Privacy Ninja



PDPA compliance for the healthcare sector

PDPA compliance for the healthcare sector is a must because healthcare institutions collect, use, and disclose personal data.

When an organization such as a healthcare institution collects, uses, or discloses an individual’s personal data, it is obliged to comply with the provisions of the PDPA unless it is acting on behalf of a public agency; otherwise, it faces a hefty fine.

PDPA compliance for the healthcare sector: Consent, Purpose Limitation, and Notification Obligations

The Revised Advisory Guidelines for the Healthcare Sector of 2014 provide that whenever an organization collects, uses, or discloses personal data, it is required to obtain consent from the individuals concerned and to notify them of such collection, use, and disclosure of their personal data, unless exceptions apply.

The revised guidelines do not prescribe any specific manner of obtaining consent from individuals; how consent is acquired is therefore at the discretion of the Organization.


PDPA compliance for the healthcare sector: Considerations in obtaining consent

According to the Revised Advisory Guidelines for the Healthcare Sector of 2014, before collecting, using, or disclosing an individual’s personal data, a healthcare institution should consider the following in respect of its consent obligations:

a) Whether the individual (or a person who has the legal authority to validly act on behalf of the individual) had been notified of the purposes for the collection, use, or disclosure of his personal data and had given consent to such collection, use, or disclosure;

b) If consent had not been given, whether consent can be deemed to have been provided by the individual (or a person who has the legal authority to validly act on behalf of the individual) for the collection, use, or disclosure of his personal data for the purpose; and

c) Whether the collection, use, or disclosure without the consent of the individual is required or authorized under the PDPA or any other written law, in particular, assessing whether the circumstances fall within any of the exceptions from the Consent Obligation in the Second, Third or Fourth Schedules to the PDPA.


PDPA compliance for the healthcare sector: Access and Correction Obligation

Under Section 21(1) of the PDPA, upon the request of the individual, the Organization must provide the following:

a) personal data about the individual that is in the possession or under the control of the Organization; and

b) information about the ways in which that personal data has been or may have been used or disclosed by the Organization within a year before the date of the individual’s request.

Furthermore, under Sections 22(1) and 22(2) of the PDPA, individuals may request the correction of their personal data (or of an omission in it) held by the Organization. The Organization must make the necessary corrections upon receiving the correction request unless it is satisfied on reasonable grounds that the correction should not be made.


PDPA compliance for the healthcare sector: Do Not Call Provision

Under the Do Not Call provision of the PDPA, organizations are not allowed to send specified messages to a telephone or mobile number that an individual has registered in the Do Not Call Registry. Organizations that do so face a hefty fine.

Under the Do Not Call Provision, specified messages are messages whose purpose is to offer to supply, advertise, or promote goods or services, land or an interest in land, or a business or investment opportunity, or a supplier of such goods, services, land, or opportunity.

However, there are exceptions to this rule: if the recipient has given consent, if the message is not a specified message, or if the message is a specified message that falls under the Exemption Order, the Organization is exempted from this obligation.

Under the Exemption Order, if an “ongoing relationship” exists between the sender and the recipient, the Organization is exempted from the requirement to check the relevant Do Not Call Registers.

In determining whether an ongoing relationship exists between the patient and the healthcare institution, the following are considered:

  1. The frequency of visits the patient makes to the clinic; and
  2. Whether the patient has agreed to a course of treatment that requires several separate visits to the clinic.

Hiring a Data Protection Officer (DPO) and PDPA compliance for the healthcare sector

Organizations that collect, use, and disclose personal data are covered under the PDPA. From PDPC decisions and undertakings, we have learned that if there is a breach, regardless of its cause (even a mere mistake by an employee), the Organization could be made to pay a hefty fine of up to S$1,000,000. This is where appointing a DPO comes into play.

The DPO’s role is to ensure that the Organization meets all of its obligations under the PDPA. Every Organization covered by the PDPA is required to appoint a DPO to ensure that no breach happens in the future.

This is because the DPO is tasked with the following responsibilities, which limit the risk of a data breach:

a. Putting together a personal data protection policy that sets out the purposes for which personal data may be collected, used, or disclosed by the healthcare institutions, as well as other data protection practices to ensure compliance with the PDPA and making information about this policy available to all stakeholders;

b. Raising awareness and fostering a culture of data protection among staff and key personnel;

c. Developing and implementing policies and processes for the proper handling and management of personal data protection-related queries and complaints (e.g., access and correction requests) and making information about the complaints process available on request; and

d. Alerting healthcare institutions to any risks that might arise concerning collecting, using, or disclosing personal data.
