Singapore legislation
Clause 38
Clause 38
Offences relating to improper access or collection of accessible health information by users or authorised individuals of users
(1)
A specified user or an authorised individual of a specified user must not access or collect accessible health information about any individual except for a specified purpose, or as otherwise required or permitted under this Act.
(2)
An approved user or an authorised individual of an approved user must not —
access or collect any type of accessible health information that is not specified in the notification published in respect of that approved user under section 20(2); or
access or collect accessible health information about any individual except for a purpose specified in that notification, or as otherwise required or permitted under this Act.
(3)
A user or an authorised individual of a user (X) must not access or collect accessible health information about any individual if —
either of the following applies:
a class 1 access restriction is in force in respect of accessible health information about that individual;
a class 2 access restriction is in force in respect of accessible health information about that individual, and X’s access or collection of that accessible health information is not in accordance with that access restriction; and
X’s access or collection of accessible health information about that individual is not otherwise permitted under section 30(3), (4) or (5).
(4)
Except in a case where subsection (5) applies, a person who contravenes subsection (1), (2) or (3) shall be guilty of an offence and shall be liable on conviction —
to a fine not exceeding $50,000 or to imprisonment for a term not exceeding 2 years or to both, unless paragraph (b) applies; or
if the person has a prior qualifying conviction — to a fine not exceeding $100,000 or to imprisonment for a term not exceeding 4 years or to both.
(5)
A person who contravenes subsection (1), (2) or (3) by accessing or collecting accessible health information about any individual for an excluded purpose shall be guilty of an offence and shall be liable on conviction —
to a fine not exceeding $100,000 or to imprisonment for a term not exceeding 4 years or to both, unless paragraph (b) applies; and
if the person has a prior qualifying conviction — to a fine not exceeding $200,000 or to imprisonment for a term not exceeding 7 years or to both.
(6)
In subsections (4) and (5), “qualifying conviction” means a conviction for an offence under subsection (4) or (5).
(7)
It is not a defence in any proceedings for an offence under subsection (4) or (5) that the accused accessed or collected accessible health information about an individual on the basis that the individual has consented or has given his or her consent in accordance with Part 4 of the Personal Data Protection Act 2012 or such consent is not required under that Part.
(8)
It is not a defence in any proceedings for an offence under subsection (4) or (5) in relation to a contravention of subsection (1) that the accused accessed or collected accessible health information about an individual for more than one purpose, and any of those purposes is a specified purpose.
(9)
It is not a defence in any proceedings for an offence under subsection (4) or (5) in relation to a contravention of subsection (2) that the accused accessed or collected accessible health information about an individual for more than one purpose, and any of those purposes is a purpose mentioned in subsection (2)(b).