Data Breach Notification Obligation: What your organisation should know
When an organisation suffers a data breach involving personal data covered by the PDPA, it must notify both the Personal Data Protection Commission (PDPC) and the individuals affected by the breach. Before it can do so, however, the organisation must first assess whether the data breach is notifiable; only then does it notify the PDPC and the affected individuals.
Data intermediaries are obliged too!
Under Part 6A of the PDPA, it is not only organisations that must determine whether a data breach is “notifiable” and, if it is, inform the affected individuals and/or the Commission. Data intermediaries that process personal data on behalf of, and for the purposes of, another organisation (including a public agency) are also required to inform that organisation or public agency of a data breach.
Once an organisation has reason to believe that a data breach has occurred (whether it discovered the breach itself, received a tip-off from the public, or was informed by its data intermediary), it must take reasonable and expeditious steps to assess, within 30 calendar days, whether the breach is notifiable under the PDPA.
An unreasonable delay in assessing a data breach is itself a violation of the DBN Obligation, and the Commission can take enforcement action. If an organisation cannot complete its assessment within 30 days, it should be prepared to explain to the Commission why the assessment took longer than expected.
To demonstrate that it has taken reasonable and expeditious steps to assess whether the data breach is notifiable, the organisation must document every step it has taken in evaluating the breach.
Criteria for data breach notification
Significant Harm to Affected Singaporeans
Organisations are required to determine whether a data breach is notifiable because it is likely to result in significant harm to the affected individuals. Where a data breach is likely to cause harm, notifying the affected individuals ensures that they are aware of it and can take steps to protect themselves (e.g., change their password, cancel their credit card, or monitor their accounts for unusual activity).
The PDP (DBN) Regulations 2021 list the personal data (or classes of personal data) that, if compromised in a data breach, is deemed to result in significant harm to affected individuals. This gives organisations a clear indication of which data breaches must be reported. If any of the prescribed personal data is compromised in a data breach, the organisation must notify both the affected individuals and the Commission.
Significant Scale
Data breaches that affect a large number of people may indicate a systemic problem within the organisation. When such data breaches are reported to the Commission, it is able to advise organisations on remediation and on any systemic changes needed to prevent a recurrence.
For data breaches, “significant scale” means that the personal data of at least 500 individuals has been compromised. When 500 or more individuals are affected by a data breach, the organisation must notify the Commission. This applies even if the breach does not involve any of the personal data listed in the PDP (DBN) Regulations 2021.
If an organisation cannot determine the exact number of individuals affected by a data breach, it should notify the Commission when it has reason to believe that at least 500 individuals are affected. This may be based on a preliminary estimate of the number of affected individuals from the initial assessment of the breach. Once the actual number of affected individuals is known, the organisation may update the Commission.
Timeframes for notification
If a data breach is found to be notifiable, Singaporean organisations must inform:
- the Commission as soon as possible, but no later than three (3) calendar days; and
- affected individuals as soon as possible, either at the same time as they tell the Commission or after they tell the Commission.
These deadlines for notifying the Commission and/or the affected individuals start from the point at which the organisation determines that the data breach is notifiable. Undue delay in notifying the affected individuals is a breach of the DBN Obligation.
Where an organisation is required to notify affected individuals in Singapore of a data breach, it should do so at the same time as, or after, it notifies the Commission.
Notification of a data breach: Information to be provided
An organisation that notifies affected individuals and/or the Commission of a “notifiable data breach” must, to the best of its knowledge and belief, provide the relevant details of the breach. The notification should also describe how the organisation is handling the data breach and how it will remediate the problem.
Notification to the Commission
To ensure that the organisation takes proactive steps to manage and remediate the data breach, the organisation must include the following information in its notification to the Commission:
a. Facts of the data breach
i. The date on which, and the circumstances under which, the organisation first became aware that a data breach had occurred;
ii. Information on how the notifiable data breach occurred;
iii. The number of individuals whose personal data was affected by the notifiable data breach;
iv. The personal data or classes of personal data affected by the notifiable data breach; and
v. How the notifiable data breach could harm the affected individuals.
b. Data breach handling
i. A chronology of the steps taken by the organisation after it became aware of the data breach, including the organisation’s assessment under section 26C(2) or (3)(b) of the PDPA that the data breach is a “notifiable data breach”;
ii. Information on any actions taken or to be taken by the organisation, whether before or after it notifies the Commission of the “notifiable data breach”:
- To eliminate or prevent a recurrence of the data breach;
- To address or remedy any failure or shortcoming that the organisation believes caused or contributed to the notifiable data breach; and
iii. Information on the organisation’s plan, if any, to inform all or any affected individuals or the public that a notifiable data breach has occurred, and on how an individual affected by the notifiable data breach can eliminate or mitigate any potential harm arising from it. The organisation may give a general description of the steps taken or planned.
c. Contact details
The contact details of at least one person authorised to speak for the organisation. The representative(s) need not be the organisation’s DPO or a person who performs the DPO’s duties within the organisation.
If the organisation does not notify the Commission within three (3) calendar days of determining that a data breach is notifiable, its notification must also explain the reasons for the delay, together with any supporting evidence. The reasons for the late notification will be taken into account in deciding how serious the organisation’s violation of the DBN Obligation is and, if a penalty is imposed, what that penalty is and how severe it should be.
If the organisation does not intend to notify any affected individual, its notification to the Commission must also state the grounds for this (under the PDPA or another written law).
Notification to affected individual
Notifications to affected individuals in Singapore should be clear and easy to understand. They should tell individuals what steps they can take to protect themselves from the potential harm arising from the data breach. Where applicable, organisations should inform the parents or guardians of young children whose personal data has been compromised.
If the data breach involves information about adoption or the identification of vulnerable individuals, organisations should first notify the Commission to seek guidance on how to inform the affected individuals.
Organisations are not required to provide the Commission with the notice that will be sent to affected individuals. When notifying affected individuals, organisations should include the following information:
a. Facts of the data breach
i. How the organisation first became aware that a notifiable data breach had occurred; and
ii. The personal data or classes of personal data relating to the affected individual that were affected by the notifiable data breach.
b. Data breach management and remediation plan
i. How the affected individual might be harmed by the notifiable data breach;
ii. Information on any steps the organisation has taken or intends to take, whether before or after notifying the affected individual:
- To eliminate or mitigate any potential harm to the affected individual arising from the notifiable data breach;
- To address or remedy any failure or shortcoming that the organisation believes caused or contributed to the notifiable data breach; and
iii. Steps that the affected individual can take to eliminate or mitigate any potential harm arising from the notifiable data breach, such as preventing misuse of the personal data affected by the breach.
c. Contact details
The contact details of at least one authorised representative whom the affected individual can contact for further information or assistance. The representative(s) need not be the organisation’s Data Protection Officer (DPO) or a person who performs the DPO’s duties within the organisation, nor the same person named in the organisation’s notification to the Commission.
Organisations may adapt the form of their notification to affected individuals, provided it contains the required information. The circumstances of the data breach also determine what the affected individual should do next: an organisation may tailor the recommended protective actions to each individual’s situation, or give general recommendations that apply to everyone affected.
Organisations are required to notify the PDPC and the affected individuals in Singapore when a notifiable data breach occurs. Failing to do so risks breaching the PDPA, which, once discovered, could damage the organisation’s credibility and attract a financial penalty of up to S$1,000,000.