Singapore legislation
Clause 27
Obligations of requestors
(1)
A requestor must establish and implement policies and practices to ensure that derived information obtained by the requestor under the section 25 approval granted to the requestor is accessed, collected, disclosed and used in accordance with this Act.
(2)
For the purposes of subsection (1), the policies and practices mentioned in that subsection must include policies and practices in respect of any matters prescribed relating to the access, collection, disclosure and use of derived information.
(3)
In relation to any type 1 derived information obtained by a requestor in accordance with section 25, the requestor —
(a) must not, except with the prior written approval of the Minister, disclose to any person or class of persons other than a person or class of persons specified in the section 25 approval granted to the requestor (if any) —
    (i) the type 1 derived information; or
    (ii) aggregated or anonymised health information derived from the type 1 derived information;
(b) must not use, for any purpose other than a purpose specified in the section 25 approval —
    (i) the type 1 derived information; or
    (ii) aggregated or anonymised health information derived from the type 1 derived information; and
(c) subject to subsection (6) or unless this Act or the section 25 approval otherwise specifies, must delete or destroy the type 1 derived information and all copies thereof after the purpose specified in the section 25 approval has been fulfilled or otherwise ceases to apply.
(4)
Subsection (3)(a) includes the disclosure, by the requestor to another person, of aggregated or anonymised health information derived from type 1 derived information where —
(a) the requestor —
    (i) discloses that aggregated or anonymised health information together with any other information; or
    (ii) knows or has reason to believe that the other person has, or is likely to have access to, any other information; and
(b) the other information mentioned in paragraph (a)(i) or (ii), when used in conjunction with the aggregated or anonymised health information, identifies or allows for the identification of any individual.
(5)
Where a requestor obtains type 2 derived information, in accordance with section 25, the requestor —
(a) except with the prior written approval of the Minister, must not disclose the type 2 derived information to any person;
(b) must not use the type 2 derived information for any purpose other than a purpose specified in the section 25 approval granted to the requestor;
(c) must not do any act or take any step to identify or cause the identification of any individual from the type 2 derived information except —
    (i) where it is necessary to do so in connection with the administration or execution of anything under this Act;
    (ii) where the identification of the individual is required or permitted under this Act or any other written law, or by an order of court;
    (iii) where, in the opinion of the Minister, the identification of the individual is necessary for any purpose related to public health; or
    (iv) in any other circumstances that may be prescribed; and
(d) subject to subsection (6) or unless this Act or the section 25 approval otherwise specifies, must delete or destroy the type 2 derived information and all copies thereof after the purpose specified in the section 25 approval has been fulfilled or otherwise ceases to apply.
(6)
Subsection (3)(c) or (5)(d) does not apply to the extent that the requestor is required to retain the type 1 derived information or type 2 derived information (as the case may be) by or under, or for the purpose of complying with, any written law, rule of law or rule of professional conduct or ethics.
(7)
A requestor who contravenes subsection (1) shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $50,000 or to imprisonment for a term not exceeding 2 years or to both.