Registration of Criminals (DNA Database, Identification Database and Register) Rules 2023

Statute Details

• Title: Registration of Criminals (DNA Database, Identification Database and Register) Rules 2023
• Act Code: RCA1949-S358-2023
• Legislation Type: Subsidiary Legislation (SL)
• Enacting Authority: Minister for Home Affairs
• Authorising Act: Registration of Criminals Act 1949
• Commencement: 12 June 2023
• Current Version (as at): 27 Mar 2026
• Key Provisions (from extract): Sections 1–6 (definitions; removal application process and timelines; safeguards; prescribed purposes for DNA database use)
• Notable Amendments (timeline shown in extract): Amended by S 127/2025 (25 Feb 2025); Amended by S 584/2025 (08 Sep 2025); Amended by S 6/2026 (13 Jan 2026)
• Related Legislation: Criminals Act 1949; Drugs Act 1973; Internal Security Act 1960; Police Force Act 2004

What Is This Legislation About?

The Registration of Criminals (DNA Database, Identification Database and Register) Rules 2023 (“the Rules”) are subsidiary legislation made under the Registration of Criminals Act 1949. In practical terms, the Rules operationalise how Singapore manages sensitive personal information held in criminal justice databases—particularly DNA and identifying information—by setting out (i) how individuals may apply for removal of their information, (ii) the time limits for making such applications, (iii) safeguards governing the storage and security of the databases, and (iv) the specific purposes for which DNA information may be used under the Act.

While the underlying Act establishes the legal framework for the collection, retention, and use of registration information, the Rules translate that framework into detailed administrative and procedural requirements. This matters for practitioners because the Rules affect both the rights of individuals (for example, removal applications) and the compliance obligations of the Registrar and the relevant authorities (for example, cybersecurity, access controls, and auditability).

From a compliance perspective, the Rules also clarify that database systems are not treated as ordinary record-keeping. They are subject to strict technical and governance safeguards—such as separation from day-to-day systems, prohibition on internet access, monitoring through closed-circuit television (CCTV), and secure electronic audit trails. From a rights perspective, the Rules provide a defined pathway and prescribed timelines for individuals seeking removal of information from the identification database or the DNA database.

What Are the Key Provisions?

1. Citation, commencement, and definitions (Sections 1–2)
Section 1 provides the short title and commencement date: the Rules come into operation on 12 June 2023. Section 2 defines key terms used throughout the Rules. In particular, it defines a “database server” as a computer database that stores and maintains information or records of a specified database, and it defines “specified database” as the DNA database, the identification database, or the register. These definitions are important because later provisions impose obligations specifically on “specified databases” and their servers.

2. Application for removal of information (Section 3)
Section 3 addresses the procedure for an application mentioned in section 37(2) or (4) of the Act. In plain language, it tells practitioners and applicants how to submit a removal request. The Rules distinguish between two categories of applicants:

• Singpass holders: the application must be made online using the form accessible through https://police.gov.sg/E-Services/Apply-for-Removal-of-DNA-and-Identifying-Information.
• Non-Singpass holders: the application must be made in the form and manner specified on the same website.

This provision is practically significant because it is a procedural gatekeeping step. If an applicant submits the request through the wrong channel, the application may be treated as non-compliant with the Rules. For lawyers, this means removal applications should be checked for correct authentication and submission method, and evidence of submission should be preserved.

3. Prescribed time limits for removal applications (Section 4)
Section 4 prescribes the “time” for the purposes of section 37(4) of the Act. The Rules set out two alternative time triggers:

• General rule: the prescribed time is 15 days after the date of the occurrence of any one of the circumstances mentioned in section 37(3)(b) of the Act.
• Where the Registrar has previously notified the individual: if the Registrar previously notified the individual under section 39(2) of the Act, then:
  • if the circumstance in section 39(1)(a) exists (whether or not the circumstance in section 39(1)(b) also exists), the 15-day period runs after the ongoing prosecution or investigation is concluded; and
  • if the circumstance in section 39(1)(b) exists but the circumstance in section 39(1)(a) does not exist, the application may be made any time.

These provisions are legally important because time limits often determine whether an application is admissible. Practitioners should carefully map the applicant’s factual timeline (e.g., when prosecution/investigation concluded) to the statutory circumstances referenced in the Act. The Rules also show that the Registrar’s prior notification can change the computation of time—meaning that counsel should obtain and review any notification issued under section 39(2) of the Act.

4. Safeguards for specified databases (Section 5)
Section 5 imposes a set of concrete security and governance obligations on the Registrar. These safeguards are among the most operationally significant provisions in the Rules. The Registrar must:

• Use a separate backup server: ensure information and records are stored and maintained in a back-up database server that is separate and distinct from any server used for day-to-day operations.
• Prevent internet access: ensure that a database server of a specified database must not be accessible from the internet.
• Provide physical security monitoring: ensure an adequate number of CCTV cameras or other electronic visual monitoring devices are installed at suitable locations where the database (or its server) is stored or located.
• Implement protective protocols: implement appropriate protocols and processes to protect against accidental or unlawful loss, modification, destruction, unauthorised access, disclosure, copying, use or modification.
• Monitor and evaluate compliance: periodically monitor and evaluate the protocols and processes to ensure they are effective and complied with by persons who access the database.
• Maintain secure audit trails: ensure there is an electronic record of any change made to the DNA database or identification database, and that the record is secured against interference or tampering.

For lawyers advising on regulatory compliance, these requirements can be used as benchmarks for assessing whether the database administration meets statutory minimum standards. For litigators or applicants, they also provide a framework for understanding what “safeguards” the law expects—potentially relevant in disputes about misuse, unauthorised access, or the integrity of records.

5. Prescribed purposes for DNA database use (Section 6)
Section 6 specifies “prescribed purposes” for which information stored in the DNA database may be used, for the purposes of section 32(h) of the Act. The Rules limit DNA use to defined forensic and intelligence-related contexts. The prescribed purposes include:

• Forensic comparison in investigations of offences under the Misuse of Drugs Act 1973, conducted by an officer of the Bureau as defined in section 2 of the Misuse of Drugs Act 1973.
• Forensic comparison with other DNA information in the course of an investigation of an offence under the Misuse of Drugs Act 1973 or the Penal Code 1871, conducted by a military policeman serving as an investigating officer under section 177(b) of the Singapore Armed Forces Act 1972.
• Forensic comparison in the course of an inquiry into any matter relevant to the making of an order or giving of a direction by the President or Minister under section 8 of the Internal Security Act 1960, conducted by a person designated by the Minister as an intelligence officer under section 65(4) of the Police Force Act 2004.

Practitioners should note that these purposes are not open-ended. They are tied to specific offences, specific investigating bodies, and specific internal security processes. This can be crucial when assessing whether a proposed use of DNA information is within the statutory “prescribed purposes” or whether it is ultra vires the Rules.

How Is This Legislation Structured?

The Rules are structured as a short, operational instrument with six sections:

• Section 1 sets out the citation and commencement.
• Section 2 provides definitions, including “database server” and “specified database”.
• Section 3 prescribes the method for applying for removal of information from the identification database or DNA database, including online submission for Singpass holders.
• Section 4 prescribes the time limits for making such removal applications, including special timing where the Registrar has issued prior notification.
• Section 5 sets out safeguards for specified databases, covering technical separation, access restrictions, physical monitoring, security protocols, periodic evaluation, and secure audit trails.
• Section 6 lists the prescribed purposes for DNA database use under section 32(h) of the Act, focusing on forensic comparison in defined investigative and internal security contexts.

Who Does This Legislation Apply To?

The Rules primarily apply to the Registrar and the authorities administering the DNA database, the identification database, and the register under the Registration of Criminals Act 1949. The obligations in Section 5 (security safeguards) are directed at the Registrar’s operational responsibilities for maintaining and protecting the databases.

They also apply to individuals seeking removal of their information from the identification database or DNA database. Section 3 and Section 4 govern how and when an application must be made, including the submission channel (online via a specified police e-service for Singpass holders) and the prescribed time limits tied to statutory circumstances and any prior Registrar notification.

Why Is This Legislation Important?

First, the Rules provide a clear procedural pathway for individuals who want their DNA or identifying information removed. In practice, removal applications are time-sensitive and procedural. Section 3 and Section 4 help determine whether an application is properly made and within the required timeframe. For counsel, this means advising clients on documentation, submission method, and the factual timeline that triggers the 15-day period or the “any time” scenario.

Second, the safeguards in Section 5 reflect the law’s recognition that DNA and identifying information are highly sensitive. The Rules require separation of backup infrastructure, strict access controls (no internet accessibility), physical monitoring, robust security protocols, periodic evaluation, and tamper-resistant electronic audit trails. These requirements are important for accountability and for reducing the risk of unauthorised access or data integrity issues.

Third, Section 6 limits DNA database use to prescribed forensic and security-related purposes. This can be significant in disputes about whether DNA information was used for an improper purpose. By enumerating specific investigative contexts—Misuse of Drugs Act investigations, Penal Code/MDA investigations by military police, and internal security inquiries under the Internal Security Act—the Rules create a statutory boundary that practitioners can use to assess compliance.

Related Legislation

• Registration of Criminals Act 1949
• Misuse of Drugs Act 1973
• Penal Code 1871
• Internal Security Act 1960
• Police Force Act 2004
• Singapore Armed Forces Act 1972

Source Documents

• Official Text — Singapore Statutes Online
• Archived Copy — Litt Law CDN

This article provides an overview of the Registration of Criminals (DNA Database, Identification Database and Register) Rules 2023 for legal research and educational purposes. It does not constitute legal advice. Readers should consult the official text for authoritative provisions.