Tan Tung Wee Eddie v Singapore Health Services Pte Ltd [2025] SGHC 10

Case Details

• Citation: [2025] SGHC 10
• Court: General Division of the High Court of the Republic of Singapore
• Decision Date: 21 January 2025
• Coram: Chua Lee Ming J
• Case Number: Originating Claim No 361 of 2023
• Hearing Date(s): 29–31 July, 1–2, 5–6 August, 8 August 2024
• Claimants / Plaintiffs: Tan Tung Wee Eddie
• Respondent / Defendant: Singapore Health Services Pte Ltd
• Counsel for Claimants: The claimant in-person
• Counsel for Respondent: Kuah Boon Theng SC, Yong Shuk Lin Vanessa, and Shenna Tjoa (Legal Clinic LLC)
• Practice Areas: Employment Law — Unfair dismissal; Confidentiality; Data Privacy; Statutory Duty

Summary

In Tan Tung Wee Eddie v Singapore Health Services Pte Ltd [2025] SGHC 10, the General Division of the High Court delivered a landmark ruling clarifying the limits of "self-help" investigations by employees and the restricted scope of the "iniquity exception" in the context of data privacy. The claimant, a senior neurosurgeon, was summarily dismissed by the defendant ("SingHealth") after an internal audit revealed he had accessed the Electronic Medical Record ("EMR") system to view the sensitive medical data of over 70 patients who were not under his clinical care. The claimant’s primary defense was that his actions were a form of whistleblowing intended to uncover alleged professional misconduct by a colleague, Dr. Chen. He argued that the "iniquity exception" negated his duty of confidentiality and that the defendant’s disciplinary process was negligent and in breach of statutory duties under the Medical Registration Act 1997.

Chua Lee Ming J dismissed the claimant’s claim in its entirety, providing a definitive analysis of what constitutes "gross misconduct" in the digital age. The court held that the claimant’s unauthorized access to patient records was a fundamental breach of his express contractual obligations and professional duties. Crucially, the judgment establishes that the "iniquity exception"—a principle that prevents confidentiality or privilege from attaching to communications made in furtherance of a crime or fraud—cannot be used as a "sword" to justify an individual’s own breach of confidentiality to conduct a private investigation. The court emphasized that the existence of proper reporting channels, such as the Singapore Medical Council ("SMC") or internal whistleblowing policies, renders "self-help" data harvesting legally and ethically unjustifiable.

The decision also reinforces the established principle in Singapore law that, absent specific contractual terms, there is no implied duty for an employer to follow a particular "fair" process before exercising a contractual right to terminate for cause. The court rejected the claimant’s attempt to impose a tortious duty of care on the employer during the investigative phase, noting that such a duty would be inconsistent with the contractual nature of the employment relationship. Furthermore, the court clarified that the Medical Registration Act 1997 does not create a private right of action for employees to challenge disciplinary outcomes or mandate that all misconduct matters be referred to the SMC in lieu of internal employment actions.

This case stands as a significant precedent for practitioners dealing with wrongful dismissal claims involving IT policy violations and data breaches. It underscores the high threshold required to displace an employer’s right to summary dismissal when a clear breach of a "root" term—such as patient confidentiality in a healthcare setting—is established. By affirming the dismissal and awarding costs to the defendant, the High Court has sent a clear signal: professional "whistleblower" intentions do not provide a legal shield for unauthorized access to computer material or the violation of third-party privacy rights.

Timeline of Events

1. 1 August 2018: The claimant, Dr. Tan Tung Wee Eddie, commences employment as a neurosurgeon with the defendant, Singapore Health Services Pte Ltd.
2. 9 September 2020: The claimant begins raising internal concerns regarding the professional conduct and clinic participation of his colleague, Dr. Chen.
3. 14 September 2020: The claimant continues to engage in communications regarding Dr. Chen’s alleged improper participation in surgical cases.
4. 16 September 2020: Further internal correspondence occurs regarding the claimant's allegations of administrative irregularities.
5. 20 September 2020: The claimant raises additional issues concerning the allocation of subspecialty clinic sessions.
6. 23 October 2020: The claimant’s internal reports regarding Dr. Chen’s conduct are formally documented.
7. 20 November 2020 – 24 November 2020: A series of communications take place between the claimant and hospital management regarding the investigation into his allegations.
8. 27 January 2021: An internal audit or meeting occurs where the claimant's unauthorized access to the EMR system is first detailed.
9. 5 February 2021: The defendant formally initiates disciplinary proceedings against the claimant following the audit findings.
10. 17 February 2021 – 23 February 2021: Disciplinary meetings are held; the claimant attempts to justify his data access as a necessary part of his "investigation."
11. 25 June 2021 – 8 July 2021: The disciplinary process proceeds through various stages of review, including an assessment of the claimant’s "whistleblower" defense.
12. 10 September 2021 – 15 November 2021: The defendant finalizes its internal review and determines that the claimant’s actions constitute gross misconduct.
13. 13 December 2021: The defendant issues a formal notice to the claimant regarding the impending termination of his employment.
14. 21 January 2022: The claimant is officially dismissed from his employment with the defendant.
15. 1 April 2022: The claimant receives a letter from the police containing a stern warning for offenses under the Computer Misuse Act 1993.
16. 29 April 2022: The defendant informs the claimant that it has decided not to file a formal complaint with the SMC, ostensibly to allow him to move on in his career.
17. 10 November 2023: The claimant files Originating Claim No 361 of 2023 in the High Court.
18. 29 July 2024 – 8 August 2024: The substantive hearing of the claim takes place before Chua Lee Ming J.
19. 21 January 2025: The High Court delivers its judgment dismissing the claimant's claim in its entirety.

What Were the Facts of This Case?

The claimant, Dr. Tan Tung Wee Eddie, was a Consultant Neurosurgeon employed by Singapore Health Services Pte Ltd ("SingHealth"), the largest public healthcare cluster in Singapore. His employment was governed by a contract that incorporated strict confidentiality clauses and IT usage policies. These policies explicitly prohibited the access of patient medical records unless such access was required for the clinical care of patients under the doctor's direct charge. The Electronic Medical Record ("EMR") system used by the defendant was a central repository of sensitive patient data, protected by both contractual terms and the Computer Misuse Act 1993.

The dispute was rooted in a professional conflict between the claimant and another neurosurgeon, Dr. Chen. During the COVID-19 pandemic, the claimant was primarily based at Sengkang General Hospital ("SKH"), while Dr. Chen was based at Singapore General Hospital ("SGH"). The claimant alleged that Dr. Chen was being given preferential treatment, specifically regarding participation in complex skull base surgeries and subspecialty clinics at SGH—opportunities the claimant felt should have been his. The claimant suspected that Dr. Chen was misrepresenting his involvement in these cases or that administrative records were being manipulated to favor Dr. Chen. Specifically, the claimant alleged that Dr. Chen was participating in clinics and surgeries that he was not authorized to lead, thereby depriving the claimant of clinical experience and professional advancement.

Driven by these suspicions, the claimant embarked on a "self-help" investigation. Between 2020 and 2021, he used his credentials to access the EMR system and review the medical records of more than 70 patients. It was an admitted fact that none of these patients were under the claimant’s clinical care at the time of access. The claimant’s objective was to examine "encounter" notes and surgical logs to verify which doctors were listed as the attending physicians, thereby attempting to gather evidence that Dr. Chen was attending clinics or surgeries he was not authorized to lead. The claimant did not seek permission from the patients, the hospital administration, or the relevant department heads before conducting these searches. He argued that this was the only way to "prove" the alleged iniquity, as he believed the hospital administration was complicit or indifferent to his concerns.

The defendant’s internal audit systems flagged the claimant’s access patterns as highly irregular. This triggered a comprehensive internal investigation. When confronted, the claimant did not deny accessing the records but argued that he was acting in the "public interest" to expose what he perceived as Dr. Chen’s professional misconduct and administrative irregularities. He characterized himself as a whistleblower. The defendant, however, viewed the claimant’s actions as a severe breach of patient confidentiality and a violation of the trust essential to the doctor-patient and employer-employee relationship. The defendant noted that the claimant had bypassed established internal whistleblowing channels and had instead chosen to violate the privacy of over 70 individuals. The defendant also pointed out that the claimant's actions potentially exposed the hospital to legal liability and reputational damage.

The matter was reported to the police, and on 1 April 2022, the claimant was issued a stern warning for unauthorized access to computer material under the Computer Misuse Act 1993. The claimant rejected the warning, maintaining that his motives were pure and that the law should recognize a "whistleblower" exception for such actions. Meanwhile, the defendant concluded its disciplinary inquiry and summarily dismissed the claimant on 21 January 2022. The claimant subsequently initiated legal proceedings, seeking damages of $4,442,570.53 for lost future earnings, alleging wrongful dismissal, negligence in the investigation, and breach of statutory duty under the Medical Registration Act 1997. He contended that the defendant should have referred the matter to the SMC rather than dismissing him and that the "iniquity exception" justified his breach of confidentiality.

What Were the Key Legal Issues?

The case required the High Court to resolve several complex legal issues concerning the boundaries of employment law, the protection of confidential information, and the interaction between private employment contracts and statutory regulatory frameworks.

• Wrongful Dismissal and Gross Misconduct: Whether the claimant’s unauthorized access to the medical records of over 70 patients constituted "gross misconduct" justifying summary dismissal under the employment contract and at common law. This involved determining if the breach went to the "root" of the contract.
• The Scope of the Iniquity Exception: Whether the "iniquity exception" could be invoked by an employee to justify a breach of confidentiality. The claimant argued that because he was seeking to uncover alleged misconduct by Dr. Chen, the duty of confidentiality was negated.
• Negligence in Disciplinary Investigations: Whether an employer owes an employee a tortious duty of care to conduct internal investigations and disciplinary proceedings with reasonable care and skill. The claimant argued that the defendant’s "unfair" process caused him foreseeable economic loss and reputational harm.
• Statutory Duty under the Medical Registration Act 1997: Whether Section 59A(3) of the MRA imposed a mandatory duty on the defendant to refer the claimant’s misconduct to the SMC, and whether a breach of this duty (if any) gave rise to a private right of action or invalidated the dismissal.
• Whistleblower Protections and Self-Help: Whether an employee’s status as a self-styled "whistleblower" provides a legal defense for unauthorized data access and breaches of the Computer Misuse Act 1993.

How Did the Court Analyse the Issues?

Chua Lee Ming J’s analysis began with the contractual framework of the employment relationship. The court found that the claimant’s contract and the defendant’s IT policies were unambiguous: patient records were to be accessed only for clinical care. The claimant’s admission that he accessed over 70 records for his own investigative purposes established a prima facie breach of contract.

The Iniquity Exception: Shield vs. Sword

The claimant’s most significant legal argument was the "iniquity exception." He relied on the maxim that "there is no confidence as to the disclosure of iniquity." The court conducted a deep dive into the authorities, including Al Sadeq v Dechert LLP [2024] 3 WLR 403 and the foundational case of R v Cox and Railton (1884) 14 QBD 153. The court clarified that the exception is a rule of evidence and substantive law that prevents privilege or confidentiality from attaching to communications made in furtherance of a crime, fraud, or other equivalent iniquity.

"It is not confined to cases in which the legal adviser is party to, or aware of, the iniquity." (at [103], citing Al Sadeq)

However, the court held that the exception was entirely inapplicable to the claimant’s situation for two primary reasons. First, the "iniquity" alleged—Dr. Chen’s administrative irregularities and clinic participation—did not meet the high threshold of gravity required to trigger the exception. The court noted that the exception typically applies to serious crimes or frauds, not internal administrative disputes or professional disagreements. Second, and more fundamentally, the court ruled that the exception does not authorize "self-help" breaches of confidentiality. The exception exists to prevent the suppression of evidence of wrongdoing; it does not grant an individual the right to create evidence by breaching the confidentiality of third parties (the patients). The court cited R v Central Criminal Court, Ex p Francis & Francis [1989] AC 346 to reinforce that the exception cannot be used as a sword to justify unauthorized data harvesting when proper reporting channels, such as the SMC or internal whistleblowing policies, are available. The court emphasized that the claimant's duty of confidentiality was owed to the patients and the hospital, and he had no right to unilaterally waive that duty for his own purposes.

Wrongful Dismissal and the "Root" of the Contract

In analyzing the dismissal, the court applied the test from Leiman, Ricardo and another v Noble Resources Ltd and another [2020] 2 SLR 386. The court held that an employer is entitled to dismiss an employee without notice if the employee has committed a breach of contract that is so serious it goes to the root of the contract or shows an intention no longer to be bound by it. The court found that the claimant’s breach was indeed "gross misconduct":

"The claimant was dismissed because he had accessed the records of patients who were not under his care, without authorisation. As he had no justification for doing so, his actions amounted to a breach of confidentiality." (at [118])

The court rejected the claimant’s argument that the defendant’s failure to follow a "fair" or "due" process rendered the dismissal wrongful. Following the Leiman principle, the court affirmed that "absent a term in the contract to the contrary, there is no basis for finding that an employer is obliged to accord to an employee the right to any particular process before undertaking any action" (at [127]). Since the claimant’s breach was established and was sufficiently grave, the summary dismissal was contractually justified regardless of the perceived flaws in the investigation process. The court noted that the defendant had, in fact, conducted an extensive internal inquiry and given the claimant multiple opportunities to explain his actions, even though it was not strictly contractually bound to do so.

Rejection of a Tortious Duty of Care

The claimant’s attempt to frame the case in negligence was also dismissed. He argued that the defendant owed him a duty of care to conduct the investigation in a way that protected his reputation and future employability. The court declined to recognize such a duty. Chua Lee Ming J reasoned that imposing a tortious duty of care in the context of a disciplinary investigation would be inconsistent with the contractual nature of the employment relationship. The court held that the rights and obligations of the parties regarding termination and investigation are governed by the contract. To allow a claim in negligence would be to circumvent the contractual bargain and the established limits of employment law. The court also noted that the claimant's loss (his job and reputation) flowed from his own misconduct, not from any alleged negligence in the investigation.

Statutory Duty under the Medical Registration Act

The claimant further argued that the defendant breached a statutory duty under Section 59A(3) of the Medical Registration Act 1997 by failing to refer his misconduct to the SMC. The court found this reliance "misconceived." The court held that Section 59A(3) is a regulatory provision intended to protect the public by ensuring that the SMC can regulate the medical profession; it does not create a private right of action for individual doctors to challenge their dismissal. Furthermore, the court noted that the defendant's decision not to file a formal complaint was actually intended to benefit the claimant by allowing him to continue his career elsewhere. The court distinguished the regulatory functions of the SMC from the private employment rights of the defendant as an employer.

What Was the Outcome?

The High Court dismissed the claimant’s claim in its entirety. The court found that the defendant was fully justified in summarily dismissing the claimant for gross misconduct. The claimant’s unauthorized access to the medical records of over 70 patients constituted a fundamental breach of his contractual and professional duties of confidentiality. The court rejected all of the claimant's legal defenses, including the "iniquity exception," the alleged tortious duty of care, and the alleged breach of statutory duty under the Medical Registration Act 1997.

"I dismiss the claimant’s claim in its entirety." (at [161])

Regarding the specific orders and costs:

• Dismissal of Claims: The court dismissed the claims for wrongful dismissal, negligence, and breach of statutory duty. The claimant's prayer for damages in the sum of $4,442,570.53 was rejected.
• Costs: The court ordered the claimant to pay costs to the defendant. The costs are to be assessed if not agreed between the parties.
• Disposition per Party: The judgment was entirely in favor of the defendant, Singapore Health Services Pte Ltd. The claimant, Tan Tung Wee Eddie, received no relief.
• Operative Paragraph: Paragraph [161] serves as the final disposition of the matter, confirming the dismissal of the claim and the costs order.

The court's decision emphasizes that even if an employee believes they are acting in the public interest, they cannot resort to illegal or contractually prohibited "self-help" measures that violate the privacy of third parties. The judgment affirms the primacy of the employment contract in governing the relationship and the high value placed on patient confidentiality in the healthcare sector.

Why Does This Case Matter?

This case is of profound significance for employment law practitioners, healthcare professionals, and data privacy experts in Singapore. It provides much-needed clarity on several fronts:

1. The Limits of Whistleblowing and "Self-Help": The judgment establishes a clear boundary for employees who suspect wrongdoing within their organizations. While whistleblowing is encouraged through proper channels, "self-help" investigations that involve unauthorized data access or breaches of confidentiality are not legally protected. This is particularly critical in sectors like healthcare, where the data involved is highly sensitive. The court’s refusal to allow the "iniquity exception" to justify such breaches ensures that individuals cannot take the law into their own hands under the guise of the public interest.

2. Clarification of the Iniquity Exception: The court’s analysis of the iniquity exception as a "shield" rather than a "sword" is a vital doctrinal contribution. By clarifying that the exception does not authorize the acquisition of information through breach of confidence, the court has prevented the exception from being used as a loophole for data harvesting. This reinforces the sanctity of confidentiality and professional privilege in Singapore law.

3. Affirmation of the Leiman Principle: The case reaffirms the Leiman principle that there is no implied duty of procedural fairness in private employment contracts unless explicitly stated. This provides certainty for employers in Singapore, confirming that if a "root" breach of contract is established, summary dismissal is justified regardless of the internal process followed. This distinguishes Singapore’s position from jurisdictions that might imply a broader duty of "fairness" or "trust and confidence" in the dismissal process.

4. Rejection of Tortious Duties in Disciplinary Contexts: The court’s refusal to recognize a tortious duty of care in the conduct of disciplinary investigations is a significant win for employers. It prevents employees from using negligence claims to bypass the limitations of contract law and the high threshold for wrongful dismissal. This maintains the contractual nature of the employment relationship and prevents the "tortification" of employment disputes.

5. Interpretation of the Medical Registration Act: For the healthcare sector, the judgment clarifies that the Medical Registration Act 1997 is a regulatory tool and not a source of private rights for doctors facing disciplinary action. This ensures that hospitals can manage their staff through internal employment processes without being forced to refer every instance of misconduct to the SMC, provided they act within their contractual rights.

Practice Pointers

• For Employers: Ensure that IT usage policies and confidentiality clauses are express, clear, and regularly communicated to employees. The court relied heavily on the fact that the claimant’s access was "unauthorised" under established policies.
• For Employees: If you suspect professional misconduct, use established internal whistleblowing channels or report directly to the relevant regulatory body (e.g., the SMC). Do not attempt to gather evidence by accessing data you are not authorized to view.
• On the Iniquity Exception: Practitioners should note that the exception is a rule of disclosure, not a license for breach. It cannot be used to justify "self-help" data breaches or the violation of third-party privacy.
• On Procedural Fairness: While not strictly required by law (absent a contractual term), following a robust and documented internal disciplinary process is still best practice to ensure that the underlying "gross misconduct" can be clearly proven in court.
• On Negligence Claims: Be aware that the Singapore courts are highly resistant to recognizing a tortious duty of care in the context of employment investigations and dismissals. The primary remedy remains in contract.
• On Statutory Duties: When dealing with regulated professions, distinguish between the regulator's powers (e.g., the SMC under the MRA) and the employer's private contractual rights. One does not necessarily override the other.

Subsequent Treatment

As this is a recent 2025 decision, there is no recorded subsequent treatment in the extracted metadata. However, the ratio of the case—that an employer is justified in dismissing an employee for gross misconduct where the employee has breached express contractual confidentiality obligations by accessing patient records without authorisation—is expected to be followed in future employment disputes involving data breaches and "self-help" investigations.

Legislation Referenced

• Computer Misuse Act 1993 (2020 Rev Ed)
• Medical Registration Act 1997 (2020 Rev Ed)
• Medical Registration Act (1997 (2020 Rev Ed)), s 59A(3), s 59G, s 23, s 41, s 5(f)

Cases Cited

• Applied: Leiman, Ricardo and another v Noble Resources Ltd and another [2020] 2 SLR 386
• Considered: Al Sadeq v Dechert LLP [2024] 3 WLR 403
• Referred to: R v Central Criminal Court, Ex p Francis & Francis [1989] AC 346
• Referred to: R v Snaresbrook Crown Court, Ex p Director of Public Prosecutions [1988] QB 532
• Referred to: R v Cox and Railton (1884) 14 QBD 153

Source Documents

• Original judgment PDF: Download (PDF, hosted on Legal Wires CDN)
• Official eLitigation record: View on elitigation.sg