Understanding the mandatory data breach notification of Singapore

Singapore’s Personal Data Protection Commission (PDPC) has announced that data breach notification will soon become mandatory in Singapore. However, not every breach must be reported. This guide helps businesses understand when, to whom, and how to notify in the event of a data breach.

What exactly is a data breach?

A data breach is defined as any illegal access, collection, use, disclosure, copying, modification, or disposal of personal data in the possession or under the control of an organization.

When and to whom should a company report a data breach?

1. When the data breach that occurred is:

2. When a data breach is likely to cause significant harm or impact to the individuals to whom the information belongs, an organization must notify affected individuals (including parents and legal guardians of minors whose personal data is compromised).

There may be exceptions where:

3. When a data intermediary (i.e., an organization that processes personal data on behalf of another) becomes aware of a data breach, it must notify that organization without undue delay (i.e., within 24 hours).

Timeline for reporting in mandatory data breach notification

To PDPC:

Reporting should be done as quickly as possible, and no later than three days after determining that a breach is notifiable.

Organizations must:

Notifications made after three days are in violation of the PDPA.

To Individuals who have been affected:

• As soon as possible.

What information should the notification contain?

To PDPC:

To affected individuals:

Other reporting requirements in Singapore to take note of

If the organization is regulated, it may be obligated to notify the relevant sector’s regulator. In Singapore, for example, financial institutions must report to the Monetary Authority of Singapore (MAS) within one hour of discovering a relevant incident (i.e., a system malfunction or IT security incident that has a severe and widespread impact on their operations or materially impacts their service to customers). They must also submit a root-cause and impact analysis report to MAS within 14 days of the incident’s discovery.

While it is not required, an organization should also tell the authorities if it detects any criminal behavior (e.g., hacking, theft, or unauthorized system access). It can also contact the Singapore Computer Emergency Response Team (SingCERT) for technical assistance in the event of a computer security problem.

Depending on the jurisdiction, obligatory notification rules may apply if the data breach affects personal data stored outside of Singapore. The EU, California, the Philippines, China, Australia, and South Korea are among the jurisdictions that currently have obligatory breach reporting laws in place.

What to do before the mandatory data breach notification kicks in