Singapore: PDPC finds no breach of consent obligation by Institute of Mental Health

27 Aug 2025 4 minute read

- Share by email
- Share on
- Twitter
- LinkedIn
- Facebook
- Google plus
- Get link
- Get QR Code
- Download
- Print

In brief

On 21 May 2025, the Personal Data Protection Commission (PDPC) found that the Institute of Mental Health (“Organization”) did not breach the consent obligation of the Personal Data Protection Act (PDPA) in relation to a complaint about the use of personal data to participate in a medical study.

In more detail

Key facts

The incident occurred on 20 March 2024, when the complainant was waiting to see a doctor in a waiting room in the Organization’s clinic. A research officer from the Organization approached the complainant, identified the complainant by their full name and sought the complainant’s consent to participate in a study relating to certain medical conditions affecting outpatients at tertiary psychiatric hospitals.

The complainant lodged a complaint with the Organization on the same day, seeking an explanation as to why the doctor had disclosed the complainant’s name, health condition and/or medical history to the research officer without their consent.

Findings

The key issue for determination was whether the Organization obtained the complainant’s consent or deemed consent by notification before using their personal data for the purpose of recruiting the complainant for the study.

Implied consent

Although the complainant did not provide express consent to the use of their personal data for the purpose of being recruited for the study, the PDPC found that the Organization had obtained their implied consent for the same purposes.

The Organization had displayed a notification (“Notification”) prominently at registration counters, payment counters and pharmacy counters in the clinic (high-traffic areas and therefore highly likely to be visible to all patients visiting the clinic). Among other things, the Notification states: “We may use your personal data to invite you to participate in suitable care programmes or shortlist you for participation in relevant research studies”.

The PDPC concluded as follows:

By prominently displaying the Notification prior to the date of the incident, the Organization had taken reasonable steps to bring the Notification to the attention of its patients, including the complainant.
The complainant had provided implied consent to the use of their personal data for the purpose of being recruited for the study by, among other things, continuing to visit the Organization, not objecting to the use of their personal data and continuing to provide their personal data to the Organization after being afforded reasonable opportunities to view the Notification over a period of 10 years, among other reasons.

Thus, it was found that the Organization was not in breach of the consent obligation.

Deemed consent by notification

That said, the PDPC did make an observation that the Organization did not satisfy the conditions for obtaining the complainant’s deemed consent by notification.

To rely on deemed consent by notification, an organization must take reasonable steps to alert the individual to the means and time period within which the individual may notify the organization that they do not consent to the relevant use of their personal data.

While the Organization pointed to how its data protection officer’s contact details were displayed on its website and how patients could speak directly to its counter staff or quality service manager about concerns relating to participating in research studies, the PDPC held that these measures were insufficient as they placed the onus on the individual to navigate the organization’s bureaucracy to find out how to opt out.

Express consent

The PDPC also stated that, as a matter of best practice, the Organization could have done better to ensure that it obtained the express consent of the individuals concerned prior to collecting, using or disclosing their personal data, particularly when this involved an individual’s medical information.

The Organization has since voluntarily reviewed its processes and issued a revised guideline on the recruitment of subjects for research studies and clinical trials, with the intent of relying on the express, rather than implied, consent of individuals before using medical information to recruit participants for research studies. The PDPC stated that it was satisfied with these changes.

Key takeaways

Business owners should conduct frequent reviews of their guidelines and processes pertaining to collection of consent from data subjects. While implied consent may be valid under specific circumstances, businesses should strive to seek express consent as a matter of best practice, particularly when an individual’s medical information is involved.

* * * * *

© 2025 Baker & McKenzie. Wong & Leow. All rights reserved. Baker & McKenzie. Wong & Leow is incorporated with limited liability and is a member firm of Baker & McKenzie International, a global law firm with member law firms around the world. In accordance with the common terminology used in professional service organizations, reference to a "principal" means a person who is a partner, or equivalent, in such a law firm. Similarly, reference to an "office" means an office of any such law firm. This may qualify as "Attorney Advertising" requiring notice in some jurisdictions. Prior results do not guarantee a similar outcome.

Contact Information

Andy Leck
Principal
Singapore
Read my Bio
andy.leck@bakermckenzie.com

Ren Jun Lim
Principal
Singapore
Read my Bio
ren.jun.lim@bakermckenzie.com

Ken Chia
Principal
Singapore
Read my Bio
ken.chia@bakermckenzie.com

Sanil Khatri
Local Principal
Singapore
Read my Bio
sanil.khatri@bakermckenzie.com

Daryl Seetoh
Local Principal
Singapore
Read my Bio
daryl.seetoh@bakermckenzie.com

Natalie Joy Huang
Local Principal
Singapore
Read my Bio
natalie.huang@bakermckenzie.com

Copyright © 2025 Baker & McKenzie. All rights reserved. Ownership: This documentation and content (Content) is a proprietary resource owned exclusively by Baker McKenzie (meaning Baker & McKenzie International and its member firms). The Content is protected under international copyright conventions. Use of this Content does not of itself create a contractual relationship, nor any attorney/client relationship, between Baker McKenzie and any person. Non-reliance and exclusion: All Content is for informational purposes only and may not reflect the most current legal and regulatory developments. All summaries of the laws, regulations and practice are subject to change. The Content is not offered as legal or professional advice for any specific matter. It is not intended to be a substitute for reference to (and compliance with) the detailed provisions of applicable laws, rules, regulations or forms. Legal advice should always be sought before taking any action or refraining from taking any action based on any Content. Baker McKenzie and the editors and the contributing authors do not guarantee the accuracy of the Content and expressly disclaim any and all liability to any person in respect of the consequences of anything done or permitted to be done or omitted to be done wholly or partly in reliance upon the whole or any part of the Content. The Content may contain links to external websites and external websites may link to the Content. Baker McKenzie is not responsible for the content or operation of any such external sites and disclaims all liability, howsoever occurring, in respect of the content or operation of any such external websites. Attorney Advertising: This Content may qualify as “Attorney Advertising” requiring notice in some jurisdictions. To the extent that this Content may qualify as Attorney Advertising, PRIOR RESULTS DO NOT GUARANTEE A SIMILAR OUTCOME. Reproduction: Reproduction of reasonable portions of the Content is permitted provided that (i) such reproductions are made available free of charge and for non-commercial purposes, (ii) such reproductions are properly attributed to Baker McKenzie, (iii) the portion of the Content being reproduced is not altered or made available in a manner that modifies the Content or presents the Content being reproduced in a false light and (iv) notice is made to the disclaimers included on the Content. The permission to re-copy does not allow for incorporation of any substantial portion of the Content in any work or publication, whether in hard copy, electronic or any other form or for commercial purposes.