Restricted, Sensitive (Normal)
NON-DISCLOSURE & SECURITY AWARENESS UNDERTAKING
FOR EXTERNAL USERS AT SINGHEALTH & SINGHEALTH INSTITUTIONS
(“Undertaking”)
DETAILS OF EXTERNAL USERS:
Name (as per NRIC / other identification documents) :
NRIC No. / FIN No. / Passport No. (last 4 characters e.g. xxxxx321A) :
Job Title :
MCR / DCR Number (where applicable) :
Project Title (where applicable) :
Work Scope :
Institution / Hospital of External User :
Host Institution(s) :
DEFINITIONS FOR THE PURPOSES OF THIS UNDERTAKING:
EXTERNAL USER
An “external user” shall refer to any person not employed by SingHealth or any SingHealth
Institution, who:
(a) visits or uses any premises of SingHealth and/or any SingHealth Institution as authorized
by SingHealth and/or any SingHealth Institution; or
(b) accesses or is provided by SingHealth and/or any SingHealth Institution with Confidential
Information (as defined below),
to engage in any work, studies, training, programmes, experiments, evaluations, assessments or
other activities, including but not limited to locums, interns, external legal counsel, visiting /
attachment personnel, local or overseas medical students and visiting fellows and doctors.
SINGHEALTH & SINGHEALTH INSTITUTION
“SingHealth” refers to Singapore Health Services Pte Ltd.
“SingHealth Institution” refers to a subsidiary of SingHealth.
“Host Institution” refers to SingHealth and/or any SingHealth Institution receiving the External User
for the Work Scope as stated above.
CONFIDENTIAL INFORMATION
“Confidential Information” shall mean all information (that is marked confidential or is clearly by its
nature confidential) in any form (including all oral and visual information and all information
recorded in writing or electronically, or in any other medium or by any other method) disclosed to,
or obtained by the External User, from SingHealth, any SingHealth Institution, and/or a third party
acting on their behalf, and without prejudice to the generality of the foregoing shall include data,
financial statements, staff information, patient information, processes, trade secrets, ideas,
know-how, blue-prints, formulae, designs, specifications, concepts, forecasts, strategies and all other
information relating to SingHealth and/or any SingHealth Institution.
ACKNOWLEDGEMENT AND DECLARATION:
I declare / acknowledge and agree:
Confidential Information
1. not to use Confidential Information for any purpose other than for the purposes of my Work
Scope as an External User;
2. not to disclose and/or publish any Confidential Information, without the prior written consent
of the Host Institution and the relevant patients (where applicable), to any party not
authorized to receive such information during or after my Work Scope as an External User;
3. that I shall only reproduce, duplicate and/or copy such Confidential Information to the extent
that is necessary for the proper execution of my Work Scope as an External User and shall
also take all steps to prevent any reproduction, duplication and/or copying of the Confidential
Information by others. I shall also ensure that such copies be properly disposed of as
instructed by the Host Institution;
4. that I shall take reasonable care at all times of Confidential Information and to conduct
myself with regard to the care and custody of Confidential Information in such a way as not
to endanger the safety or secrecy of the information. Without limiting the generality of the
foregoing:
(a) I must not display, upload, store, transfer or forward any Confidential Information on or
to the internet, personal devices, external systems, servers, portals, websites, blog
sites or cloud-based services without all necessary approvals;
(b) I must ensure that the Confidential Information in my care is secure from loss, damage
and theft;
(c) I must properly dispose of and not leave Confidential Information in electronic or
physical form on printers, photocopiers, fax machines, waste bins and other
non-secured devices and containers;
(d) I must use secured means when handling and transferring Confidential Information,
and comply with all IT security policies and processes as required by the Host Institution;
and
(e) I must not remove, tamper with or disable corporate anti-virus and other corporate software
installed on IT resources (as defined in the SingHealth Acceptable Use Policy
(attached)) that I am given access to for my Work Scope;
5. not to remove any documents or any other items containing Confidential Information from
the premises of the Host Institution at any time without prior written authorization;
6. that upon the Host Institution’s request and, in any event, upon my ceasing to be an External
User, I am to:
(a) in accordance with the Host Institution’s policies and/or applicable law, return to the
Host Institution or at its direction, destroy all documents and any other items containing
Confidential Information and any notes, memoranda or written record containing
Confidential Information including any copies made, which are in my possession or
under my control; and
(b) observe all other obligations of an External User as required under applicable laws
and/or owed to the Host Institution and abide by all other directions that the Host
Institution may give for the return or proper disposition of Confidential Information;
7. not to access or attempt to access information of a confidential nature that I am not
authorised to access, including patient-related data in the Electronic Medical Records /
Electronic Dental Records (“EMR / EDR”);
8. where I have obtained individually-identifiable information or human biological material for
the purposes of human biomedical research, I must take all reasonable steps and
safeguards as may be necessary to protect such information from accidental or unlawful
loss, modification or destruction, or unauthorized access, disclosure, copying, use or
modification. Where I have been tasked with the act of rendering information or material
non-identifiable, and possess the ability to unlock the identity of person(s) to which such
information or material relate, I shall not attempt to re-identify, or disclose the method to
re-identify, the information or material except as permitted under applicable laws and by the
Host Institution. For the purposes of this clause, “individually-identifiable information” and
“human biological material” shall bear the same meaning as set out in the Human
Biomedical Research Act 2015;
9. that to receive Confidential Information of any third party for the performance of the Work
Scope, I may from time to time be required additionally to give an undertaking in writing to
maintain obligations of confidentiality in respect of such information;
10. that the Confidential Information and all rights therein are and shall remain the sole and
exclusive property of SingHealth and/or SingHealth Institutions as the case may be;
Use of EMR / EDR
11. that where accessing EMR / EDR is required as part of my Work Scope, I am required prior
to such access to undergo any orientation programme specific to the protection of the
confidentiality of EMR / EDR and to sign any written undertakings as are required by
SingHealth and/or any SingHealth Institution. I shall not access the EMR / EDR without first
giving my undertaking to comply with such requirements;
Identification card, password and computer security
12. that where connecting to any Host Institution’s computer network system (collectively
referred to as “SingHealth computer network system”) is required as part of my Work Scope,
I am required prior to such use to familiarize myself with the applicable IT Security policies.
I shall not access the computer network system without first giving my undertaking to comply
with such requirements;
13. that I have read and understood the SingHealth Acceptable Use Policy and will comply with
the said policy;
14. that I am solely responsible and accountable for the security and use of any log-in
identification or password assigned to me. I will not at any point leave a computer terminal
unsecured or unattended whilst I am logged into the SingHealth computer network system;
15. that my password to log into the SingHealth computer network system is equivalent to my
signature and that such signature may be used to sign electronic orders and documents. I
agree not to reveal such password to anyone nor allow it to be accessible to anyone;
16. that I am solely responsible and accountable for any door access card assigned to me. I
agree to return such door access card (if any) when I cease to be an External User;
MOHH personal undertaking
17. that I have read and fully understood, and undertake to ensure full compliance with, the
MOHH Group Policy on Data Protection and Data Security attached as Annex A. The MOHH
Group of companies, defined as “the Group” in Annex A, refers to Public Healthcare
Institutions and healthcare entities in the Singapore Public Healthcare Family;
Consequences of breach
18. that in the event of any breach or neglect of my obligations in this Undertaking, any Host
Institution (where there is more than one) may exercise its right to refuse my access to
and/or use of the Host Institution’s facilities and may terminate my authorization as an
External User to enter or remain on its premises;
19. that breach of confidentiality obligations in respect of certain Confidential Information may
constitute an offence punishable by law, including the Official Secrets Act (Cap. 213);
20. that if I should breach any provision of this Undertaking, SingHealth and/or any SingHealth
Institution may suffer immediate and irrevocable harm for which damages may not be an
adequate remedy. Hence, in addition to any other remedy that may be available in law,
SingHealth or the affected SingHealth Institution is entitled to injunctive relief to prevent a
breach of this Undertaking; and
21. that even after I cease my Work Scope, the confidentiality obligations herein shall continue to
subsist.
Signature of External User * :
Date :
Name of External User * (as per NRIC / other identification document) :
Signature of Witness :
Date :
Name of Witness :
*Where External User is under 21 years of age, please obtain a parent’s / legal guardian’s signature.
I am aware of the External User’s Work Scope at the Host Institution. I undertake to ensure due
compliance by the External User with this Undertaking.
Signature of External User’s parent / legal guardian :
Name of External User’s parent / legal guardian (as per NRIC / other identification document) :
NRIC / FIN No. / Passport No. of External User’s parent / legal guardian (last 4 characters e.g. xxxxx321A) :
Relationship with External User :
Date :
Signature of Witness :
Date :
Name of Witness :
ANNEX A
PERSONAL UNDERTAKING: MOHH GROUP POLICY ON DATA PROTECTION
AND DATA SECURITY
Patient confidentiality is a core value of the MOHH Group of companies (“the Group”). You play an
important role in safeguarding the confidentiality of Group Information (as defined below) which you
encounter in the course of your work.
It is important for you to note the following:
WHAT YOU MUST DO & WHAT YOU CANNOT DO
1. You must comply with all applicable laws, statutes, subsidiary legislation, rules, guidelines regarding
legal and regulatory compliance from any relevant authority and any contractual obligations that protect
the confidentiality of information owned by the Group, information which the Group handles on behalf
of another party as an agent, data intermediary or collaborator, personal data (as defined in the
Personal Data Protection Act 2012) and de-identified individualised datasets (“Group Information”).
Group Information may include the Group’s internal circulars or policies, MOH’s or other regulatory
authorities’ circulars or policies as may be applicable, and legal and financial documents such as
contracts and financial statements, research findings, etc. Personal data typically refers to records of
patients, staff, contractors and other individuals, such as name, NRIC, health records, income data,
etc. De-identified records of individuals may form part of Group Information under non-disclosure
obligations and may also be re-identifiable.
2. You must abide by all governing policies, practices and guidelines issued, amended and supplemented
from time to time, by the MOH, MOHH and the MOHH Group entity which you are employed under,
appointed, attached or seconded to, or render services to, which include: (i) data and IT security policies
set out in the HealthTech Instruction Manual and other directives and circulars; (ii) personal data
protection policies, procedures, standards and guidelines; and (iii) employee handbooks (if applicable).
3. At any time during and/or after your posting / appointment / training / attachment / internship /
secondment (“Employment”) with us and/or any other entity within the Group (“Company”):-
a) you must ensure that the confidentiality of the Group Information is strictly maintained at all times,
use the Group Information only for authorised purposes and not divulge any Group
Information to any unauthorised person;
b) you must understand that Group Information is made available to you purely to enable you to
perform all duties assigned to you by us or a Company (“Assigned Duties”);
c) you must not access, copy, reproduce or use any Group Information for any unauthorised purpose;
d) unless it is in the proper course of the performance of your Assigned Duties and you have proper
authorisation to do so, you must not at any time:
(i) remove any documents or any other items containing Group Information from any of the
Group’s premises;
(ii) capture or publish on social media or any public electronic platform, the image or audio of any
persons, documents, materials, events, incidents or equipment constituting or containing
Group Information or on matters concerning any Group Information (whether conveyed formally
or otherwise);
(iii) communicate to any external parties and/or organisations (including but not limited to business
contacts, media, competitors, external authorities, etc.) on matters concerning any Group
Information (whether conveyed formally or otherwise); or
(iv) attempt to re-identify, or disclose the method to re-identify the information or material, if you
process or are given access to de-identified individualised data.
e) at all times, you must be vigilant in the disclosure of Group Information and ensure that the
disclosures are authorised and compliant with security safeguards;
f) you must promptly return all Group Information and ensure no part or copies remain in your
possession upon termination or expiration of your Employment, and/or abide by any direction we
may give for its proper disposition;
g) you must only access IT systems which you have been authorised to access and use to discharge
your duties and for no other purpose, and you must not attempt to exceed the access levels given
to you;
h) you must observe and abide by all terms and conditions that relate to the use of our IT systems
that you are authorised to use;
i) after accessing these IT systems and after use, you must log off from your account;
j) you must not share or reveal any log-in identification or password assigned to you with anyone or
allow it to be accessible to anyone;
k) if you inadvertently receive access to any information not normally received during the course of
your Assigned Duties, you must notify your supervisor immediately and comply with their directions;
and
l) you must notify your supervisors immediately if you become aware of any potential or actual breach
of confidentiality of Group Information.
WHAT YOU SHOULD KNOW
4. A failure to observe confidentiality of Group Information is a breach of the terms and conditions of your
Employment with us. You may be subject to internal disciplinary action, including termination of your
Employment.
5. A failure to comply with the Group’s policies, terms and conditions for the use and access of IT systems,
contractual obligations and/or applicable laws, may also render you liable to disciplinary action and
legal action in the event of a data breach, and termination of access to Group Information.
6. In addition, some breaches of confidentiality may also render you liable to criminal prosecution under
the applicable laws, statutes and relevant subsidiary legislation.
Updated as of 29 Dec 2020