The Singapore OSINT Legal Checklist: 12 Statutes to Screen Before Any Investigation

2026-07-13 · Philip Choo · AI9OS

Before a single search runs, a lawful open-source investigation in Singapore has already answered one question: which statutes govern this collection, and is there a lawful basis under each? This checklist covers the twelve Acts we screen every case against, and the cases that show what happens when screening is skipped. It is general information for practitioners, not legal advice — engage counsel for any live matter.

The licensing gate

  • Private Security Industry Act 2007 (PSIA) — in Singapore, private-investigation services may only be provided and advertised by licensed private investigators and agencies (ss 5, 6, 19). Section 23 sets conduct requirements, and s 11(4) read with s 32(3)(a) makes taking an assignment without required approval an offence with real penalties. In October 2025, the Singapore Police Force announced charges against two private investigators — one matter involving PSIA s 11(4) and, notably, a Penal Code s 204A charge for deleting phone evidence. The lesson: the licensing perimeter is enforced, and destroying evidence of your own work compounds it.

Data protection

  • Personal Data Protection Act 2012 (PDPA) — collection, use and disclosure of personal data needs a lawful basis (ss 13–18). For investigators the load-bearing provisions are in the First Schedule, Part 3: the investigations and proceedings basis, the publicly available data basis and the legitimate interests basis. None of them is a blank cheque — proportionality and purpose limitation still apply, and s 24 imposes a protection obligation on whatever you hold. Re Singapore Taekwondo Federation [2018] SGPDPC (S$30,000 penalty) shows the regulator treats minors' NRIC data as aggravating.

Harassment, stalking and doxxing

  • Protection from Harassment Act 2014 (POHA) — ss 3–5 cover harassment including the 2019 doxxing amendments (publishing identity information to harass or facilitate violence), and s 7 creates the offence of unlawful stalking. A course of surveillance conduct can itself be the offence: see PP v Mohammad Faizal bin Omar on s 7. If the method of an investigation would harass or stalk the subject, the case fails screening regardless of the client's motive.

Computer misuse

  • Computer Misuse Act 1993 (CMA) — s 3 (unauthorised access), s 5 (unauthorised modification), s 6 (unauthorised interception), and — critical for OSINT practitioners — s 8A (2017): dealing in personal information obtained through a CMA offence is itself an offence. Buying breach data to "check" a subject is not open-source collection; it is a CMA exposure.

Live proceedings

  • Administration of Justice (Protection) Act 2016 (AJPA) — s 3(1)(b) prohibits publications and conduct that pose a real risk of prejudice to pending proceedings (sub judice), and s 3(1)(a) covers scandalising the court. The first convictions were Jolovan Wham and John Tan [2020] SGCA 16, and in December 2025 the Attorney-General's Chambers publicly warned over sub judice commentary in a high-profile matter. Investigating around a live court matter needs counsel's instruction and tight scope.

The Penal Code cluster

  • Penal Code 1871 — s 204A obstruction of justice (post-2020: conduct with a tendency to obstruct, done with knowledge), ss 182/193 false information and evidence, ss 499–502 defamation, ss 503–507 criminal intimidation, and ss 107–108 abetment — the provision that catches an investigator who "merely helps" a client do something unlawful.

Evidence integrity

  • Evidence Act 1893 — ss 128/131 protect legal-professional privilege, and s 116A creates presumptions about electronic records — which is why tamper-evident, hash-chained handling of digital findings matters from the first capture, not just at trial. And the leading admissibility case cuts both ways: Law Society v Tan Guat Neo Phyllis [2007] SGHC 207 holds that improperly obtained evidence may still be admissible — but admissibility has never made the collection lawful. The investigator carries the exposure either way. ANB v ANC [2015] SGCA 43 (spouse copies husband's laptop with a PI's help; breach-of-confidence injunction follows) shows the civil consequences.

The rest of the screen

  • Children and Young Persons Act 1993 (CYPA) — ss 111–112 (2020 Rev Ed; the old s 35 was repealed and renumbered) restrict publication of identifying information about minors in proceedings. Any case touching a minor gets heightened scrutiny.
  • Criminal Procedure Code 2010 and Coroners Act 2010 — govern what belongs to state investigators, not private ones.
  • POFMA 2019 — falsehood-correction directions can attach to published "findings."
  • Copyright Act 2021 — collection and republication of protected material in reports.

Turning the checklist into practice

A checklist only works if it runs every time, before acceptance, and leaves a record. Our approach is a pre-investigation gate: seven acceptance questions, eight red-line auto-stops (covert methods, live-matter interference, no lawful PDPA basis, minors without basis, intimate-partner surveillance, unlawful purpose, unmanageable conflicts, work outside the PSIA perimeter), and a scored risk rubric — with every gate and red line tied to the statute above that governs it. The signed decision is hashed and timestamped into an append-only evidence locker, so any bundle later handed to counsel opens with proof that the matter was lawfully screened before collection ran.

That discipline is buildable by any agency: write the gates, cite the statutes, log the decision immutably, and refuse the cases that fail. The statutes are public. The cases above are what non-compliance costs.


Sources: Singapore Statutes Online (sso.agc.gov.sg) current revised editions; SGCA/SGHC judgments as cited; SPF and AGC public releases; PDPC enforcement decisions. Verified July 2026.

AI9OS turns public information into verified, chain-of-custody findings for licensed investigation agencies, law firms and corporate risk teams.

Request a demo