What does the Privacy Act apply to?

The Privacy Act of 1974 is a federal law that governs our collection and use of records we maintain on you in a system of records. A system of records is any grouping of information about an individual under the control of a Federal agency from which information is retrievable by personal identifiers, such as name, social security number, or other identifying number or symbol.  Under the Privacy Act, Federal agencies may not disclose information without consent unless certain exceptions apply to the disclosure. The Privacy Act provides protections to individuals in three primary ways. It provides individuals with:

  • the right to request their records, subject to Privacy Act exemptions;
  • the right to request a change to their records that are not accurate, relevant, timely or complete; and
  • the right to be protected against unwarranted invasion of their privacy resulting from the collection, maintenance, use, and disclosure of their personal information.

All of OSC's System of Records Notices (SORNs) are published in the Federal Register. These notices identify the legal authority for collecting and storing records, the individuals about whom records will be collected, what kinds of information will be collected, and how the records will be used.

The following are the twelve (12) Privacy Act exemptions under which consent to release information is not required:

  1. to those officers and employees of the agency which maintains the record who have a need for the record in the performance of their duties;
  2. required under section 552 of this title (FOIA disclosures);
  3. for a routine use as defined in subsection (a)(7) of this section and described under subsection (e)(4)(D) of this section (routine uses);
  4. to the Bureau of the Census for purposes of planning or carrying out a census or survey or related activity pursuant to the provisions of title 13;
  5. to a recipient who has provided the agency with advance adequate written assurance that the record will be used solely as a statistical research or reporting record, and the record is to be transferred in a form that is not individually identifiable;
  6. to the National Archives and Records Administration as a record which has sufficient historical or other value to warrant its continued preservation by the United States Government, or for evaluation by the Archivist of the United States or the designee of the Archivist to determine whether the record has such value;
  7. to another agency or to an instrumentality of any governmental jurisdiction within or under the control of the United States for a civil or criminal law enforcement activity if the activity is authorized by law, and if the head of the agency or instrumentality has made a written request to the agency which maintains the record specifying the particular portion desired and the law enforcement activity for which the record is sought;
  8. to a person pursuant to a showing of compelling circumstances affecting the health or safety of an individual if upon such disclosure notification is transmitted to the last known address of such individual;
  9. to either House of Congress, or, to the extent of matter within its jurisdiction, any committee or subcommittee thereof, any joint committee of Congress or subcommittee of any such joint committee;
  10. to the Comptroller General, or any of his authorized representatives, in the course of the performance of the duties of the Government Accountability Office;
  11. pursuant to the order of a court of competent jurisdiction; or
  12. to a consumer reporting agency in accordance with section 3711(e) of title 31.

Personal Data Protection Act 2012

This revised edition incorporates all amendments up to and including 1 December 2021 and comes into operation on 31 December 2021

An Act to govern the collection, use and disclosure of personal data by organisations, and to establish the Do Not Call Register and to provide for its administration, and for matters connected therewith.

[22/2016]

[2 January 2013: Parts I, II, VIII, IX (except sections 36 to 38, 41 and 43 to 48) and X (except section 67(1)), and the First, Seventh and Ninth Schedules;

2 December 2013: Sections 36, 37, 38 and 41;

2 January 2014: Sections 43 to 48 and 67(1) and the Eighth Schedule;

2 July 2014: Parts III to VII, and the Second to Sixth Schedules]

PART 1

1.  This Act is the Personal Data Protection Act 2012.

2.—(1)  In this Act, unless the context otherwise requires —

“advisory committee” means an advisory committee appointed under section 7;

“Appeal Committee” means a Data Protection Appeal Committee constituted under section 48P(4), read with the Seventh Schedule;

“Appeal Panel” means the Data Protection Appeal Panel established by section 48P(1);

“authorised officer”, in relation to the exercise of any power or performance of any function or duty under any provision of this Act, means a person to whom the exercise of that power or performance of that function or duty under that provision has been delegated under section 38 of the Info‑communications Media Development Authority Act 2016;

“Authority” means the Info‑communications Media Development Authority established by section 3 of the Info‑communications Media Development Authority Act 2016;

“benefit plan” means an insurance policy, a pension plan, an annuity, a provident fund plan or other similar plan;

“business” includes the activity of any organisation, whether or not carried on for purposes of gain, or conducted on a regular, repetitive or continuous basis, but does not include an individual acting in his or her personal or domestic capacity;

“business contact information” means an individual’s name, position name or title, business telephone number, business address, business electronic mail address or business fax number and any other similar information about the individual, not provided by the individual solely for his or her personal purposes;

“Chief Executive”, in relation to the Authority, means the Chief Executive of the Authority appointed under section 40(2) of the Info‑communications Media Development Authority Act 2016, and includes any individual acting in that capacity;

“Commission” means the person designated as the Personal Data Protection Commission under section 5 to be responsible for the administration of this Act;

“Commissioner” means the Commissioner for Personal Data Protection appointed under section 8(1)(a), and includes any Deputy Commissioner for Personal Data Protection or Assistant Commissioner for Personal Data Protection appointed under section 8(1)(b);

“credit bureau” means an organisation which —

(a) provides credit reports for gain or profit; or
(b) provides credit reports on a routine, non‑profit basis as an ancillary part of a business carried on for gain or profit;

“credit report” means a communication, whether in written, oral or other form, provided to an organisation to assess the creditworthiness of an individual in relation to a transaction between the organisation and the individual;

“data intermediary” means an organisation which processes personal data on behalf of another organisation but does not include an employee of that other organisation;

“derived personal data” —

(a) means personal data about an individual that is derived by an organisation in the course of business from other personal data, about the individual or another individual, in the possession or under the control of the organisation; but
(b) does not include personal data derived by the organisation using any prescribed means or method;

“document” includes information recorded in any form;

“domestic” means related to home or family;

“education institution” means an organisation that provides education, including instruction, training or teaching, whether by itself or in association or collaboration with, or by affiliation with, any other person;

“employee” includes a volunteer;

“employment” includes working under an unpaid volunteer work relationship;

“evaluative purpose” means —

(a) the purpose of determining the suitability, eligibility or qualifications of the individual to whom the data relates —
  (i) for employment or for appointment to office;
  (ii) for promotion in employment or office or for continuance in employment or office;
  (iii) for removal from employment or office;
  (iv) for admission to an education institution;
  (v) for the awarding of contracts, awards, bursaries, scholarships, honours or other similar benefits;
  (vi) for selection for an athletic or artistic purpose; or
  (vii) for grant of financial or social assistance, or the delivery of appropriate health services, under any scheme administered by a public agency;
(b) the purpose of determining whether any contract, award, bursary, scholarship, honour or other similar benefit should be continued, modified or cancelled;
(c) the purpose of deciding whether to insure any individual or property or to continue or renew the insurance of any individual or property; or
(d) such other similar purposes as the Minister may prescribe;

“individual” means a natural person, whether living or deceased;

“inspector” means an individual appointed as an inspector under section 8(1)(b);

“investigation” means an investigation relating to —

(a) a breach of an agreement;
(b) a contravention of any written law, or any rule of professional conduct or other requirement imposed by any regulatory authority in exercise of its powers under any written law; or
(c) a circumstance or conduct that may result in a remedy or relief being available under any law;

“national interest” includes national defence, national security, public security, the maintenance of essential services and the conduct of international affairs;

“organisation” includes any individual, company, association or body of persons, corporate or unincorporated, whether or not —

(a) formed or recognised under the law of Singapore; or
(b) resident, or having an office or a place of business, in Singapore;

“personal data” means data, whether true or not, about an individual who can be identified —

(a) from that data; or
(b) from that data and other information to which the organisation has or is likely to have access;

“prescribed healthcare body” means a healthcare body prescribed for the purposes of the Second Schedule by the Minister charged with the responsibility for health;

“prescribed law enforcement agency” means an authority charged with the duty of investigating offences or charging offenders under written law, prescribed for the purposes of sections 21(4) and 26D(6) and the Second Schedule by the Minister charged with the responsibility for that authority;

“private trust” means a trust for the benefit of one or more designated individuals who are the settlor’s friends or family members;

“proceedings” means any civil, criminal or administrative proceedings by or before a court, tribunal or regulatory authority that is related to the allegation of —

(a) a breach of an agreement;
(b) a contravention of any written law or any rule of professional conduct or other requirement imposed by any regulatory authority in exercise of its powers under any written law; or
(c) a wrong or a breach of a duty for which a remedy is claimed under any law;

“processing”, in relation to personal data, means the carrying out of any operation or set of operations in relation to the personal data, and includes any of the following:

(a) recording;
(b) holding;
(c) organisation, adaptation or alteration;
(d) retrieval;
(e) combination;
(f) transmission;
(g) erasure or destruction;

“public agency” includes —

(a) the Government, including any ministry, department, agency, or organ of State;
(b) any tribunal appointed under any written law; or
(c) any statutory body specified under subsection (2);

“publicly available”, in relation to personal data about an individual, means personal data that is generally available to the public, and includes personal data which can be observed by reasonably expected means at a location or an event —

(a) at which the individual appears; and
(b) that is open to the public;

“relevant body” means the Commission, the Appeal Panel or any Appeal Committee;

“tribunal” includes a judicial or quasi‑judicial body or a disciplinary, an arbitral or a mediatory body;

“user activity data”, in relation to an organisation, means personal data about an individual that is created in the course or as a result of the individual’s use of any product or service provided by the organisation;

“user‑provided data”, in relation to an organisation, means personal data provided by an individual to the organisation.

[22/2016; 40/2020]

(2)  The Minister may, by notification in the Gazette, specify any statutory body established under a public Act for a public function to be a public agency for the purposes of this Act.

3.  The purpose of this Act is to govern the collection, use and disclosure of personal data by organisations in a manner that recognises both the right of individuals to protect their personal data and the need of organisations to collect, use or disclose personal data for purposes that a reasonable person would consider appropriate in the circumstances.

4.—(1)  Parts 3, 4, 5, 6, 6A and 6B do not impose any obligation on —

(a) any individual acting in a personal or domestic capacity;
(b) any employee acting in the course of his or her employment with an organisation;
(c) any public agency; or
(d) any other organisations or personal data, or classes of organisations or personal data, prescribed for the purposes of this provision.

[40/2020]

(2)  Parts 3, 4, 5, 6 (except sections 24 and 25), 6A (except sections 26C(3)(a) and 26E) and 6B do not impose any obligation on a data intermediary in respect of its processing of personal data on behalf of and for the purposes of another organisation pursuant to a contract which is evidenced or made in writing.

[40/2020]

(3)  An organisation has the same obligation under this Act in respect of personal data processed on its behalf and for its purposes by a data intermediary as if the personal data were processed by the organisation itself.

(4)  This Act does not apply in respect of —

(a) personal data about an individual that is contained in a record that has been in existence for at least 100 years; or
(b) personal data about a deceased individual, except that the provisions relating to the disclosure of personal data and section 24 (protection of personal data) apply in respect of personal data about an individual who has been dead for 10 years or less.

(5)  Except where business contact information is expressly mentioned, Parts 3, 4, 5, 6 and 6A do not apply to business contact information.

[40/2020]

(6)  Unless otherwise expressly provided in this Act —

(a) nothing in Parts 3, 4, 5, 6, 6A and 6B affects any authority, right, privilege or immunity conferred, or obligation or limitation imposed, by or under the law, including legal privilege, except that the performance of a contractual obligation is not an excuse for contravening this Act; and
(b) the provisions of other written law prevail to the extent that any provision of Parts 3, 4, 5, 6, 6A and 6B is inconsistent with the provisions of that other written law.

[40/2020]

Who does the Australian Privacy Act apply to?

The Privacy Act provides 13 Australian Privacy Principles (APPs). The APPs apply to government agencies and private sector organisations with an annual turnover of $3 million or more. The APPs are principles-based—protecting privacy while not burdening agencies and organisations with inflexible prescriptive rules.

What acts are covered by the Data Privacy Act?

Republic Act No. 10173, otherwise known as the Data Privacy Act, is a law that seeks to protect all forms of information, be it private, personal, or sensitive. It is meant to cover both natural and juridical persons involved in the processing of personal information.

What does the Australian Privacy Act cover?

The Privacy Act 1988 (Privacy Act) was introduced to promote and protect the privacy of individuals and to regulate how Australian Government agencies and organisations with an annual turnover of more than $3 million, and some other organisations, handle personal information.