Understanding the mandatory data breach notification of Singapore

Singapore’s Personal Data Protection Commission (PDPC) has declared that the mandatory data breach notification will soon become required in Singapore. However, not all infractions must be reported. This guide is to help businesses understand when, to whom, and how to inform in the event of a data breach.

What exactly is a data breach?

A data breach is defined as any illegal access, collection, use, disclosure, copying, modification, or disposal of personal data in the ownership or control of an organization.

When and to whom should a company report a data breach?

1. When the data breach that occurred is:

likely to cause significant harm or effect to the people to whom the information relates; or
on a significant scale (as a rule of thumb, data from 500 or more individuals is affected).

2. When a data breach is likely to cause significant harm or impact to the individuals to whom the information belongs, an organization must notify affected individuals (including parents and legal guardians of minors whose personal data is compromised).

There may be exceptions where:

the personal information has been encrypted and cannot be decoded; or
corrective efforts were implemented so that the breach is unlikely to cause significant harm or impact on the persons.

3. When a data intermediary (i.e., an organization that processes personal data on behalf of another) becomes aware of a data breach, it must notify that organization without undue delay (i.e., within 24 hours).

Timeline for reporting in mandatory data breach notification

To PDPC:

Reporting should be done as quickly as possible, but no later than three days after deciding that a violation is notifiable.

Organizations must:

determine whether a suspected violation is notifiable within 30 days of becoming aware of it;
document the procedures taken to assess the violation and keep track of the reasons for any delays.

Notifications made after three days are in violation of the PDPA.

To Individuals who have been affected:

• As soon as possible.

What information should the notification contain?

To PDPC:

the magnitude of the data leak;
the type(s) and quantities of personal data involved;
the cause or probable cause of the data leak;
whether the data breach has been resolved;
the controls and processes in place at the time of the data breach;
whether the organization has notified or will notify affected individuals; and
contact information for the organization’s representative(s), with whom PDPC can communicate for more information.

To affected individuals:

the manner and time of the data leak;
the type(s) of personal data at issue;
the nature(s) of the injury or impact on impacted individuals, if appropriate;
actions performed or planned by the organization in response to the dangers posed by the data breach;
detailed information about the data breach and related steps that impacted individuals should take to avoid data misuse; and
contact information for affected individuals to contact the organization for additional information and support.

Other reporting requirements in Singapore to take note of

If the organization is regulated, it may be obligated to notify the relevant sector’s regulator. In Singapore, for example, financial institutions must report the Monetary Authority of Singapore (MAS) within one hour of discovering a relevant incident (i.e., a system malfunction or IT security incident which has a severe and widespread impact on their operations or materially impacts their service to customers). They must also submit a root-cause and impact analysis report to MAS within 14 days of the incident’s discovery.

While it is not required, an organization should also tell the authorities if it detects any criminal behavior (e.g., hacking, theft, or unauthorized system access). It can also contact the Singapore Computer Emergency Response Team (SingCERT) for technical assistance in the event of a computer security problem.

Depending on the jurisdiction, obligatory notification rules may apply if the data breach affects personal data stored outside of Singapore. The EU, California, the Philippines, China, Australia, and South Korea are among the jurisdictions that currently have obligatory breach reporting laws in place.

What to do before the mandatory data breach notification kicks in

Organizations will most likely be granted some time to establish and implement the required policies and practices to comply with the new notification requirements. However, organizations should start thinking about the following actions far in advance of any implementation deadline:
Ensure that agreements are evaluated to provide proper data breach protection. This may include counterparty promises on data privacy and security, incident reporting, subcontracting limits, audit rights, and insurance requirements. It is beneficial to retain outside counsel to ensure that contracts are strong and where arrangements or negotiations are more complex.
Create a data breach response plan by updating internal policies and procedures. Such a plan should instruct stakeholders on how to detect a breach, who to notify, how to record/document essential information, and other particular activities to take in reaction to an occurrence.
Provide training to staff to familiarize them with essential policies, processes, and plans, as well as setting up fake data breach exercises to put them to the test.