meanings given by section 36(1).

(2) In this Part, an applicable message has a Singapore link in any of the following circumstances:

(a) the message originates in Singapore;

(b) the sender of the message —

(i) where the sender is an individual — is physically present in Singapore when the message is sent; or

(ii) in any other case —

(A) is formed or recognised under the law of Singapore; or

(B) has an office or a place of business in Singapore;

(c) the telephone, mobile telephone or other device that is used to access the message is located in Singapore;

(d) the recipient of the message —

(i) where the recipient is an individual — is physically present in Singapore when the message is accessed; or

(ii) in any other case — carries on business or activities in Singapore when the message is accessed;

(e) if the message cannot be delivered because the telephone number to which the message is sent has ceased to exist (assuming that the telephone number existed), it is reasonably likely that the message would have been accessed using a telephone, mobile telephone or other device located in Singapore.

(3) For the purposes of the definition of “applicable message” in subsection (1), it does not matter —

(a) whether the telephone number to which the message is sent is a Singapore telephone number;

(b) whether that telephone number exists; or

(c) whether the message reaches its intended destination.

(4) For the purposes of this Part, a telecommunications service provider that merely provides a service that enables an applicable message to be sent is, unless the contrary is proved, presumed not to have sent, caused to be sent or authorised the sending of the applicable message.

(5) For the purposes of this Part, if, at the time an applicable message is sent, the telecommunications device, service or network from which it was sent was controlled by a person without the knowledge of the owner or authorised user of the telecommunications device, service or network (as the case may be), the owner or authorised user (as the case may be) is, unless the contrary is proved, presumed not to have sent, caused to be sent or authorised the sending of the applicable message.

(6) In subsection (5), “control” means —

(a) physical control; or

(b) control through the use of software or other means.

Prohibition on use of dictionary attacks and address‑harvesting software

48B.—

(1) Subject to subsections (2) and (3), a person must not send, cause to be sent or authorise the sending of an applicable message.

(2) Subsection (1) does not apply to an employee (P) who sends, causes to be sent or authorises the sending of an applicable message in good faith —

(a) in the course of P’s employment; or

(b) in accordance with instructions given to P by or on behalf of P’s employer in the course of P’s employment.

(3) However, subsection (2) does not apply to a person (P) who, at the time the applicable message was sent, was an officer or a partner of the sender and it is proved that —

(a) P knew or ought reasonably to have known that the telephone number is an applicable telephone number; and

(b) the applicable message was sent with P’s consent or connivance, or the sending of the applicable message was attributable to any neglect on P’s part.

(4) In this section —

“corporation” has the meaning given by section 52(7);

“officer” —

(a) in relation to a corporation, has the meaning given by section 52(7); or

(b) in relation to an unincorporated association (other than a partnership), has the meaning given by section 52A(7);

“partner”, in relation to a partnership, has the meaning given by section 52A(7).

PART IXB

OFFENCES AFFECTING PERSONAL DATA AND ANONYMISED INFORMATION

Interpretation and application of this Part

48C.—

(1) In this Part, unless the context otherwise requires —

“disclose”, in relation to personal data, includes providing access to personal data;

“gain” means —

(a) a gain in property or a supply of services, whether temporary or permanent; or

(b) an opportunity to earn remuneration or greater remuneration or to gain a financial advantage otherwise than by way of remuneration;

“harm”, in relation to an individual, means —

(a) any physical harm; or

(b) harassment, alarm or distress caused to the individual;

“loss” means —

(a) a loss in property or a supply of services, whether temporary or permanent; or

(b) a loss of an opportunity to earn remuneration or greater remuneration or to gain a financial advantage otherwise than by way of remuneration,

but excludes, in relation to an individual, the loss of personal data about the individual;

“Monetary Authority of Singapore” means the Monetary Authority of Singapore established by section 3 of the Monetary Authority of Singapore Act (Cap. 186);

“relevant public official” has the meaning given by section 7(5) of the Public Sector (Governance) Act 2018 (Act 5 of 2018);

“Singapore public sector agency” has the meaning given by section 2(1) of the Public Sector (Governance) Act 2018.

(2) This Part does not apply to an individual who —

(a) at the time of the commission of any offence under section 48D(1), 48E(1) or 48F(1), is a relevant public official in a Singapore public sector agency; or

(b) is or has been a director or an officer or employee of the Monetary Authority of Singapore in respect of the disclosure, use or re‑identification of information acquired in the performance of the individual’s duties or the exercise of the individual’s functions.

Unauthorised disclosure of personal data

48D.—

(1) If —

(a) an individual discloses, or the individual’s conduct causes disclosure of, personal data in the possession or under the control of an organisation or a public agency to another person;

(b) the disclosure is not authorised by the organisation or public agency, as the case may be; and

(c) the individual does so —

(i) knowing that the disclosure is not authorised by the organisation or public agency, as the case may be; or

(ii) reckless as to whether the disclosure is or is not authorised by the organisation or public agency, as the case may be,

the individual shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $5,000 or to imprisonment for a term not exceeding 2 years or to both.

(2) In proceedings for an offence under subsection (1), it is a defence to the charge for the accused to prove, on a balance of probabilities, any of the following:

(a) that —

(i) the personal data in the possession or under the control of the organisation or public agency (as the case may be) that was disclosed was, at the time of the disclosure, publicly available; and

(ii) where the personal data was publicly available solely because of an applicable contravention, the accused did not know, and was not reckless as to whether, that was the case;

(b) the accused disclosed, or caused the disclosure of, personal data in the possession or under the control of the organisation or public agency, as the case may be —

(i) as permitted or required by or under an Act or other law (apart from this Act);

(ii) as authorised or required by an order of court;

(iii) in the reasonable belief that, and was not reckless as to whether, the accused had the legal right to do so; or

(iv) in any other circumstances, or for any other purpose, prescribed.

(3) To avoid doubt, subsection (2) does not affect any obligation or limitation imposed on, or prohibition of, the disclosure of personal data in the possession or under the control of an organisation or a public agency (as the case may be) by or under any other written law or other law.

(4) In this section, “applicable contravention” means a contravention of any of the following:

(a) subsection (1);

(b) section 48F(1);

(c) section 7(1) or 8(1) of the Public Sector (Governance) Act 2018;

(d) section 14A(1) or 14C(1) of the Monetary Authority of Singapore Act.

Improper use of personal data

48E.—

(1) If —

(a) an individual makes use of personal data in the possession or under the control of an organisation or a public agency;

(b) the use is not authorised by the organisation or public agency, as the case may be;

(c) the individual does so —

(i) knowing that the use is not authorised by the organisation or public agency, as the case may be; or

(ii) reckless as to whether the use is or is not authorised by the organisation or public agency, as the case may be; and

(d) the individual, as a result of that use —

(i) obtains a gain for the individual or another person;

(ii) causes harm to another individual; or

(iii) causes a loss to another person,

the individual shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $5,000 or to imprisonment for a term not exceeding 2 years or to both.

(2) In proceedings for an offence under subsection (1), it is a defence to the charge for the accused to prove, on a balance of probabilities, any of the following:

(a) that —

(i) the personal data in the possession or under the control of the organisation or public agency (as the case may be) that was used was, at the time of the use, publicly available; and

(ii) where the personal data was publicly available solely because of an applicable contravention, the accused did not know, and was not reckless as to whether, that was the case;

(b) the accused used the personal data in the possession or under the control of the organisation or public agency, as the case may be —

(i) as permitted or required by or under an Act or other law (apart from this Act);

(ii) as authorised or required by an order of court;

(iii) in the reasonable belief that, and was not reckless as to whether, the accused had the legal right to do so; or

(iv) in any other circumstances, or for any other purpose, prescribed.

(3) To avoid doubt, subsection (2) does not affect any obligation or limitation imposed on, or prohibition of, the use of personal data in the possession or under the control of an organisation or a public agency (as the case may be) by or under any other written law or other law.

(4) In this section, “applicable contravention” means a contravention of any of the following:

(a) section 48D(1) or 48F(1);

(b) section 7(1) or 8(1) of the Public Sector (Governance) Act 2018;

(c) section 14A(1) or 14C(1) of the Monetary Authority of Singapore Act.

Unauthorised re-identification of anonymised information

48F.—

(1) If —

(a) an individual takes any action to re-identify or cause re‑identification of the person to whom anonymised information in the possession or under the control of an organisation or a public agency relates (called in this section the affected person);

(b) the re‑identification is not authorised by the organisation or public agency, as the case may be; and

(c) the individual does so —

(i) knowing that the re‑identification is not authorised by the organisation or public agency, as the case may be; or

(ii) reckless as to whether the re‑identification is or is not authorised by the organisation or public agency, as the case may be,

the individual shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $5,000 or to imprisonment for a term not exceeding 2 years or to both.

(2) In proceedings for an offence under subsection (1), it is a defence to the charge for the accused to prove, on a balance of probabilities, any of the following:

(a) that —

(i) the information on the identity of the affected person is publicly available; and

(ii) where that information was publicly available solely because of an applicable contravention, the accused did not know, and was not reckless as to whether, that was the case;

(b) the action to re-identify or cause re-identification is —

(i) permitted or required by or under an Act or other law (apart from this Act); or

(ii) authorised or required by an order of court;

(c) the accused —

(i) reasonably believed that the re‑identification was for a specified purpose; and

(ii) notified the Commission or the organisation or public agency (as the case may be) of the re‑identification as soon as was practicable;

(d) the accused took the action to re‑identify or cause re‑identification in the reasonable belief that, and was not reckless as to whether, the accused had the legal right to do so, other than for a specified purpose;

(e) in any other circumstances, or for any other purpose, prescribed.

(3) To avoid doubt, subsection (2) does not affect any obligation or limitation imposed on, or prohibition of, the re‑identification of the affected person by or under any other written law or other law.

(4) In this section —

“applicable contravention” means a contravention of any of the following:

(a) subsection (1);

(b) section 8(1) of the Public Sector (Governance) Act 2018;

(c) section 14C(1) of the Monetary Authority of Singapore Act;

“specified purpose” means any purpose specified in the Eleventh Schedule.”.
