Case Details
- Citation: [2025] SGPDPC 1
- Court: Intellectual Property Office of Singapore
- Date: 2025-05-21
- Judges: Wong Huiwen Denise, Deputy Commissioner
- Plaintiff/Applicant: -
- Defendant/Respondent: Institute of Mental Health
- Legal Areas: Data Protection – Consent obligation
- Statutes Referenced: Personal Data Protection Act
- Cases Cited: [2019] SGPDPC 8, [2025] SGPDPC 1
- Judgment Length: 14 pages, 3,185 words
Summary
This case involves a complaint filed by a patient (the "Complainant") against the Institute of Mental Health (the "Organisation") for using his personal data without consent. The Personal Data Protection Commission (the "Commission") investigated the matter and found that the Organisation had obtained the Complainant's implied consent to use his personal data to identify and approach him as a potential participant in a research study. The Commission determined that the Organisation had complied with the consent obligations under the Personal Data Protection Act 2012 (the "PDPA").
What Were the Facts of This Case?
On 20 March 2024, the Complainant was waiting to see a doctor at the Organisation's clinic. A research officer ("RO") from the Organisation approached the Complainant, identified him by his full name, and sought his consent to participate in a study relating to certain medical conditions affecting outpatients at tertiary psychiatric hospitals ("Study"). The Complainant lodged a complaint with the Organisation, seeking an explanation as to why the doctor had disclosed his name and health condition and/or history to the RO without his consent (the "Incident").
The Organisation explained that the RO had approached the Complainant's attending doctor on the day of his appointment for the names of suitable participants in the Study and their appointment times. The attending doctor had only provided the names of suitable participants to the RO and did not disclose the participants' medical information. Armed with the names of the potential participants and their appointment times, the RO then searched for these potential participants' queue numbers in the Organisation's database to locate their whereabouts in the clinic, and approached the Complainant in the waiting area.
Investigations by the Commission revealed that the Organisation had placed a prominent notification at the manned registration counters, payment, and pharmacy counters in the clinic since 2014, stating that the Organisation "may use your personal data to invite you to participate in suitable care programmes or shortlist you for participation in relevant research studies" (the "Notification"). The Complainant had been visiting the same clinic since 2013 and was a regular patient at the time of the Incident.
What Were the Key Legal Issues?
The key legal issue in this case was whether the Organisation had obtained the Complainant's consent, or deemed consent by notification, before using his personal data to identify and approach him as a potential participant in the Study.
The Commission noted that while the Complainant was aggrieved by the disclosure of his health condition and history to the RO by the attending doctor, this did not constitute a disclosure of personal data under the PDPA, as the data protection obligations apply to the organisation handling the data, and not to individual employees acting in the course of their employment.
How Did the Court Analyse the Issues?
The Commission examined the consent obligation under the PDPA, which requires an organisation to obtain an individual's consent before using their personal data. The PDPA allows for consent to be obtained in various ways, including express consent, verbal consent, and implied consent based on the individual's conduct and the circumstances.
Since the Complainant did not provide express consent for the use of his personal data for the Study Recruitment Purpose, the Commission considered whether the Organisation had obtained his implied consent. The Commission noted that the display of the Notification at the manned registration counters, which were in close proximity to the self-registration kiosks used by the Complainant, was a reasonable step to bring the Notification to the attention of patients, including the Complainant.
The Commission also found that the Complainant had ample reasonable opportunities to see the Notification during his visits to the clinic from 2014 to the date of the Incident. Based on the Complainant's conduct of regularly visiting the clinic and the prominent display of the Notification, the Commission determined that the Complainant's conduct amounted to an acceptance of the Organisation's use of his personal data for the Study Recruitment Purpose, which constituted implied consent under the PDPA.
What Was the Outcome?
The Commission concluded that the Organisation had obtained the Complainant's implied consent for the use of his personal data to identify and approach him as a potential participant in the Study. Therefore, the Commission found that the Organisation had complied with the consent obligations under the PDPA.
Why Does This Case Matter?
This case provides valuable guidance on the concept of implied consent under the PDPA. It demonstrates that an organisation can obtain deemed consent from an individual through the prominent display of a notification informing the individual of the purposes for which their personal data may be used, and the individual's subsequent conduct of regularly engaging with the organisation.
The case also highlights the importance of organisations ensuring that their employees' access to an individual's personal data, including medical information, is strictly confined to a need-to-know basis. While the disclosure of the Complainant's personal data by the attending doctor to the RO did not constitute a breach of the PDPA, the Commission emphasized that organisations must still ensure that they only use an individual's personal data after obtaining the necessary consent.
This decision serves as a reminder to healthcare providers and other organisations that collect and use personal data to carefully consider the consent obligations under the PDPA and implement appropriate measures to obtain valid consent, whether express or implied, from individuals. The case also highlights the importance of transparency and clear communication with individuals about the purposes for which their personal data may be used.
Legislation Referenced
Cases Cited
- [2019] SGPDPC 8 (Re German European School Singapore)
- [2025] SGPDPC 1 (Institute of Mental Health)
Source Documents
This article analyses [2025] SGPDPC 1 for legal research and educational purposes. It does not constitute legal advice. Readers should consult the full judgment for the Court's complete reasoning.