MOHT PDPA Standards

1. Compliance with PDPA. The Vendor shall comply with the PDPA and shall not do any act or engage in any activity that will or is likely to cause itself, and/or MOHT and MOHT Affiliates (“MOHT Group”) to be in breach of or is likely to compromise or affect the MOHT Group’s ability to comply with the PDPA.

2. Collection of Personal Data. To the extent that the Vendor collects Personal Data from third parties or individuals pursuant to or for the purposes of this Agreement or for such purposes as may be informed by MOHT, the Vendor undertakes and warrants that it shall ensure that appropriate consents in accordance with all applicable laws, including without limitation, the PDPA, have been obtained from the individuals and/or the third parties and provide proof of such consents to MOHT upon request.

3. Use of Personal Data. The Vendor shall:

a. process, disclose, and/or use Personal Data strictly in accordance with and to the extent required only for the purposes of fulfilling its obligations under this Agreement or pursuant to MOHT’s written instructions;

b. comply with any reasonable directions or requests in respect of Personal Data, which MOHT may provide the Vendor from time to time; and

c. immediately cease the collection, processing, use and/or disclosure of Personal Data of an individual if that individual withdraws his/her consent for the collection, processing, use, and/or disclosure of his/her Personal Data, or otherwise upon MOHT’s request.

4. Disclosure of Personal Data to third parties. Except in response to a valid court order, to the extent legally required in response to a request from a law enforcement agency or in order to comply with applicable laws or strictly for the purposes of executing its obligations under this Agreement, the Vendor shall not, without the written authority of MOHT and in any such cases only to the minimum extent required, disclose Personal Data to any third party. The Vendor shall immediately notify MOHT when it becomes aware that a disclosure of Personal Data may be required.

5. Access and Correction. The Vendor shall:

a. put in place adequate measures to ensure that Personal Data is accurate and complete and take steps to correct Personal Data in Vendor’s control or possession upon MOHT’s written request; and

b. provide MOHT with details of Personal Data that Vendor has in its possession or control upon MOHT’s written request.

6. Records. The Vendor shall maintain complete and accurate records of the manner in which Personal Data has been used or disclosed by Vendor and shall provide MOHT with such information upon MOHT’s written request.

7. Security. The Vendor shall:

a. protect Personal Data by making reasonable security arrangements to prevent any unauthorized access, collection, use, disclosure, copying, modification and/or disposal of Personal Data, including without limitation, employing administrative, physical, and technical safeguards (including safeguards against worms, Trojan horses, and other disabling or damaging codes);

b. immediately notify MOHT and provide full particulars of any breach of the terms of this Schedule 4 or breach of security, that may result in the unauthorised access, collection, use, disclosure, copying, modification and/or disposal of Personal Data, and shall:

(i) assist MOHT in relation to the investigation and remedy of such breach and any claim, allegation, action, proceeding, or litigation in this respect; and

(ii) implement all steps necessary to prevent further unauthorised access, collection, use, disclosure, copying, modification and/or disposal of Personal Data or other breaches of this Schedule 4, and provide MOHT with such reports or information concerning such steps, as and when requested by MOHT.

8. Transfer, processing, and/or use of Personal Data outside of Singapore. The Vendor shall not transfer, process, and/or use Personal Data outside of Singapore without the prior written approval of MOHT, which approval may be granted by MOHT subject to any further terms and conditions which MOHT may choose to impose upon the Vendor at MOHT’s sole discretion. Where MOHT has given approval for such transfer, process and/or use of Personal Data outside Singapore, the Vendor shall:

a. continue to be bound by and comply with its obligations under this Agreement (including this Schedule 4) notwithstanding the transfer, process and/or use of Personal Data outside of Singapore; and

b. ensure that prior to any such transfer, legally enforceable obligations have been imposed by the Vendor on the recipient(s) of Personal Data, ensuring that Personal Data transferred is accorded a standard of protection, which is at least comparable to the protection set out in this Agreement (including this Schedule 4) and under the PDPA. Where required by MOHT, Vendor shall furnish MOHT with proof that Vendor has made such imposition on the recipient(s) of the Personal Data.

9. MOHT Notices and Directions. The Vendor shall keep itself apprised of any and all guidelines, notices and circulars which MOHT Group, the Personal Data Protection Commission, the Singapore Government, its ministries and agencies, may from time to time, notify to the Vendor, relating to Personal Data (“Publications”), and to perform its duties or discharge its liabilities pursuant to this Agreement in a manner consistent with the Publications, and will not cause MOHT Group to be in breach of the same.

10. Sub-Contracting and Vendor Personnel. The Vendor agrees that:

a. to the extent that Vendor Personnel are required to access Personal Data for the purpose of fulfilling the Vendor’s obligations under this Agreement, the Vendor shall ensure that:

(i) such access shall be limited only to those Vendor Personnel who strictly need to have the Personal Data in order to perform their functions; and

(ii) such Vendor Personnel shall comply with the terms of this Schedule 4 and shall execute an undertaking in favour of MOHT (the form of which shall be determined by MOHT at its sole discretion) to such effect;

b. to the extent that the Vendor sub-contracts its obligations under this Agreement and has been permitted by MOHT to do so, the Vendor shall ensure that clause 6 of this Agreement and the whole of this Schedule 4 are incorporated into the Vendor’s contract with the sub-contractor; and

c. notwithstanding this clause 10 of this Schedule 4, any breach of clause 6 of this Agreement and/or this Schedule 4 by the Vendor Personnel or the Vendor’s sub-contractor shall be deemed as a breach by the Vendor.

11. Return and Deletion of Personal Data. The Vendor shall, upon MOHT’s request, or upon the termination or expiration of this Agreement, notwithstanding any other provisions in this Agreement and regardless of the form in which Personal Data is in, and/or the media it is contained in, immediately:

a. return the Personal Data to MOHT;

b. delete the Personal Data in its possession or control; and/or

c. instruct and ensure that all third parties to whom it has disclosed Personal Data return or delete the Personal Data.

12. Audits. The Vendor shall permit MOHT or any qualified independent third party appointed by MOHT to conduct audits on Vendor’s premises and systems, receipts, invoices, vouchers, working papers, records, reports and other documents to ensure that the processing, use, collection, and disclosure of Personal Data are in accordance with this Schedule 4.

The Parties shall bear their own respective costs and expenses incurred in respect of compliance with their obligations under Clause 12 of Schedule 4 of this Agreement, unless the audit identifies a material breach and/or default of Schedule 4 of this Agreement by the Vendor, in which case the Vendor shall reimburse the Government and/or MOHT (as the case may be) for all of the Government’s and/or MOHT’s (as the case may be) reasonable costs incurred in connection with the audit.

13. Handling Data Breaches. In the event that the Vendor is aware of a Data Breach (as defined below) in respect of MOHT Personal Data, the Vendor shall immediately notify MOHT. The Vendor shall also:

(i) take appropriate actions to rectify or mitigate the Data Breach and use all reasonable efforts to prevent its reoccurrence; and

(ii) make all reasonable efforts to assist MOHT in relation to the investigation and remedy of such Data Breach and any claim, allegation, action, proceeding or litigation with respect to the Data Breach.

Data Breach, in relation to Personal Data, means: (a) the unauthorized access, collection, use, disclosure, copying, modification or disposal of Personal Data, or (b) the loss of any storage medium or device on which personal data is stored in circumstances where the unauthorized access, collection, use, disclosure, copying, modification or disposal of the Personal Data is likely to occur.

Without prejudice to the generality of the foregoing, the Vendor also agrees to comply with the requirements regarding the handling of data breaches as set out in the Appendix, appended below.

PDPA Appendix Data breach
PDPA Annex A Data Breach Notification Form