A new mandatory personal data breach notification requirement was passed by Singapore’s Parliament on 3 November 2020 as part of new amendments to the Personal Data Protection Act 2012 (“PDPA”) and is expected to be implemented by early 2021. New draft guidelines have also been published by the Personal Data Protection Commission (“PDPC”) on the implementation of this requirement. Companies and other organisations operating in Singapore should take active steps to incorporate this new requirement into their data protection procedures and data breach management plans.
Previous Voluntary Notification Regime
A data breach involves the unauthorised access, collection, use, disclosure, copying, modification or disposal of personal data (collectively referred to in this article as “unauthorised processing”) or the loss of any storage medium or device (e.g. a misplaced portable hard disk or USB storage drive) on which personal data is stored in circumstances where unauthorised processing is likely to occur.
Prior to the amendments to the PDPA, Singapore had a voluntary notification regime whereby organisations were encouraged to notify the PDPC and affected individuals in the event of a data breach. No penalties were directly imposed for a failure to notify the PDPC or affected individuals. However, the PDPC could take into account prompt notification as a factor in an organisation’s favour when deciding on any action to be taken against the organisation where a data breach occurs.
Notifiable Data Breaches
Under the new mandatory breach notification requirement, a data breach must be notified to the PDPC and affected individuals if it is likely to result in significant harm to an affected individual or is likely to be of a significant scale (i.e. 500 or more individuals). Data breaches which are likely to cause significant harm or be of significant scale are referred to as notifiable data breaches.
Upon the occurrence of a data breach, an organisation must conduct an assessment of the data breach to determine if it is a notifiable data breach. There is no specific timeframe for conducting this assessment; the requirement is that it be done in a reasonable and expeditious manner (i.e. as promptly as possible given the circumstances of the breach). Any unreasonable delay in making this assessment will be a breach of the notification requirement and will result in enforcement action being taken against the organisation.
The PDPC will require organisations to document this assessment process and organisations will likely be required to explain any delay in the assessment process. Given this requirement, organisations should ensure that they have appropriate procedures and plans in place to deal with a data breach. The lack of such procedures and plans would likely cause delays which would be apparent when the assessment process is documented.
Notifications to the PDPC
Where an organisation determines that the data breach which it has suffered is a notifiable data breach, the organisation must notify the PDPC as soon as practicable, and in any case no later than 3 calendar days from the day it determines a notifiable data breach has occurred. The notification should be based on the most accurate information available to the organisation at the point in time that the notification is made.
Further details on the content of the notification to the PDPC will be prescribed in new regulations and published in guidelines to be issued by the PDPC when the breach notification requirement is brought into force. Based on the draft guidelines published by the PDPC, these will include items pertaining to the facts of the breach such as the number of individuals affected. The organisation will also be required to provide a chronology of how it first became aware of the data breach and its plans for managing the breach (e.g. data breach management plan, remediation plan and communications plan).
Where organisations are governed by a sectoral regulator, they may also need to concurrently notify the appropriate regulatory body.
Notifications to Affected Individuals
Organisations will also generally be required to notify affected individuals in the form and manner as required by the PDPC. Such notifications will need to include certain mandatory information. The information to be provided in the notification will be prescribed in new regulations and will also be published in the PDPC’s guidelines when the breach notification requirement is brought into force. Details required are expected to include background information on how and when the data breach occurred, the types of personal data involved, the potential harm that the individual might suffer from the breach and the steps that the individual might take to prevent any potential misuse of his/her personal data.
Exceptions to Obligation to Notify Affected Individuals
Exceptions may apply to the requirement to notify affected individuals.
An organisation may decide against notifying affected individuals if it is able to take action which renders it unlikely that any significant harm will result to an affected individual. For example, where an employee erroneously sends an attachment containing personal data to an unintended recipient but is able to promptly contact the recipient, confirm that the attachment has not been accessed and have the attachment permanently deleted.
An organisation may also avoid making notifications to affected individuals where appropriate technological measures were applied to the personal data before the data breach which render the personal data inaccessible or unintelligible to an unauthorised party, for example where the data is encrypted to a reasonable standard such that unauthorised access is unlikely to occur.
The PDPC or law enforcement agencies may also direct an organisation not to make notifications. Such directions would occur where notification may compromise ongoing investigations.
We will publish further updates on new requirements under the amended PDPA. It is recommended that organisations with operations in Singapore take action to prepare procedures and plans which take into account the new mandatory breach notification requirement. Such preparations should take place as soon as possible as no grace period for compliance will be provided.