PDPA Lawful Bases for Investigators — Three Doors Into Personal Data, and Where Each One Stops
Every open-source investigation in Singapore processes personal data. Names, photographs, employment histories, vehicle registrations, company shareholdings — the raw material of the work is exactly what the Personal Data Protection Act 2012 regulates. And the PDPA's default lawful basis, consent, is the one door an investigator can almost never use: you do not ask the subject of a fraud inquiry to sign a consent form before you look at them.
Parliament understood this. The Act's First Schedule sets out when personal data may be collected, used or disclosed without consent, and three of its provisions carry nearly all legitimate investigative work. Each one is a real door. Each one also stops somewhere specific — and most PDPA trouble in this profession comes from treating a door as a corridor.
Door 1 — Publicly available data (First Schedule, Part 2)
The most-used basis in OSINT is also the most misunderstood. Part 2 of the First Schedule — "matters affecting the public" — permits collection, use and disclosure of personal data that is publicly available: data an ordinary member of the public could genuinely access. A public LinkedIn profile, a court judgment, a news article, an ACRA filing, a post the individual published to the open web.
Where it stops:
- Breached data is not publicly available data. A leaked credentials dump circulating on a forum is data obtained through unauthorised access; under the Computer Misuse Act, s 8A, obtaining or dealing in it can itself be an offence. "Anyone can download it" is not the statutory test.
- Behind a login is not public. Content visible only to approved friends, members of a closed group, or a paying subscriber base was not made available to the general public, and pretexting your way in does not change that.
- Reasonableness still overlays everything. Section 18 of the Act requires that collection be for purposes a reasonable person would consider appropriate in the circumstances. "It was public" answers may I look? — it does not answer may I compile, profile and disclose without limit?
Door 2 — The investigations exception (First Schedule, Part 3, paragraph 3)
This is the working basis of the licensed investigation industry. Personal data may be collected, used or disclosed without consent where it is necessary for any investigation or proceedings — and "investigation" is defined in s 2(1) in three limbs: an investigation relating to a breach of an agreement; a contravention of written law or of professional-conduct rules or regulatory requirements; or a circumstance or conduct that may result in a remedy or relief being available under any law.
Read those limbs against a real caseload and the fit is striking. Employee misconduct is a breach of agreement. Fraud is a contravention of written law. A matrimonial matter maps to remedies under the Women's Charter; an IP infringement to remedies under the trade-mark and copyright statutes. Most legitimate instructions a licensed agency accepts sit squarely inside a limb.
Where it stops:
- The investigation must be real. The exception attaches to an actual matter — ongoing, or genuinely in contemplation — not to a hypothetical future one. Building a speculative dossier "in case a client ever needs it" is collection without a basis.
- "Necessary" means necessary. It is a proportionality word. Data that is merely convenient, interesting, or nice-to-have for the matter is not covered; the basis extends exactly as far as the investigative need does.
- The exception unlocks consent, not the Act. Accuracy, protection, and retention-limitation obligations continue to apply in full to everything collected under it.
Door 3 — General legitimate interests (First Schedule, Part 3, paragraph 1)
The 2020 amendments added a residual basis: collection, use or disclosure in the legitimate interests of the organisation or another person, where those interests outweigh any adverse effect on the individual. It exists for the genuine edge cases — fraud-prevention screening, security monitoring — that no specific exception quite covers.
Where it stops: the conditions are the point. The organisation must conduct and document the balancing assessment before relying on the exception, and must disclose that reliance. The Personal Data Protection Commission's first decision on this exception turned on precisely that discipline. Legitimate interests is a door with paperwork — it is not a catch-all for collection that a narrower exception was designed to refuse.
The purpose is the boundary
Here is the provision that catches technologists, including — especially — anyone building with AI: a lawful basis authorises collection for a purpose, and the purpose travels with the data. Personal data collected under the investigations exception for one matter cannot be quietly repurposed — for marketing, for analytics, or for training a model — because the original collection was lawful. A new purpose needs its own basis, and under s 25 the data must go when the original purpose is served and retention is no longer needed. A drawer of closed case files is many things; free training data is not one of them. What can be reused is what identifies no one: the methodology, the report structures, the decision patterns — the shape of the work, never the people in it.
Making the basis machine-visible
In our practice this walkthrough is not a memo — it is enforced in software. Every case on our platform records its lawful basis and instructing context at intake, before any collection runs. Scope guardrails then hold collection inside that basis: excluded parties are machine-blocked, and every exhibit's audit record shows which door it came through and for which matter. The provenance pack a client ultimately receives opens with the lawful-collection record for exactly this reason: the first attack on open-source evidence is rarely "it's false" — it's "you had no right to collect it." A finding should have to prove its legality before anyone debates its truth.
The PDPA is not the obstacle to professional OSINT in Singapore. It is the specification for it — three doors, each honestly wide, each with a wall. The investigators who last are the ones who can show, matter by matter and exhibit by exhibit, which door they walked through.
General information for practitioners, not legal advice. AI9OS is an open-source-intelligence technology platform; investigation services are conducted solely by licensed agencies under Singapore's Private Security Industry Act.
AI9OS turns public information into verified, chain-of-custody findings for licensed investigation agencies, law firms and corporate risk teams.
Request a demo