Singapore legislation
Clause 66
Data security and handling of health information and relevant information
(1) A relevant person must —
    (a) implement reasonable controls to ensure the secure processing of health information or relevant information, as the case may be;
    (b) implement reasonable safeguards to protect against the unauthorised access, collection, use, disclosure, copying, modification, disposal, destruction or loss of health information or relevant information, as the case may be; and
    (c) ensure that every personnel who accesses or handles health information or relevant information (as the case may be) is aware of his or her role and responsibility in ensuring that —
        (i) the confidentiality and integrity of the information is protected; and
        (ii) the information is available for use by the relevant person (including individuals employed or engaged by the relevant person who are authorised to access or handle the information) in the ordinary course of the relevant person’s activities.
(2) For the purposes of subsection (1)(a), the controls to ensure the secure processing of health information or relevant information include controls or requirements relating to the classification of the information, having regard to —
    (a) the nature of the information; and
    (b) the likely consequences that follow from the disclosure of the information.
(3) A relevant person must, in relation to any health information or relevant information that is in the form of or part of an extract or a compilation of de‑identified or aggregated information, additionally ensure that —
    (a) the confidentiality and integrity of the extract or compilation is maintained at all times; and
    (b) the extract or compilation is available for use in the ordinary course of the relevant person’s activities.
(4) If health information is processed by a relevant HDI (A) of a contributor or user (B) —
    (a) A must —
        (i) implement reasonable controls to ensure the secure processing of health information;
        (ii) implement reasonable safeguards to protect against the unauthorised access, collection, use, disclosure, copying, modification, disposal, destruction or loss of health information; and
        (iii) ensure that every personnel who accesses or handles health information is aware of his or her role and responsibility in ensuring that —
            (A) the confidentiality and integrity of the health information is protected; and
            (B) the health information is available for use by B (including individuals employed or engaged by B who are authorised to access or handle the health information) in the ordinary course of B’s activities; and
    (b) B must ensure that A complies with all the requirements under paragraph (a).
(5) A relevant person or a relevant HDI of a contributor or user must comply with any requirements that may be prescribed in relation to —
    (a) the processing of health information or relevant information (as the case may be), including the controls mentioned in subsection (1)(a) or (4)(a)(i) that must be implemented, if any; and
    (b) the protection of health information or relevant information (as the case may be) against unauthorised access, collection, use, disclosure, copying, modification, disposal, destruction or loss.
(6) A person who contravenes subsection (1), (3), (4) or (5) shall be guilty of an offence and shall be liable on conviction —
    (a) in the case of an individual, to a fine not exceeding $200,000 or to imprisonment for a term not exceeding 2 years or to both; or
    (b) in any other case, to a fine not exceeding $1 million.