Personal Data Protection (Prescribed Healthcare Bodies) Notification 2015

Statute Details

• Title: Personal Data Protection (Prescribed Healthcare Bodies) Notification 2015
• Act Code: PDPA2012-S90-2015
• Type: Subsidiary Legislation (SL)
• Authorising Act: Personal Data Protection Act 2012 (Act 26 of 2012)
• Enacting Formula (power source): Definition of “prescribed healthcare body” in section 2(1) of the PDPA 2012
• Citation: No. S 90
• Commencement: 1 March 2015
• Maker: Minister for Health (made on 15 February 2015)
• Key Provisions: Section 1 (citation and commencement); Section 2 (prescribed healthcare bodies); Schedule (list of organisations)
• Latest version reference in provided text: Current version as at 27 Mar 2026
• Noted amendment: Amended by S 69/2021 with effect from 1 February 2021

What Is This Legislation About?

The Personal Data Protection (Prescribed Healthcare Bodies) Notification 2015 is a Singapore subsidiary instrument made under the Personal Data Protection Act 2012 (“PDPA”). In practical terms, it performs a single, highly targeted function: it designates specific organisations as “prescribed healthcare bodies” for the purposes of the PDPA’s Second Schedule.

Under the PDPA, different categories of organisations may be subject to different operational requirements, particularly in relation to how personal data is handled in healthcare contexts. The PDPA’s framework recognises that healthcare organisations often process sensitive personal data and may require tailored compliance approaches. This Notification is the mechanism by which the Minister for Health formally identifies which healthcare organisations fall within that special category.

Accordingly, the Notification is not a general data protection code. It is an enabling and classification instrument. Its legal effect is to “turn on” the PDPA’s Second Schedule regime for the organisations listed in the Schedule. For lawyers advising healthcare providers, insurers, or related entities, the key question is whether a particular organisation is named in the Schedule—because that status can materially affect the compliance obligations and the way certain PDPA provisions apply.

What Are the Key Provisions?

Section 1: Citation and commencement. Section 1 provides the formal citation and states when the Notification comes into operation. The Notification “may be cited as” the Personal Data Protection (Prescribed Healthcare Bodies) Notification 2015 and “comes into operation on 1 March 2015.” For practitioners, commencement matters when assessing historical compliance—particularly if an organisation’s data handling practices were implemented before or after 1 March 2015.

Section 2: Prescribed healthcare bodies. Section 2 is the operative provision. It states that “the organisations specified in the Schedule are prescribed as prescribed healthcare bodies for the purposes of the Second Schedule to the Act.” This is the legal bridge between the Notification and the PDPA. The Notification itself does not set out detailed obligations; instead, it designates the entities to which the PDPA’s Second Schedule applies.

In other words, Section 2 is a classification clause. It relies on the PDPA’s definition of “prescribed healthcare body” (in section 2(1) of the PDPA) and uses the Schedule to identify the organisations. The legal consequence is that those organisations are treated as “prescribed healthcare bodies” under the PDPA’s structured compliance regime.

The Schedule: the list of organisations. The Schedule is the most practically important part of the Notification. It contains the “Prescribed healthcare bodies” list. While the extract provided does not reproduce the actual names, the Schedule is where the designation occurs. For lawyers, the Schedule is the authoritative source for determining whether a specific organisation is within scope.

Amendment by S 69/2021 (effective 1 February 2021). The text indicates that the Notification was amended by S 69/2021 with effect from 1 February 2021. This is significant because the Schedule may be updated over time—adding organisations, removing organisations, or otherwise changing the list. Practitioners should therefore verify the current version of the Schedule as at the relevant date for the matter at hand. A healthcare organisation’s PDPA classification may change due to legislative updates, and compliance advice must reflect the correct version.

How Is This Legislation Structured?

The Notification is structured in a straightforward, two-section format supported by a Schedule:

(1) Enacting Formula and short title/commencement (Section 1). This section provides the citation and commencement date.

(2) Designation provision (Section 2). This section states that organisations specified in the Schedule are prescribed healthcare bodies for the purposes of the PDPA’s Second Schedule.

(3) Schedule. This is the substantive list of organisations. The Schedule is where the scope is defined in concrete terms.

From a legal research perspective, the Notification should be read together with the PDPA 2012—especially the definition of “prescribed healthcare body” in section 2(1) and the Second Schedule to the Act. The Notification does not operate in isolation; it is best understood as a “designation instrument” that activates the PDPA’s tailored healthcare-related compliance framework.

Who Does This Legislation Apply To?

This Notification applies to the organisations specified in its Schedule. Those organisations are “prescribed healthcare bodies” for the purposes of the PDPA’s Second Schedule. The scope is therefore not determined by the general nature of an organisation (e.g., “any hospital” or “any clinic”) but by whether the organisation is expressly listed in the Schedule.

For legal practitioners, this means that applicability is a factual and legal determination: you must confirm the organisation’s identity and whether it appears on the Schedule in the relevant version. Corporate restructuring, name changes, mergers, or changes in legal entity status can create practical issues. For example, a healthcare group may operate through multiple legal entities; only the entities listed in the Schedule would be “prescribed healthcare bodies” under the Notification.

Additionally, because the Notification was amended with effect from 1 February 2021, the relevant version of the Schedule may differ depending on the time period of the conduct being assessed. Advice should therefore be time-sensitive and anchored to the correct legislative version.

Why Is This Legislation Important?

Although the Notification is brief, it can have outsized compliance consequences. The PDPA’s Second Schedule is designed to address healthcare-specific data protection considerations. By prescribing certain organisations as “prescribed healthcare bodies,” the Notification determines which entities fall within that healthcare-specific regulatory treatment.

For practitioners advising healthcare providers, the key importance lies in risk allocation and compliance planning. If an organisation is a prescribed healthcare body, it may be subject to the Second Schedule’s requirements (and potentially different operational expectations compared with non-prescribed organisations). This can affect how consent is managed, how data is used and disclosed in healthcare contexts, and how the organisation structures its internal policies and procedures.

From an enforcement and governance standpoint, the designation also matters for regulatory investigations and contractual arrangements. For example, healthcare providers often share data with service providers, laboratories, insurers, and other stakeholders. Knowing whether the provider is a prescribed healthcare body can influence how data protection clauses are drafted, how data processing roles are allocated (controller/recipient concepts under the PDPA framework), and how compliance documentation is maintained.

Finally, the existence of amendments (such as S 69/2021) underscores that the scope is not static. Organisations should monitor legislative updates and periodically re-check their status against the current Schedule. A failure to do so can lead to misclassification, which in turn can produce compliance gaps—particularly where internal policies are built on assumptions about the organisation’s regulatory category.

Related Legislation

• Personal Data Protection Act 2012 (Act 26 of 2012) — in particular:
  • Section 2(1) (definition of “prescribed healthcare body”)
  • Second Schedule (the healthcare-related compliance framework activated by this Notification)
• Personal Data Protection (Prescribed Healthcare Bodies) Notification 2015 — as amended by S 69/2021 (effective 1 February 2021)

Source Documents

• Official Text — Singapore Statutes Online
• Archived Copy — Litt Law CDN

This article provides an overview of the Personal Data Protection (Prescribed Healthcare Bodies) Notification 2015 for legal research and educational purposes. It does not constitute legal advice. Readers should consult the official text for authoritative provisions.