A data breach is a security incident in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by an individual unauthorized to do so. Local data protection regulations have required data controllers to report such breaches in certain circumstances.
The Personal Data Protection Act (PDPA) includes a mandatory breach notification to the Personal Data Protection Commission (PDPC) in the event of a data breach that is likely to result in significant harm or impact to individuals, or if the breach is of a significant scale (i.e. there are 500 or more impacted individuals).
The PDPC should be notified as soon as practicable and no later than three days after determining that the breach meets the notification threshold. Employers and other organizations are also, with few exceptions, required to notify affected individuals if a breach is likely to result in significant harm or impact to them.
When notifying the PDPC, include the following information (Personal Data Protection (Notification of Data Breaches) Regulations 2021, Art. 5):
Employers should consider alerting the police in the event criminal activity is suspected. In the event of a suspected cyberattack, employers may also alert the Cyber Security Agency of Singapore through the Singapore Computer Emergency Response Team (SingCERT).
HR Best Practices: Having a data breach management program in place can help to ensure employers are prepared in the event that personal employee data is compromised. The PDPC’s Guide on Managing and Notifying Data Breaches under the PDPA (revised on 15 March 2021) recommends that programs include: