Are there any data breach notification requirements?
A data breach is a security incident in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by an individual who is not authorized to do so. Many data protection regimes require data controllers to report such breaches in certain circumstances.
Singapore does not currently have a mandatory data breach notification requirement, and employers are not, at this time, required to inform affected individuals or Singapore’s Personal Data Protection Commission (PDPC). The PDPC has, however, published a Guide to Managing Data Breaches 2.0 (22 May 2019), which sets out a number of recommendations and best practices.
In the event of a personal data breach, the Guide recommends notifying the PDPC as soon as practicable, and within 72 hours of establishing that a breach is: (a) of significant scale (involving the personal data of 500 or more individuals); or (b) likely to result in significant harm or impact to the individuals whose personal data was compromised. Where a breach is likely to result in significant harm or impact to individuals, the PDPC recommends that those individuals also be notified as soon as practicable. When notifying the PDPC, include the following information, where available:
- the extent of the breach;
- type(s)/volume of personal data involved;
- cause or suspected cause of breach;
- whether the breach has been rectified;
- measures and processes that had been put in place at the time of the breach;
- whether impacted individuals have been notified or, if not, when the employer will notify them;
- the contact person(s) at the company for the PDPC to reach if it has questions or needs clarification.
Employers should consider alerting the police in the event criminal activity is suspected. In the event of a suspected cyberattack, employers may also alert the Cyber Security Agency of Singapore through the Singapore Computer Emergency Response Team (SingCERT).
Personal Data Protection (Amendment) Bill 2020
The Ministry of Communications and Information (MCI) and the Personal Data Protection Commission (PDPC) have drafted amendments to the existing Personal Data Protection Act 2012. While there is no effective date yet, the Bill introduces mandatory breach notification where a data breach is likely to result in significant harm or impact to individuals, or where the breach is of a significant scale (i.e. 500 or more individuals are affected).
In addition, employers and other organizations would be required to notify the PDPC as soon as practicable, and no later than three days after assessing that the breach meets the notification threshold. Employers and other organizations would, with few exceptions, also be required to notify affected individuals where a breach is likely to result in significant harm or impact to them.
HR Best Practices: Having a data breach management program in place helps ensure employers are prepared if personal data about employees is compromised. In anticipation of the PDPC’s planned mandatory breach notification requirement, employers may wish to create data breach management programs tailored to HR business needs.
The PDPC’s Guide to Managing Data Breaches 2.0 (22 May 2019) recommends that programs include:
- a clear explanation of what constitutes a personal data breach;
- how a personal data breach should be reported internally (for example, which individual or team should be informed of a potential breach);
- how to respond to a breach; and,
- the responsibilities of the data breach management team (establishing a clear chain of command and determining who is responsible for assessing risks and making critical decisions).