Are there any data breach notification requirements?
A data breach is a security incident in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by an individual who is not authorized to do so. Many local data protection regulations require data controllers to report such breaches in certain circumstances.
Singapore does not currently have a mandatory data breach notification requirement, so employers are not yet required to inform affected individuals or Singapore’s Personal Data Protection Commission (PDPC). That said, the PDPC has announced that it plans to introduce a mandatory breach notification requirement as part of proposed amendments to the PDPA. The PDPC has also published a Guide to Managing Data Breaches 2.0 (22 May 2019), which sets out a number of recommendations and best practices.
In the event of a personal data breach, notification to the PDPC is recommended as soon as practicable, and within 72 hours of establishing that a breach is: (a) of significant scale (involving personal data of 500+ individuals); or, (b) likely to result in significant harm or impact to individuals whose personal data was compromised. In cases where a data breach is likely to result in significant harm or impact to individuals, the PDPC recommends that those individuals are notified as soon as practicable. When notifying the PDPC, include the following information, if available:
- the extent of the breach;
- type(s)/volume of personal data involved;
- cause or suspected cause of breach;
- whether the breach has been rectified;
- measures and processes that had been put in place at the time of the breach;
- whether impacted individuals have been notified or, if not, when the employer will notify them;
- the best individuals at the company to contact if the PDPC has questions or needs clarification.
Employers should consider alerting the police in the event criminal activity is suspected. In the event of a suspected cyberattack, employers may also alert the Cyber Security Agency of Singapore through the Singapore Computer Emergency Response Team (SingCERT).
HR Best Practices: Having a data breach management program in place can help to ensure employers are prepared in the event that personal employee data is compromised. In preparation for the PDPC’s plan to add a personal data breach notification requirement, employers may wish to create data breach management programs, tailored to HR business needs.
The PDPC’s Guide to Managing Data Breaches 2.0 (22 May 2019) recommends that programs include:
- a clear explanation of what constitutes a personal data breach;
- how a personal data breach should be reported internally (for example, identifying the individual or team who should be informed of a potential breach);
- how to respond to a breach; and
- the responsibilities of the data breach management team (creating a clear chain of command and determining who is responsible for assessing risks and making critical decisions).