Access and correction rights — sections 21 and 22 PDPA framework
The Personal Data Protection Act 2012 (PDPA) establishes two core individual rights enforceable against organisations: the access obligation under section 21 and the correction obligation under section 22. The Personal Data Protection Commission (PDPC), established under the PDPA, administers and enforces the regime; the Commission also issues advisory guidelines that interpret these statutory obligations for organisations.
Scope of the access right (section 21). Upon request, organisations must provide individuals with (a) access to their personal data that is in the organisation's possession or under its control, and (b) information about the ways in which the personal data was used or disclosed within the 12 months preceding the request. The right applies to personal data — defined in section 2 as data, whether true or not, about an individual who can be identified from that data or from that data and other information to which the organisation has or is likely to have access. The PDPA does not apply to public agencies (which are instead governed by separate public-sector data-protection rules), individuals acting on a personal or domestic basis, or business contact information (such as job title, business telephone, or business email).
Response timeline and fees. Organisations must respond to access requests "as soon as reasonably possible" under section 21(1). The PDPC's Advisory Guidelines on Key Concepts interpret this to mean organisations should respond within 30 days of receiving a request; if unable to comply within 30 days, the organisation must notify the individual in writing within that period of when it will respond. Organisations may charge a reasonable fee reflecting the incremental cost of producing the requested data, but the fee must not be excessive. An individual may apply to the Commission under section 48H(1) for review of a fee the individual considers excessive; the Commission may then direct the organisation not to exceed a specified amount.
Statutory exceptions to access. The PDPA provides a suite of statutory exceptions in the Fourth Schedule permitting organisations to refuse access where, for example, disclosure could threaten the safety, physical health, or mental health of the individual or another person; would reveal the identity of another individual who has not consented; is subject to legal privilege; would prejudice an investigation or legal proceeding; or would be contrary to the national interest (defined in section 2(1) to include national defence, national security, public security, the maintenance of essential services, and the conduct of international affairs). Organisations may also refuse frivolous or vexatious requests.
The correction obligation (section 22). An individual may request that an organisation correct an error or omission in the individual's personal data in the organisation's possession or under its control. Organisations must correct the data as soon as practicable after receiving the request. If the organisation cannot complete the correction within 30 days, it must inform the individual in writing within 30 days of when it will complete the correction. Once corrected, the organisation must send the corrected data to every other organisation to which the personal data was disclosed within the year before the correction was made, unless the individual consents to a narrower set of recipient organisations. This onward-notification rule ensures data accuracy propagates through the processing chain.
Review and enforcement. If an organisation refuses an access or correction request, charges what the individual considers an excessive fee, or fails to respond within a reasonable time, the individual may apply to the PDPC under section 48H(1) for a Commission review. The Commission may direct the organisation to comply, reduce the fee, or take other remedial action under section 48H(2). The PDPC also has investigatory and enforcement powers for broader contraventions of the Access and Correction Obligations; enforcement decisions are published on the PDPC website at pdpc.gov.sg/commissions-decisions. Parties to civil proceedings relating to the PDPA may also refer to the Rules of Court 2021, Order 57.
The PDPA was originally enacted in 2012 and substantively revised in 2020 (effective in phases through 2021–2022) to add mandatory data-breach notification, data portability, and Part 9B criminal offences for knowing or reckless unauthorised disclosure, misuse for wrongful gain or loss, and re-identification of anonymised data. Organisations subject to the PDPA must designate a Data Protection Officer (DPO) and make the DPO's business contact information publicly available under the Accountability Obligation (section 12). For cross-border context, Singapore's PDPA distinguishes between organisations (the party that determines the purposes and means of processing, analogous to GDPR "controllers") and data intermediaries (processors acting on behalf of an organisation). Data intermediaries are subject to the Protection and Retention Limitation obligations but not to the Access and Correction obligations, on the policy rationale that intermediaries often lack visibility into the data they process and do not interact directly with individuals.
Source: Personal Data Protection Act 2012, sections 2, 12, 21, 22, 48H
Source: PDPC – Data Protection Obligations
Source: PDPC – Advisory Guidelines on Key Concepts in the PDPA (17 May 2022)
Withdrawal of consent — section 16 PDPA framework and reasonable notice requirement
Section 16 of the Personal Data Protection Act 2012 (PDPA) establishes the right to withdraw consent — one of the foundational data-subject rights in Singapore's consent-based privacy regime. Unlike the EU GDPR, which provides six alternative lawful bases for processing, the PDPA follows a primarily consent-driven model with statutory exceptions; withdrawal therefore plays an especially important role in ensuring that individuals retain control over their personal data throughout the processing lifecycle.
Core right under section 16(1). An individual may at any time withdraw any consent given — or deemed to have been given under the Act — in respect of the collection, use, or disclosure of personal data by an organisation. The right extends to both express consent (affirmative agreement) and deemed consent, which may arise under section 14 (voluntary provision to the organisation for a purpose that would be considered reasonable by a reasonable person) or section 15 (notification-based deemed consent for specified purposes, introduced in the 2020 amendments). Withdrawal requires that the individual give "reasonable notice" to the organisation; the statute does not prescribe a fixed period but instead adopts a fact-sensitive standard. The Personal Data Protection Commission (PDPC) Advisory Guidelines on Key Concepts interpret "reasonable notice" to depend on the context — including the administrative burden on the organisation to action the withdrawal, the sensitivity of the data, the scale of processing, and the complexity of unwinding processing activities already underway.
Organisation's duty to inform (section 16(2)). Upon receiving a withdrawal notice, the organisation must inform the individual of the likely consequences of withdrawing consent. Consequences may include the inability to continue providing a service, termination of a contractual relationship, or loss of access to features that rely on the processing of the individual's personal data. The obligation is procedural: the PDPA does not require the organisation to obtain fresh consent or defer the withdrawal; it must simply provide transparent notice so the individual can make an informed decision. For example, if an individual withdraws consent to the use of location data by a ride-hailing app, the organisation must notify the individual that the app will no longer function without that data.
No prohibition on withdrawal (section 16(3)). The statute explicitly provides that organisations must not prohibit an individual from withdrawing consent. This is an absolute bar: tying access to a service to irrevocable consent, or refusing to process a withdrawal request, contravenes section 16(3). However, the subsection expressly preserves "legal consequences arising from such withdrawal" — meaning that while the organisation cannot block the withdrawal itself, it may enforce ordinary contractual or service-level consequences. For instance, a bank may terminate a credit card account if the cardholder withdraws consent to creditworthiness assessments required under banking regulations or internal risk policies, provided that consequence is communicated clearly under section 16(2).
Effect on retention obligations (section 16(4) and interaction with section 25). Section 16(4) states that, subject to section 25 (Retention Limitation Obligation), if an individual withdraws consent to the collection, use, or disclosure of personal data, the organisation must cease collecting, using, or disclosing the data as soon as reasonably practicable. "Reasonably practicable" recognises operational realities — an organisation need not instantaneously delete data from backup systems or third-party processors if doing so would be technically infeasible, but the organisation must take prompt, good-faith steps to halt active processing and initiate deletion workflows. Section 25, however, carves out retention where a business or legal purpose requires continued retention — such as compliance with accounting records retention under the Companies Act, ongoing litigation holds, or fraud-prevention imperatives. The PDPC has clarified in enforcement decisions that organisations relying on section 25 exceptions must document the specific legal or business purpose and may not continue to use or disclose the data for purposes unrelated to that retention justification.
Interaction with statutory exceptions to consent. Where an organisation processes personal data on the basis of a statutory exception to consent under the Second Schedule (for example, to investigate and respond to an incident, comply with a legal obligation, or for evaluative purposes under exception 1(f)), withdrawal of consent has no effect on that processing because consent was never the lawful basis. The PDPC Advisory Guidelines emphasise that organisations must clearly communicate to individuals whether processing is consent-based or exception-based; if both apply, the organisation may continue processing under the exception even after withdrawal, but only for the scope covered by that exception.
PDPC review powers. Section 48H(1) grants individuals a right to apply to the PDPC for review if an organisation refuses to process a withdrawal request, fails to respond within a reasonable time, or imposes consequences the individual considers disproportionate or unlawful. The Commission may direct the organisation to comply with the withdrawal, clarify the lawful consequences, or impose other remedial measures. Enforcement decisions are published on the PDPC website at pdpc.gov.sg/commissions-decisions. Representative enforcement examples include the 2019 decision against a loyalty-program operator that purported to make consent irrevocable for the term of membership, which the PDPC found contrary to section 16(3), and a 2021 decision involving a telco that failed to halt marketing communications within a reasonable period post-withdrawal.
Practical implementation considerations. Best-practice guidance from the PDPC recommends that organisations maintain documented withdrawal mechanisms — such as online account-preference centres, unsubscribe links in marketing emails, or dedicated DPO contact channels — and record the date and scope of each withdrawal for audit purposes. Where processing spans multiple purposes (e.g., service delivery, analytics, and marketing), organisations should enable granular withdrawal by purpose rather than requiring all-or-nothing withdrawal. The Advisory Guidelines also note that organisations should preserve evidence of the original consent and the subsequent withdrawal to defend against future complaints or regulatory inquiries.
Singapore's withdrawal-of-consent framework reflects the PDPC's policy objective of balancing individual autonomy with operational feasibility for data-driven business models. The "reasonable notice" standard, the duty to inform consequences, and the preservation of lawful contractual consequences together create a regime under which individuals can exit consent-based processing without penalising organisations for legitimate reliance on that consent up to the point of withdrawal.
Source: Personal Data Protection Act 2012, section 16
Source: PDPC – Advisory Guidelines on Key Concepts in the PDPA (17 May 2022)
PDPC review application — section 48H individual complaint mechanism and Commission powers
Section 48H of the Personal Data Protection Act 2012 (PDPA) establishes the individual review application mechanism — the primary statutory route for data subjects to challenge an organisation's refusal or failure to comply with the Access, Correction, or Withdrawal of Consent obligations. This Commission-led review process empowers the Personal Data Protection Commission (PDPC) to issue binding directions to organisations that contravene data-subject rights, creating an administrative enforcement channel that does not require the individual to commence civil litigation.
## Scope of reviewable matters (section 48H(1))
An individual may apply to the PDPC for review in three scenarios:
(a) Refusal to comply. The organisation refuses to comply with a request under section 21 (access to personal data), section 22 (correction of personal data), or section 16 (withdrawal of consent).
(b) Failure to comply within a reasonable time. The organisation fails to respond to such a request within a reasonable time. The statute does not prescribe a fixed deadline; the PDPC Advisory Guidelines on Key Concepts (17 May 2022) interpret "reasonable time" for access and correction requests as ordinarily 30 days from receipt of the request. If an organisation cannot respond within 30 days, the Guidelines recommend that the organisation notify the individual in writing within that period of the extended timeline.
(c) Excessive fee (access requests only). For access requests under section 21, the organisation charges a fee that the individual considers excessive. Section 21 permits organisations to charge a "reasonable fee" reflecting the incremental cost of providing access, but the fee must not be excessive. An individual who disputes the fee may apply to the PDPC for review under section 48H(1)(c).
The right to apply for review is individual — only the data subject, or a person validly acting on the individual's behalf under section 14(4) of the PDPA, may initiate the process. Third parties and advocacy groups have no standing unless authorised by the individual.
## Commission review powers (section 48H(2))
If the PDPC accepts a review application and determines that the organisation has contravened the Access, Correction, or Withdrawal obligation, the Commission may issue a binding direction requiring the organisation to:
- Provide the requested access or correction;
- Cease collecting, using, or disclosing the personal data (for withdrawal-of-consent cases);
- Not charge more than a specified amount for access (in fee-dispute cases); or
- Take any other action the Commission considers appropriate to remedy the contravention.
Directions under section 48H(2) are enforceable. Failure to comply with a Commission direction is itself a separate contravention of the PDPA and may trigger enforcement action under Part IX of the Act, including financial penalties under section 48J (which permits penalties up to 10% of annual turnover or SGD 1 million, whichever is higher, for serious contraventions).
## Procedural framework
The Personal Data Protection (Appeal) Regulations 2021 prescribe the procedural rules for review applications. An individual must submit the application in the form and manner specified by the PDPC; the Commission publishes complaint forms and guidance on its website at pdpc.gov.sg. The Commission has discretion whether to accept an application; it may decline to review if the matter is trivial, frivolous, or vexatious, or if the individual has not first attempted to resolve the dispute directly with the organisation (though the statute does not explicitly require prior exhaustion).
If the PDPC accepts the application, it will notify the organisation and invite written submissions from both parties. The Commission may request documents, conduct interviews, or inspect records under its investigatory powers in Part IX. Reviews are conducted administratively — the statute does not provide for oral hearings, cross-examination, or formal rules of evidence, though the PDPC must observe principles of natural justice (notice, opportunity to be heard, impartiality).
## Appeals from Commission decisions
A party aggrieved by a Commission direction under section 48H(2) may appeal to the PDPC Appeal Panel under section 48P of the PDPA within 28 days of the direction. The Appeal Panel, established under section 48O and comprising independent members appointed by the Minister, conducts a review of the Commission's decision. The Appeal Panel may affirm, vary, or set aside the Commission's direction, or remit the matter for reconsideration. Appeal Panel decisions are final on the facts but may be challenged in the High Court on a question of law via judicial review under the Rules of Court 2021.
## Interaction with civil proceedings
Section 48H does not displace an individual's right to bring a civil claim for breach of statutory duty or other common-law remedies. However, the PDPC has indicated in guidance materials that individuals should consider the section 48H review mechanism before resorting to litigation, as Commission review is free and does not require legal representation. A Commission direction under section 48H(2) remedies the contravention prospectively (by requiring the organisation to comply going forward) but does not award compensation for past harm; an individual seeking monetary damages must pursue a separate civil action.
## Enforcement context and published decisions
The PDPC publishes enforcement decisions (including outcomes of section 48H reviews) on its website at pdpc.gov.sg/commissions-decisions. These published decisions illustrate the Commission's application of the Access, Correction, and Withdrawal obligations and provide guidance to organisations on compliance expectations. Organisations subject to the PDPA should establish clear internal processes for handling data-subject requests, including designated points of contact (often the Data Protection Officer required under section 12 of the PDPA), documented response timelines, and procedures for invoking statutory exceptions where applicable.
Where an organisation relies on a statutory exception to access or correction — for example, exceptions in the Fourth Schedule to the PDPA for legal privilege, safety risks, or disclosure that would reveal confidential commercial information — the organisation must be prepared to justify the specific exception and its factual basis in any PDPC review. Conclusory refusals without particulars are unlikely to withstand Commission scrutiny.
Source: Personal Data Protection Act 2012, sections 12, 14, 16, 21, 22, 48H, 48J, 48O, 48P
Source: Personal Data Protection (Appeal) Regulations 2021
Source: PDPC – Advisory Guidelines on Key Concepts in the PDPA (17 May 2022)
Source: PDPC – Commission's Decisions
Verification of identity for access and correction requests — reasonable steps requirement
Before responding to an access request under section 21 or a correction request under section 22 of the Personal Data Protection Act 2012 (PDPA), organisations must verify that the requester is the individual to whom the personal data relates or a person validly authorised to act on the individual's behalf. This verification obligation is a threshold requirement derived from the statutory framework and PDPC guidance, designed to prevent unauthorised disclosure of personal data to impostors or bad actors. The Personal Data Protection Commission (PDPC) has consistently emphasised that verification is not optional — it is a necessary procedural safeguard that organisations must implement before fulfilling any data-subject request.
## Statutory foundation and policy rationale
While sections 21 and 22 of the PDPA do not expressly prescribe an identity-verification step, the obligation follows from the Protection Obligation under section 24, which requires organisations to "make reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks" to personal data in their possession or under their control. Disclosing personal data to an unverified requester who is not the data subject — or who lacks authority to act on the data subject's behalf — constitutes unauthorised disclosure and contravenes section 24. The PDPC has issued enforcement decisions finding that organisations that failed to verify identity before disclosing personal data in response to purported data-subject requests breached the Protection Obligation.
The PDPC's Guide to Handling Access Requests (9 June 2016), a non-binding but authoritative resource published by the Commission, devotes an entire section (section 5, "Ascertaining identity") to identity verification. The Guide states that organisations should establish documented procedures for verifying the identity of requesters and should apply a risk-based approach: the more sensitive the personal data, the more robust the verification method should be. The PDPC Advisory Guidelines on Key Concepts in the PDPA (17 May 2022), which elaborate on the Access and Correction Obligations, similarly note that organisations must take reasonable steps to confirm the requester's identity before providing access or making corrections, particularly where the data includes NRIC numbers, passport numbers, financial records, health information, or other sensitive categories.
## Risk-based verification standard — "reasonable steps"
The PDPA does not mandate a specific verification method (such as government-issued ID or two-factor authentication). Instead, the standard is one of reasonableness — the measures must be proportionate to the sensitivity of the data, the context of the request, and the risks of unauthorised disclosure. The PDPC's Guide to Handling Access Requests recommends that organisations consider the following factors when designing verification procedures:
Nature and sensitivity of the personal data. Requests for highly sensitive data (medical records, financial account details, biometric data, data concerning minors) warrant stronger verification — such as in-person presentation of a government-issued identity document, notarised authorisation letters for agents, or multi-factor authentication for online portals. Requests for lower-sensitivity data (marketing preferences, mailing address updates) may permit lighter-touch verification, such as matching the email address or telephone number on file with the requester's contact information.
Channel of the request. In-person requests allow for direct inspection of identification documents. Online or email requests require additional safeguards — for example, requiring the requester to log into a password-protected account that was previously set up with verified credentials, or sending a one-time password to a pre-registered mobile number or email address. The PDPC has cautioned against relying solely on email addresses without additional confirmation, as email accounts can be compromised or spoofed.
Frequency and volume of requests from the same requester. A pattern of repeated or unusual requests may indicate fraud or an attempt at social engineering; organisations should escalate verification procedures or flag the request for manual review in such cases.
Whether the requester is the individual or an authorised representative. If the request is made by a third party (such as a parent acting on behalf of a minor child, a legal guardian, a power-of-attorney holder, or a deceased individual's estate representative), the organisation must verify both the identity of the representative and the authority to act on behalf of the data subject. The PDPC recommends requesting documentation such as a birth certificate (for parent-child relationships), a court order appointing a guardian, a notarised power of attorney, or a grant of probate or letters of administration (for estate representatives). Section 14(4) of the PDPA provides a statutory gateway for parents and guardians to give or withdraw consent on behalf of individuals under 18 years of age (for consent-related purposes); by analogy, the PDPC has indicated that similar authority extends to access and correction requests where the individual lacks capacity or has delegated authority.
## Acceptable verification methods (PDPC guidance)
The PDPC's Guide to Handling Access Requests and published enforcement decisions illustrate the following acceptable verification approaches:
- Government-issued photo ID (NRIC, passport, driving licence) presented in person or submitted as a certified copy, with comparison to the individual's record on file.
- Knowledge-based authentication — asking the requester to provide information that only the data subject would know (date of birth, account number, recent transaction details, answers to security questions previously set by the individual). The PDPC cautions that this method alone may be insufficient for highly sensitive data, as knowledge-based questions can sometimes be answered by attackers who have obtained partial information through data breaches or social engineering.
- Login to a secure account — for organisations that maintain online customer accounts (banks, telcos, e-commerce platforms), allowing the individual to submit the request through a password-protected portal or mobile app that was previously registered with verified credentials. This method satisfies the verification requirement provided the initial account setup itself involved adequate identity verification.
- One-time password (OTP) or two-factor authentication — sending a code to the individual's registered mobile number or email and requiring the requester to provide the code as proof of identity.
- Notarised declarations or statutory declarations — for high-stakes or large-volume requests, organisations may request a statutory declaration or notarised affidavit attesting to the requester's identity and authority.
Organisations should document the verification method used and retain a record of the verification (without retaining unnecessary copies of identification documents longer than required under the Retention Limitation Obligation in section 25 of the PDPA). If an organisation refuses to provide access or make a correction because the requester has not provided sufficient identification, the organisation must inform the requester of the refusal and the reason, and allow the requester to resubmit the request with adequate verification.
## Verification failures and consequences
If an organisation discloses personal data to an unverified requester, it may contravene both the Protection Obligation (section 24) and the Consent Obligation (section 13, if the disclosure occurs without consent and no statutory exception applies). The PDPC has the power to impose financial penalties of up to SGD 1 million or 10% of the organisation's annual turnover in Singapore (whichever is higher) under section 48J of the PDPA for serious or repeated contraventions. Published enforcement decisions include cases where organisations disclosed customer data to third parties who falsely claimed to be the data subject or to have authority to act on the data subject's behalf; in each case, the PDPC found that inadequate identity verification contributed to the breach.
Conversely, if an organisation over-verifies and refuses a legitimate request on the grounds that the individual has not provided identification that the organisation has no legal basis to demand (for example, demanding a certified passport copy for a low-sensitivity request when the individual's registered email would suffice), the individual may file a complaint with the PDPC under section 48H(1) for failure to comply with the Access or Correction Obligation. The PDPC will then review whether the organisation's verification requirements were reasonable in the circumstances. Organisations should therefore calibrate their verification procedures to avoid both under-verification (risking unauthorised disclosure) and over-verification (creating unnecessary friction or discriminatory barriers for individuals exercising their statutory rights).
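As an added illustration of the risk-based standard described in this section (example code, not PDPC guidance or any organisation's actual procedure), the following Python encodes the factors above (data sensitivity, request channel, request frequency, representative authority) as a policy check and also flags the over-verification failure mode. The assurance ordering, sensitivity tiers, the 30-day/three-request escalation rule, and all identifiers are constructed assumptions.

```python
"""Risk-based identity verification for PDPA access/correction requests.

Illustrative policy-as-code added here as an example; it is not PDPC guidance or any
organisation's real procedure. Tiers, thresholds and identifiers are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from enum import IntEnum


class Assurance(IntEnum):
    """Relative strength of a verification method (constructed ordering)."""
    NONE = 0
    CONTACT_MATCH = 1          # email/phone given matches the record on file
    KNOWLEDGE = 2              # DOB, account number, security questions
    OTP = 3                    # one-time code to a pre-registered channel
    ACCOUNT_LOGIN = 4          # portal set up with previously verified credentials
    GOVERNMENT_ID = 5          # NRIC/passport/licence, in person or certified copy
    STATUTORY_DECLARATION = 6  # notarised or statutory declaration


# Sensitivity of the requested data -> minimum assurance (assumed mapping).
SENSITIVITY_MINIMUM = {
    "low": Assurance.CONTACT_MATCH,   # marketing preferences, mailing address
    "medium": Assurance.OTP,          # account history, contact details
    "high": Assurance.GOVERNMENT_ID,  # medical, financial, biometric, minors' data
}
# Documents evidencing authority to act for the data subject (per the guidance).
AUTHORITY_DOCUMENTS = {
    "parent": {"birth_certificate"},
    "guardian": {"court_order"},
    "attorney": {"notarised_power_of_attorney"},
    "estate": {"grant_of_probate", "letters_of_administration"},
}
REPEAT_WINDOW = timedelta(days=30)
REPEAT_THRESHOLD = 3  # this many requests inside the window escalates verification


@dataclass
class Request:
    requester_id: str                      # constructed identifier
    sensitivity: str                       # "low" | "medium" | "high"
    channel: str                           # "in_person" | "online" | "email"
    role: str = "self"                     # "self" or a key of AUTHORITY_DOCUMENTS
    presented: tuple = ()                  # Assurance levels the requester satisfied
    authority_documents: frozenset = frozenset()
    demanded: Assurance = Assurance.NONE   # what the organisation asked for
    received_at: datetime = datetime(2024, 1, 15)


@dataclass
class Decision:
    outcome: str                           # "proceed" | "insufficient"
    required: Assurance
    achieved: Assurance
    reasons: list = field(default_factory=list)


def prior_requests(req: Request, *days_ago: int) -> list:
    """Constructed history: receipt times of earlier requests from this requester."""
    return [req.received_at - timedelta(days=d) for d in days_ago]


def assess(req: Request, history: list) -> Decision:
    """Apply the proportionality standard to one request against its history."""
    reasons = []
    required = SENSITIVITY_MINIMUM[req.sensitivity]

    # Frequency factor: a burst of requests escalates the minimum by one level.
    recent = [t for t in history if timedelta(0) <= req.received_at - t <= REPEAT_WINDOW]
    if len(recent) + 1 >= REPEAT_THRESHOLD:
        required = Assurance(min(required + 1, Assurance.STATUTORY_DECLARATION))
        reasons.append("repeated requests within window: escalated, manual review")

    # Channel factor: a remote request backed only by a matching contact detail
    # is treated as unverified (mailboxes can be spoofed or compromised).
    presented = set(req.presented)
    if req.channel in ("email", "online") and presented == {Assurance.CONTACT_MATCH}:
        presented.clear()
        reasons.append("contact match alone is not adequate for a remote request")
    achieved = max(presented, default=Assurance.NONE)

    # Representative factor: verify the agent's identity AND authority to act.
    if req.role != "self" and not (
        AUTHORITY_DOCUMENTS.get(req.role, set()) & req.authority_documents
    ):
        reasons.append(f"no authority document for role '{req.role}'")
        return Decision("insufficient", required, achieved, reasons)

    if achieved < required:
        reasons.append(f"presented {achieved.name} is below required {required.name}")
        return Decision("insufficient", required, achieved, reasons)

    # Over-verification: once the proportionate minimum is met, a demand for more
    # must not become grounds for refusing a legitimate request.
    if req.demanded > required:
        reasons.append(f"demanded {req.demanded.name} exceeds required "
                       f"{required.name}; refusing on that basis is over-verification")
    return Decision("proceed", required, achieved, reasons)
```

The `reasons` list is what a reviewer would record alongside the decision, so that a later PDPC review can see why a given level was demanded or refused.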
## Interaction with other data-protection frameworks
Singapore's verification-of-identity standard under the PDPA is similar in philosophy to the reasonable measures standard under the EU GDPR Article 12(6), which permits controllers to request additional information to confirm the identity of the data subject where the controller has "reasonable doubts" about identity, but prohibits controllers from requesting more information than is necessary for verification. The PDPC has noted that GDPR-compliant verification procedures are likely to satisfy the PDPA's reasonableness standard, though organisations operating in Singapore should tailor their procedures to local expectations and the PDPC's published guidance.
Source: Personal Data Protection Act 2012, sections 13, 14, 21, 22, 24, 25, 48H, 48J
Source: PDPC – Guide to Handling Access Requests (9 June 2016)
Source: PDPC – Advisory Guidelines on Key Concepts in the PDPA (17 May 2022)
Fourth Schedule statutory exceptions to access and correction — legal privilege, safety, and national interest
The Personal Data Protection Act 2012 (PDPA) establishes two core individual rights — the access obligation under section 21 and the correction obligation under section 22 — but permits organisations to refuse access or correction in circumstances specified in the Fourth Schedule to the Act. These statutory exceptions are exhaustive and narrowly construed by the Personal Data Protection Commission (PDPC); organisations bear the burden of demonstrating that a specific exception applies and may not invoke general privacy concerns, operational inconvenience, or commercial sensitivity outside the statutory framework.
## Fourth Schedule structure and scope
The Fourth Schedule sets out nine categories of exceptions to the access and correction obligations, each reflecting a competing public-interest or individual-safety rationale that the legislature judged to outweigh the data subject's informational rights in defined circumstances. The exceptions apply to both the access obligation (section 21) and the correction obligation (section 22), with one exception (exception 1(a), discussed below) that applies only to access. Organisations may refuse a request in whole or in part; where only a portion of the requested data falls within an exception, the organisation must provide access to or correct the remainder.
## Exception 1: Legal and adjudicative privilege
Exception 1(a): Legal professional privilege. An organisation may refuse to provide access to personal data that is subject to legal professional privilege. This exception mirrors the common-law doctrine of legal privilege and protects confidential communications between a client and a legal adviser made for the purpose of obtaining or providing legal advice, or for use in actual or reasonably contemplated litigation. The PDPC has held that the privilege belongs to the client (the data subject), not to the organisation; therefore, if the data subject consents to disclosure or has waived privilege, the organisation may no longer rely on this exception. Where a request seeks both privileged and non-privileged data, the organisation must segregate and provide the non-privileged portions.
Exception 1(b): Judicial privilege. An organisation may refuse access to personal data if disclosure would reveal the identity of a confidential source of information in circumstances where confidentiality is reasonably expected. This exception protects whistleblowers, investigative sources, and analogous confidential informants. The PDPC has clarified that "confidential source" requires both an express or implied promise of confidentiality and a reasonable expectation that disclosure would deter future cooperation. The exception does not extend to routine business contacts or customer referrals unless the organisation can demonstrate a specific confidentiality undertaking.
Exception 1(c): Evaluative or opinion material. An organisation may refuse access to personal data compiled solely for an evaluative purpose in the course of determining suitability, eligibility, or qualifications for employment, promotion, contract award, or similar decisions — but only if disclosure would reveal the identity of a confidential source. The exception applies principally to reference checks, confidential performance assessments, and competitive-selection scoring. The PDPC has emphasised that the exception is narrow: if the evaluative material does not identify a confidential source, or if it was compiled for both evaluative and operational purposes, the exception does not apply. Furthermore, factual data underlying an evaluation (such as attendance records or sales figures) is not evaluative material and must be disclosed.
## Exception 2: Health and safety
Exception 2(a): Serious harm to health or safety. An organisation may refuse access to personal data if providing access would threaten the life, health, or safety of the individual requesting access or of another individual. This exception applies most frequently in healthcare, mental-health, and domestic-violence contexts. For example, a medical practitioner may withhold access to clinical notes if disclosure would cause serious psychological harm to the patient or would identify a third party at risk of harm. The PDPC's Advisory Guidelines on Key Concepts note that "serious harm" requires more than transient distress or discomfort; the risk must be substantial and objectively foreseeable. Organisations relying on this exception must document the factual basis and, where practicable, offer the individual an alternative mechanism for access (such as disclosure to a nominated healthcare professional or legal representative).
Exception 2(b): Another individual's personal data — consent refusal. An organisation may refuse access to personal data if the data cannot reasonably be severed from personal data of another individual and that other individual has not consented to disclosure. This exception addresses commingled data — for example, email correspondence containing both the requester's and a third party's personal information, or joint account records. The PDPC has held that organisations must make reasonable efforts to redact or sever third-party data before invoking this exception; wholesale refusal is not permitted where redaction is feasible. The exception does not apply if the third party's data is already publicly available or if the third party is a data subject who would reasonably expect disclosure in the context of the relationship (such as a co-signatory to a contract).
## Exception 3: Law enforcement and legal proceedings
Exception 3: Prejudice to enforcement, proceedings, or investigation. An organisation may refuse access if disclosure would be reasonably likely to prejudice the detection, investigation, or prosecution of an offence; the enforcement of any written law; the conduct of a judicial, quasi-judicial, or administrative proceeding; or the safety or security of correctional institutions. The exception is forward-looking — the prejudice must be a likely consequence of disclosure, not a speculative risk. The PDPC has noted that organisations must distinguish between data whose disclosure would actually compromise an ongoing investigation (for example, by revealing investigative methods, witness identities, or evidence not yet adduced) and data that merely relates to an investigation. Mere involvement in litigation or regulatory inquiry does not trigger the exception; the organisation must demonstrate the specific prejudice.
## Exception 4: National interest
Exception 4: National interest. An organisation may refuse access if disclosure would be contrary to the national interest. Section 2(1) of the PDPA defines "national interest" to include:
- Defence of Singapore;
- National security, public security, or public safety;
- The maintenance of essential services; and
- The conduct of the international affairs of Singapore.
The exception is invoked principally by government-linked organisations, critical-infrastructure operators, and entities holding data under official-secrets or national-security classifications. The PDPC has stated that invocation of the national-interest exception should be accompanied by a reference to the specific statutory authority or government directive underpinning the refusal, and that organisations should seek guidance from the relevant government agency (such as the Ministry of Home Affairs or Ministry of Defence) before relying on this exception in response to a data-subject request.
## Exception 5: Specified-law prohibitions
Exception 5: Prohibition or restriction by specified law. An organisation may refuse access to the extent that disclosure is prohibited or restricted by another written law of Singapore. The exception recognises that sectoral statutes — such as the Banking Act (secrecy provisions), the Official Secrets Act, or the Corruption, Drug Trafficking and Other Serious Crimes (Confiscation of Benefits) Act — may impose disclosure restrictions that override the PDPA's access obligations. The organisation must identify the specific statutory provision that prohibits or restricts disclosure; vague references to "regulatory requirements" or "banking secrecy" do not suffice. The PDPC's enforcement decisions have found that organisations improperly citing this exception without naming the statute and section contravened the Access Obligation.
## Exception 6: Requested data does not exist or cannot be found
Exception 6: Data does not exist or cannot be found after reasonable search. An organisation may refuse access if the personal data requested does not exist or cannot be located after the organisation has made reasonable efforts to search for it. This is a factual exception, not a discretionary one. The PDPC expects organisations to conduct a diligent search of systems, archives, and backup repositories reasonably likely to contain the requested data, and to document the search efforts. If data has been lawfully deleted pursuant to the Retention Limitation Obligation (section 25 of the PDPA), the organisation should inform the requester of the deletion and the retention schedule that applied. Organisations may not refuse access simply because retrieval is administratively inconvenient or costly; the reasonableness standard balances the requester's rights against the organisation's legitimate operational constraints.
## Exception 7: Frivolous or vexatious requests
Exception 7: Frivolous, vexatious, or repetitive requests. An organisation may refuse access to personal data if the request is frivolous or vexatious, or if the organisation has already provided access to substantially the same data on a recent prior occasion and there is no reasonable basis to believe the data has changed. The PDPC's Advisory Guidelines define "frivolous or vexatious" as requests that are manifestly unreasonable, made in bad faith, or intended to harass the organisation rather than to obtain information. Factors include repetitive requests with no material change in circumstances, requests that seek voluminous or overly broad categories of data with no apparent legitimate purpose, and requests coupled with threats or abusive language. Organisations should exercise caution before invoking this exception; the PDPC has found that organisations citing "vexatious" grounds without particularised evidence contravened the Access Obligation. If an organisation refuses a request as vexatious, it must inform the individual of the refusal and the reasons, and the individual retains the right to apply to the PDPC for review under section 48H.
## Exception 8: Requests requiring disclosure of proprietary information of the organisation
Exception 8: Proprietary information that could harm competitive position. An organisation may refuse access to personal data if disclosure would reveal confidential commercial information that could reasonably be expected to harm the competitive position of the organisation. This exception is not listed explicitly in the Fourth Schedule as of the statute's current consolidation; instead, it is addressed through the Second Schedule exceptions to consent and the PDPC's guidance on balancing individual rights with legitimate business interests. Organisations should note that commercial sensitivity alone does not override the Access Obligation unless the data falls within one of the Fourth Schedule exceptions (such as exception 1(c) for evaluative material with a confidential source). The PDPC has cautioned that organisations may not refuse access to factual personal data — such as transaction histories, account balances, or contact preferences — on the basis that aggregating such data with other customers' data yields competitive intelligence; the exception, where it applies, protects the organisation's proprietary algorithms, pricing models, or strategic analyses that the data might reveal.
## Exception 9: Correction would be inconsistent with a legal or business purpose
While the Fourth Schedule exceptions apply to both access and correction, section 22(5) of the PDPA provides an additional ground for refusing a correction request: the organisation may refuse to correct personal data if it would be inconsistent with any legal or business purpose for which the data is being used or disclosed at the time of the request. For example, an organisation may refuse to correct historical transaction records or audit logs if doing so would compromise financial reporting integrity, evidentiary value in litigation, or compliance with statutory recordkeeping requirements. The PDPC has held that organisations relying on this ground must identify the specific legal or business purpose and demonstrate that correction — as opposed to annotation or supplementation — would undermine that purpose. Organisations should consider offering the individual the ability to append a statement of disagreement to the record if correction cannot be made.
## Procedural requirements when invoking exceptions
When an organisation refuses an access or correction request on the basis of a Fourth Schedule exception, it must inform the individual of the refusal and the reason (section 21(4) and section 22(4) of the PDPA). The PDPC expects organisations to provide sufficient detail to enable the individual to understand the factual and legal basis for the refusal, and to decide whether to seek PDPC review under section 48H. Generic or conclusory refusals — such as "your request is denied on legal grounds" — do not satisfy the statutory notice requirement and may themselves constitute a contravention of the Access or Correction Obligation. Organisations should document the exception invoked, the factual circumstances supporting it, and any internal review or legal advice obtained, to defend the refusal in the event of a PDPC review or enforcement action.
Source: Personal Data Protection Act 2012, sections 2, 21, 22, 25, 48H, Fourth Schedule
Source: PDPC – Advisory Guidelines on Key Concepts in the PDPA (17 May 2022)
Statutory exceptions to access and correction — Fourth and Sixth Schedule grounds for refusal
The Personal Data Protection Act 2012 (PDPA) permits organisations to refuse access requests under section 21 or correction requests under section 22 where a statutory exception in the Fourth Schedule (access exceptions) or Sixth Schedule (correction exceptions) applies. These Schedules establish narrow, enumerated grounds on which an organisation may withhold personal data or decline to correct it, balancing the individual's data-subject rights against competing public-interest, safety, confidentiality, and evidentiary concerns. The Personal Data Protection Commission (PDPC) has emphasised in published guidance and enforcement decisions that these exceptions are to be construed narrowly — organisations bear the burden of demonstrating that a specific exception applies and must provide a reasoned refusal when invoking one.
## Fourth Schedule — exceptions to access (section 21)
The Fourth Schedule to the PDPA sets out twelve categories of personal data that an organisation may refuse to disclose in response to an access request. An organisation relying on a Fourth Schedule exception is not required to provide access to the data covered by the exception, but must inform the individual of the refusal and the specific exception relied upon (unless disclosing the exception itself would compromise the underlying protected interest, such as revealing an ongoing criminal investigation). The exceptions are:
1. Threat to life, health, or safety (paragraph 1(a)–(c)). An organisation may refuse access where disclosure is likely to:
- Threaten the life or safety of the individual or another individual;
- Threaten the physical or mental health of the individual; or
- Cause immediate or grave harm to the safety or physical or mental health of another individual.
This exception recognises that access to certain data — such as psychiatric assessments, risk-of-harm evaluations, or protective-custody decisions — may itself trigger harm. The standard is likelihood, not certainty; organisations must undertake a good-faith, documented assessment of the risk. The PDPC has cautioned that this exception should not be used preemptively to withhold all health data — only the subset where disclosure poses a concrete, foreseeable risk.
2. Revealing another individual's identity (paragraph 1(d)). An organisation may refuse access where disclosure would reveal the identity of another individual who has provided personal data about the requesting individual without that other individual's consent. Classic applications include references provided by former employers or academic referees, complaint records where the complainant's identity would be disclosed, or witness statements in internal investigations. The exception protects the confidentiality of third-party contributors but does not permit blanket refusal — organisations should redact the identifying details and provide the substantive content where feasible.
3. Legal professional privilege (paragraph 1(e)). An organisation may refuse access to personal data that is subject to legal professional privilege. This exception mirrors the common-law privilege protecting confidential communications between a lawyer and client made for the purpose of obtaining or giving legal advice or for use in actual or contemplated litigation. The privilege belongs to the client (the organisation in most cases, though the individual may be the client if the organisation's lawyers represented the individual). If the individual is asserting that the privileged communication is their own, the organisation must substantiate its claim of privilege — for example, by demonstrating that the data was created in the course of representing the organisation, not the individual.
4. Evaluation, examination, or test data (paragraph 1(f)). An organisation may refuse access to personal data that was collected, used, or disclosed solely for evaluative purposes, including:
- Examinations, tests, or assessments to determine the individual's suitability for employment, promotion, award of contract, scholarship, or honour;
- Determining eligibility for continued employment or engagement; or
- Evaluating performance.
This exception permits organisations to withhold proprietary assessments, psychometric test results, scoring rubrics, and evaluation notes where disclosure would compromise the integrity of the assessment process or reveal confidential evaluation methodologies. However, the exception does not extend to the outcome or final decision derived from the evaluation (e.g., the individual is entitled to know they were not selected, or their performance rating, even if the underlying evaluator comments are withheld).
5. References or recommendations (paragraph 1(g)). An organisation may refuse access to personal data that consists of a reference or recommendation given confidentially by the organisation concerning the individual for:
- Employment by another organisation or person;
- Appointment to an office;
- Provision of a service; or
- Education or training.
This exception overlaps with the third-party-identity exception (paragraph 1(d)) but applies more broadly to confidential references where the referee explicitly or implicitly expected confidentiality. The PDPC has stated that the exception does not apply where the reference was not confidential (e.g., a LinkedIn recommendation that was publicly posted, or a reference provided on an "open reference" basis where the individual was copied).
6. Prejudice to negotiations (paragraph 1(h)). An organisation may refuse access where disclosure would be reasonably likely to prejudice negotiations between the organisation and the individual, or would disclose a bargaining position. For example, an employer negotiating a settlement of a wrongful-dismissal claim may withhold internal assessments of the strength of its legal position or the range of settlement amounts it is prepared to offer. The exception is time-limited — once negotiations conclude, the rationale evaporates and the organisation must reassess whether access can be granted.
7. Ongoing investigation or legal proceeding (paragraph 1(i)–(j)). An organisation may refuse access where disclosure would be reasonably likely to prejudice:
- The prevention, detection, investigation, or prosecution of an offence; or
- The administration of justice.
This exception permits organisations to withhold data in support of ongoing criminal investigations (whether conducted by the organisation itself, such as internal fraud investigations, or by public authorities where the organisation is cooperating), civil litigation where disclosure would compromise evidence, or investigations into regulatory breaches. The PDPC has held that the exception does not apply to concluded investigations or proceedings — once the matter is resolved, the organisation must re-evaluate whether access can be granted without prejudice.
8. National interest (paragraph 1(k)). An organisation may refuse access where disclosure would be contrary to the national interest. Section 2(1) of the PDPA defines "national interest" to include:
- Defence of Singapore;
- National security, public security, or public safety;
- Conduct of international affairs;
- Maintenance of essential services; and
- Economic interests of Singapore.
This exception is invoked rarely and typically in the context of organisations operating in critical-infrastructure, defence, or national-security sectors. The PDPC expects organisations to provide specific justification — a generalised assertion of "national interest" without particulars is insufficient.
9. Confidential commercial information (paragraph 1(l)). An organisation may refuse access where disclosure would reveal confidential commercial information that, if disclosed, could reasonably be expected to:
- Prejudice the competitive position of the organisation; or
- Interfere with contractual or other negotiations of the organisation.
This exception permits organisations to withhold trade secrets, proprietary business models, pricing strategies, or customer lists embedded in the individual's personal data. However, the exception does not permit wholesale refusal of access on the grounds that the data resides in a commercial system — the organisation must identify the specific confidential information that would be revealed and demonstrate actual commercial harm.
10. Requested within the preceding 12 months (paragraph 1(m)). An organisation may refuse a repeat access request where the individual made a substantially similar request within the preceding 12 months and the organisation has already complied with that earlier request. This exception prevents vexatious or harassing repeated requests where the data has not materially changed. The PDPC has clarified that the exception does not apply where the individual's circumstances have changed materially (e.g., a new employment record was created since the last request) or where the organisation failed to comply fully with the earlier request.
11. Frivolous or vexatious requests (paragraph 1(n)). An organisation may refuse access where the request is frivolous or vexatious. The PDPC has adopted a narrow interpretation: a request is frivolous if it is trivial, has no serious purpose, or is made in jest; it is vexatious if it is made to harass, annoy, or burden the organisation rather than to exercise the access right in good faith. The bar is high — the PDPC expects organisations to substantiate the vexatious nature with evidence of the requester's conduct, such as a pattern of abusive communications, simultaneous filing of dozens of overlapping requests, or explicit statements of intent to disrupt. A single broad or detailed request is not vexatious merely because it is burdensome to comply with.
12. Data held for archival or research purposes (paragraph 1(o)). An organisation may refuse access to personal data that is retained solely for archival, research, or statistical purposes and is no longer in active use for the purposes for which it was originally collected. This exception permits organisations to withhold data that has been moved to archival storage and is maintained only for historical record-keeping, research integrity, or compliance with retention obligations under other laws (e.g., the Companies Act or the Accountants Act). The exception does not apply to data that is still being actively used or disclosed for operational purposes.
## Sixth Schedule — exceptions to correction (section 22)
The Sixth Schedule sets out five categories of personal data for which an organisation may refuse a correction request. The correction obligation under section 22 is more limited in scope than the access obligation — an individual may request correction only of errors or omissions, not subjective assessments or opinions that the individual simply disagrees with.
1. Opinion data (paragraph 1(a)). An organisation is not required to correct personal data that consists of an opinion about the individual, as distinct from a fact about the individual. This exception recognises that opinions — such as performance reviews, reference letters, or evaluative assessments — are inherently subjective and cannot be "corrected" by the data subject. However, if the underlying factual basis for the opinion is in error, the organisation must correct that fact. For example, if a performance review states "Employee was absent 15 days in 2025" and the employee demonstrates that the correct figure is 3 days, the organisation must correct the factual error even though it need not retract the opinion that the employee's attendance was problematic.
2. Derived personal data (paragraph 1(b)). An organisation is not required to correct derived personal data — defined in the Twelfth Schedule as personal data that is created by the organisation by way of inference or deduction from other personal data in the organisation's possession or control, or from other information. Examples include credit scores derived from payment history, customer-lifetime-value scores derived from transaction data, or risk assessments derived from multiple data points. The policy rationale is that derived data reflects the organisation's analytical judgment, not an error in the underlying source data. If the individual contends that the input data used to derive the score is inaccurate, the organisation must correct the input data under section 22 and recalculate the derived data; the individual cannot, however, demand that the organisation change its derivation methodology or override the output of a correctly applied algorithm.
3. National interest (paragraph 1(c)). An organisation may refuse correction where compliance would be contrary to the national interest (defined identically to the Fourth Schedule exception above). This exception is invoked rarely — typically in intelligence, defence, or critical-infrastructure contexts where correcting the data would compromise operational security or reveal intelligence sources.
4. Legal professional privilege (paragraph 1(d)). An organisation may refuse to correct personal data that is subject to legal professional privilege, on the same grounds as the Fourth Schedule access exception. In practice, this exception has limited application to correction requests because privileged documents are rarely the subject of correction requests.
5. Archival, research, or statistical data (paragraph 1(e)). An organisation may refuse to correct personal data that is retained solely for archival, research, or statistical purposes and is no longer in active use, mirroring the Fourth Schedule access exception. This exception preserves the integrity of historical datasets — for instance, a medical research database that has been locked and anonymised post-study should not be retrospectively altered even if a participant later asserts that a baseline health measurement was recorded in error.
## Procedural obligations when invoking exceptions
When an organisation refuses access or correction on the basis of a Fourth or Sixth Schedule exception, the PDPA and PDPC guidance impose procedural safeguards:
Written refusal with reasons. The organisation must inform the individual in writing of the refusal and the specific exception relied upon (section 21(3) for access, section 22(5) for correction). Generic refusals (e.g., "access denied for legal reasons") are insufficient; the organisation must cite the Schedule paragraph. The only circumstance in which the organisation may withhold the reason is where disclosing the reason itself would undermine the protected interest (e.g., revealing that an investigation is ongoing would compromise the investigation).
Review by the PDPC. If an individual contests the refusal, the individual may apply to the PDPC for review under section 48H(1). The Commission will assess whether the exception was correctly invoked and whether the organisation acted reasonably. The PDPC may direct the organisation to provide access or correction, in whole or in part, or may uphold the refusal. Organisations should maintain documentary evidence of the grounds for refusal — such as legal advice establishing privilege, medical assessments supporting a safety risk, or investigation files demonstrating ongoing prejudice — to defend the decision in a section 48H review.
Partial compliance where feasible. The PDPC expects organisations to apply exceptions narrowly and to provide partial access or correction where possible. For example, if a document contains both privileged and non-privileged personal data, the organisation should redact the privileged portions and provide the remainder. If a correction request concerns both factual and opinion data, the organisation must correct the factual error even if it declines to alter the opinion.
## Interaction with other data-protection frameworks
Singapore's exception framework is narrower than the EU GDPR's Article 23 restrictions on data-subject rights, which permit member states to legislate broad carve-outs for public-interest grounds. The PDPA's Fourth and Sixth Schedules are exhaustive — an organisation cannot refuse access or correction on grounds not listed in the Schedules, even if the grounds are compelling. This creates a higher baseline of individual rights enforcement in Singapore compared to jurisdictions with more discretionary exception regimes.
Conversely, the PDPA's opinion-data and derived-data exceptions (Sixth Schedule paragraphs 1(a) and (b)) are more generous to organisations than the GDPR's Article 16 right to rectification, which applies to both factual and certain categories of inaccurate assessments. The policy trade-off reflects Singapore's emphasis on enabling data-driven innovation — organisations may develop and apply proprietary algorithms without being required to disclose or alter their methodologies in response to data-subject requests.
Source: Personal Data Protection Act 2012, sections 2, 21, 22, 48H, Fourth Schedule, Sixth Schedule, Twelfth Schedule
Source: PDPC – Advisory Guidelines on Key Concepts in the PDPA (17 May 2022), sections on Access and Correction Obligations