The overarching framework
The PDPA imposes obligations on all businesses that collect, use or disclose personal data in Singapore. This includes foreign-owned and foreign-controlled businesses, even if they have no physical office in Singapore.
These obligations include having to obtain consent from individuals before using their personal data, and securing the data to prevent unauthorized access.
As of 2019, it was not compulsory for businesses to report a data breach. However, that will soon change.
When the new law is passed (as early as this year), breach reporting will be mandatory for most, but not all data breaches.
This Client Alert is intended to summarise a number of frequently asked questions on Singapore’s new data breach notification law.
What is a data breach?
A data breach refers to any unauthorized access, collection, use, disclosure, copying, modification or disposal of personal data in an organization’s possession or under its control.
Is a data breach the same thing as a breach of the PDPA?
Not necessarily. A data breach refers to any unauthorized access, use, disclosure, copying, modification or disposal of (or other similar risk to) personal data (i.e., data that identifies individuals) that is held by an organization. A data breach may or may not be a breach of the PDPA, depending on the exact circumstances. Conversely, a breach of the PDPA could arise regardless of whether or not there is a data breach; for instance, an organization may have failed to comply with its access obligation under the PDPA despite receiving a legitimate request from an individual.
When and to whom does an organization need to report a data breach?
1. An organization needs to notify the Personal Data Protection Commission (PDPC) when the data breach is:
- likely to result in significant harm or impact to the individuals to whom the information relates; or
- of a significant scale (meaning, as a rule of thumb, that 500 or more individuals’ data is affected).
2. An organization needs to notify affected individuals (including parents and the legal guardians of minors whose personal data is compromised) when the data breach is likely to result in significant harm or impact to the individuals to whom the information relates.
Potential exceptions exist where:
- the personal data is encrypted and cannot be decrypted; or
- remedial actions were taken such that the breach is not likely to result in significant harm or impact to the individuals.
3. A data intermediary (i.e., an organization that processes personal data on behalf of another) need only notify that organization without undue delay (i.e., within 24 hours) upon its becoming aware of a data breach.
What is the timeline for reporting?
To PDPC:
- As soon as practicable, but no later than 72 hours after determining that a breach is notifiable.
- Organizations must:
- assess, within 30 days of becoming aware of a suspected breach, whether the breach is notifiable;
- document the steps taken in assessing the breach; and
- document the reasons for any delay.
- Notifications made after 72 hours are a contravention of the PDPA.
To affected individuals:
What information should the notification(s) contain?
To PDPC:
- extent of the data breach;
- type(s) and volume of personal data involved;
- cause or suspected cause of the data breach;
- whether the data breach has been rectified;
- measures and processes that the organization had in place at the time of the data breach;
- whether the organization notified or will notify affected individuals; and
- contact details of the organization’s representative(s) with whom PDPC can liaise for further information.
To affected individuals:
- how and when the data breach occurred;
- the type(s) of personal data involved;
- the type(s) of harm or impact to affected individuals, where applicable;
- steps the organization has taken or will take in response to the risks arising from the data breach;
- specific details on the data breach and relevant actions that affected individuals can take to prevent misuse of the data; and
- contact details on how affected individuals can reach the organization to obtain further information and assistance.
Are there any other reporting requirements in Singapore to take note of?
Yes. Significant ones include:
- If the organization is a regulated entity, it may be required to notify the regulator for the relevant sector. For instance, financial institutions in Singapore must notify the Monetary Authority of Singapore (MAS) within one hour of discovering a relevant incident (i.e., a system malfunction or IT security incident which has a severe and widespread impact on their operations or materially impacts their service to customers). They must also submit to MAS a root-cause and impact analysis report within 14 days from discovery of the incident.
- If the organization has been designated an owner of critical information infrastructure (CII) under the Cybersecurity Act, it must, within two hours of becoming aware of the occurrence of a prescribed cybersecurity incident, notify the Commissioner of Cybersecurity of the same. Such incidents include: (a) the unauthorized hacking of a CII; (b) the installation or execution of unauthorized software or code on a CII; (c) man-in-the-middle attacks, session hijacks or any other unauthorized interception of communications between a CII and an authorized user; and (d) denial-of-service attacks. It must submit the following details within 14 days of the initial notification: (i) the cause(s) of the cybersecurity incident; (b) any impact on the CII, interconnected computers or systems; and (c) any remedial measures that the organization took.
- While not mandatory, if an organization suspects any criminal activity (e.g., hacking, theft or unauthorized system access), it should notify the police. It can also contact the Singapore Computer Emergency Response Team (SingCERT) (an initiative of the Cyber Security Agency of Singapore) for technical assistance in response to computer security incidents.
- If the data breach involves personal data outside of Singapore, mandatory notification laws may apply depending on the jurisdiction(s). Jurisdictions that already have mandatory breach notification laws include the EU, California, the Philippines, China, Australia and South Korea.
What do I do now before the updated law kicks in?
Businesses will be given some time to prepare and put in place the necessary policies and practices to comply with the new notification requirements.
However, businesses should start implemeting the following, ahead of the enforcement deadline for the new law:
- Ensuring that agreements are reviewed to provide adequate protection against data breaches. This may include the provision of undertakings from counterparties on data privacy and security, incident reporting, subcontracting restrictions, rights to audit and insurance requirements. It is helpful to engage external counsel to make sure contracts are robust and where arrangements or negotiations are more complex.
- Updating internal policies and procedures to cater for a data breach response plan. Such plan should guide stakeholders on how to identify a breach when it occurs, whom to inform, how to record/document relevant matters, and other specific actions to take in response to an incident.
- Conducting training to familiarize employees with relevant policies, procedures and plans and setting mock data breach exercises to test employees on the same.
Reed Smith can help you navigate what needs to be done to comply with the new law, and to address risks of incurring a hefty fine.
Reed Smith LLP is licensed to operate as a foreign law practice in Singapore under the name and style, Reed Smith Pte Ltd (hereafter collectively, "Reed Smith"). Where advice on Singapore law is required, we will refer the matter to and work with Reed Smith's Formal Law Alliance partner in Singapore, Resource Law LLC, where necessary.
Client Alert 2020-012