Statute Details
- Title: Personal Data Protection (Prescribed Healthcare Bodies) Notification 2015
- Act Code: PDPA2012-S90-2015
- Type: Subsidiary Legislation (SL)
- Authorising Act: Personal Data Protection Act 2012 (Act 26 of 2012)
- Enacting Formula (source power): Made in exercise of powers under the definition of “prescribed healthcare body” in section 2(1) of the PDPA 2012
- Citation: S 90/2015
- Commencement: 1 March 2015
- Key Provisions: Section 1 (Citation and commencement); Section 2 (Prescribed healthcare bodies); Schedule (list of prescribed healthcare bodies)
- Amendments noted in the extract: Amended by S 69/2021 with effect from 1 February 2021
What Is This Legislation About?
The Personal Data Protection (Prescribed Healthcare Bodies) Notification 2015 is a Singapore subsidiary instrument made under the Personal Data Protection Act 2012 (“PDPA”). In practical terms, it is a designation notification: it identifies specific organisations that are to be treated as “prescribed healthcare bodies” for the purposes of the PDPA’s healthcare-related provisions.
While the PDPA is the main statute governing personal data protection in Singapore, the PDPA contains special rules for certain categories of organisations and contexts. One such category is healthcare. The PDPA’s framework recognises that healthcare data can be sensitive and that healthcare organisations may have particular operational needs (for example, clinical administration, patient care coordination, and handling of personal data in medical contexts). To apply those special rules, the law needs a mechanism to formally identify which organisations qualify as “prescribed healthcare bodies”.
This Notification serves that mechanism. It does not, by itself, create a general data protection regime. Instead, it prescribes the organisations listed in its Schedule as “prescribed healthcare bodies”. Once an organisation is properly prescribed, the PDPA provisions that refer to “prescribed healthcare bodies” become applicable to that organisation (including the PDPA’s healthcare-specific obligations and permissions set out in the Second Schedule to the Act).
What Are the Key Provisions?
Section 1: Citation and commencement. Section 1 provides the formal citation and the date the Notification comes into operation. The Notification may be cited as the Personal Data Protection (Prescribed Healthcare Bodies) Notification 2015 and it comes into operation on 1 March 2015. For practitioners, this matters because the designation affects which organisations fall within the healthcare category from that date (and any later amendments affect the scope prospectively from their effective dates).
Section 2: Prescribed healthcare bodies. Section 2 is the core operative provision. It states that the organisations specified in the Schedule are prescribed as “prescribed healthcare bodies” for the purposes of the Second Schedule to the Act. The legal effect is that the PDPA’s Second Schedule provisions—those that are triggered by the status of being a prescribed healthcare body—apply to the organisations listed.
The Schedule: the list of prescribed healthcare bodies. The Schedule is where the practical work lies. Although the extract provided does not reproduce the actual list of organisations, the Schedule is the authoritative source for determining whether a particular healthcare organisation is prescribed. In legal practice, the Schedule is therefore the document section that must be checked when advising an organisation on its PDPA obligations or when assessing compliance posture.
Amendment history (S 69/2021 effective 1 February 2021). The extract indicates that the Notification was amended by S 69/2021 with effect from 1 February 2021. This is significant for compliance. If an organisation was added, removed, or otherwise affected by the amendment, its PDPA healthcare-specific treatment would change from the effective date. For counsel, this means advising clients to maintain a version-controlled compliance view: the correct question is not only “is it prescribed?” but “is it prescribed as at the relevant time for the processing activity in question?”.
How Is This Legislation Structured?
The Notification is structured in a straightforward way typical of designation instruments:
(1) Enacting formula and short title. The instrument is made under the PDPA’s enabling power and includes the citation and commencement provision.
(2) Operative sections. It contains two short sections: Section 1 (citation/commencement) and Section 2 (prescription of organisations listed in the Schedule).
(3) The Schedule. The Schedule lists the organisations that are prescribed as “prescribed healthcare bodies”. This Schedule is the key reference point for determining applicability.
Notably, the Notification itself is brief and does not set out detailed substantive obligations. Instead, it functions as a gateway to the PDPA’s healthcare-specific rules contained in the Second Schedule to the PDPA.
Who Does This Legislation Apply To?
This Notification applies to organisations specified in its Schedule. In other words, it is not a general rule directed at all businesses or all individuals. Rather, it designates particular healthcare organisations as “prescribed healthcare bodies” for PDPA purposes.
For a practitioner advising a healthcare organisation, the key legal question is whether the organisation is named in the Schedule (and, if relevant, whether the organisation’s status changed due to amendments such as the 1 February 2021 amendment). If it is prescribed, the organisation will be subject to the PDPA’s healthcare-related provisions that are triggered by that designation. If it is not prescribed, those specific healthcare provisions may not apply, and the organisation would instead rely on the general PDPA framework (including the PDPA’s general obligations on consent, purpose limitation, access/correction, and protection of personal data, as applicable).
Why Is This Legislation Important?
Although the Notification is short, it is legally important because it determines whether an organisation falls within a special regulatory category under the PDPA. In Singapore’s PDPA architecture, healthcare data is treated with particular sensitivity and the law provides tailored rules for healthcare contexts. The designation of “prescribed healthcare bodies” is therefore a compliance-critical step.
Practical compliance impact. For counsel and compliance officers, the Notification affects how the organisation should interpret and apply the PDPA’s Second Schedule provisions. Depending on the exact wording of those provisions, the organisation may have different obligations or may be permitted to handle certain personal data in specific healthcare-related circumstances. Even where the general PDPA principles remain constant, the healthcare designation can change the legal analysis for particular processing activities.
Risk management and audit readiness. Because the Notification is amended over time, organisations should treat it as a living compliance reference. A change to the Schedule can create immediate operational and legal consequences. For example, if an organisation is newly prescribed, it may need to update internal policies, training, and contractual arrangements to align with the healthcare-specific PDPA regime. Conversely, if an organisation is removed or reclassified, it may need to adjust its compliance approach to avoid relying on provisions that no longer apply.
Version control and timing. The amendment effective date (1 February 2021) underscores a common legal issue: compliance must be assessed against the law in force at the time of the relevant processing. Practitioners should therefore document which version of the Notification applied when advising on historical incidents, responding to complaints, or preparing for regulatory engagement.
Related Legislation
- Personal Data Protection Act 2012 (Act 26 of 2012) — the principal statute; includes the definition of “prescribed healthcare body” in section 2(1) and the Second Schedule provisions referenced by this Notification.
- Personal Data Protection (Prescribed Healthcare Bodies) Notification 2015 — this instrument; amended by S 69/2021 with effect from 1 February 2021.
Source Documents
This article provides an overview of the Personal Data Protection (Prescribed Healthcare Bodies) Notification 2015 for legal research and educational purposes. It does not constitute legal advice. Readers should consult the official text for authoritative provisions.