No surprises - data breach reporting becomes mandatory

On Thursday 14 May 2020, the Ministry of Communications and Information and the Personal Data Protection Commission of Singapore launched an online public consultation of the Personal Data Protection (Amendment) Bill 2020.

It is no surprise that the amendment bill includes mandatory data breach reporting. The Commission conducted consultations on data breach notification two or three years ago. In the interim it has published guides about managing data breaches and has encouraged organisations to notify it about data breaches that may indicate that a systemic issue is the cause of the breach.

The Commission notes in the Public Consultation Paper that data breach notifications are central to organisations' accountability because they encourage organisations to establish risk-based internal monitoring and reporting systems to detect data incidents. The Commission also expressed the view that, when coupled with breach management plans, data breach notifications are integral to organisations' incident response and remediation.

The Commission said that accountable organisations may also couple breach notification and breach mitigation plans in order to apply for a statutory undertaking. Please see the separate paper about voluntary undertakings for more information on them (also referred to as statutory undertakings).

What is a data breach?

A data breach means, in relation to personal data:

1. the unauthorised access, collection, use, disclosure, copying, modification or disposal of personal data or
2. the loss of any storage medium or device on which personal data is stored in circumstances where the unauthoriszed access, collection, use, disclosure, copying, modification or disposal of the personal data is likely to occur

By the way, please note that the draft amendment bill changes the Protection Obligation. Presently, it provides that an organisation shall protect personal data in its possession or under its control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks.

'The loss of any storage medium or device on which personal data is stored' will be added to the Protection Obligation.

When a data breach is notifiable

A data breach is a notifiable data breach if it:

1. results in, or is likely to result in, significant harm to the affected individual - without limiting this general statement, a data breach is deemed to be likely to result in significant harm to an individual if the data breach affects any prescribed class of personal data relating to the individual - or
2. affects not fewer than the minimum number of affected individuals prescribed - the number has not yet been prescribed, though it is noted that the Commission has previously used 500 as a rule of thumb to indicate that there may be a systemic issue within an organisation

Not surprisingly, the 'affected individual' in relation to a data breach is defined to mean any individual to whom any personal data affected by a data breach relates.

Classes of personal data have yet to be prescribed. However, in the Public Consultation Paper the Commission said that the intention is to prescribe categories of personal data which, if compromised in a data breach, will be considered likely to result in significant harm to the individuals. This makes clear, it says, the types of data breaches about which organisations will be required to notify affected individuals.

The Commission notes that several jurisdictions have adopted a similar 'whitelist' approach for data breach notification to affected individuals and/or the authorities. For instance, various States in the US (such as California and Washington) have prescribed categories of personal data for notification to affected individuals and relevant authorities where a data breach meets the requirements for notification.

The Commission goes on to say that examples of data categories prescribed by other jurisdictions include social security numbers, drivers' licence numbers, state identification numbers, credit / debit card numbers, health insurance information and medical history information.

Duty to conduct an assessment of a data breach

Obligations of an organisation

Where an organisation has reason to believe that a data breach has occurred affecting personal data in its possession or under its control, the organisation must conduct an assessment of whether the data breach is a notifiable data breach. This must be done in a reasonable and expeditious manner.

An assessment must be done:

1. where the personal data is in the possession of the organisation and the organisation itself is, collecting, using or disclosing the relevant personal data and
2. where the personal data is in the possession of a data intermediary of the organisation (and it follows that the personal data is under the control of the organisation) and the data intermediary notifies it of the occurrence of a data breach in the collection, use or disclosure being done by the data intermediary on behalf of and for the purposes of the organisation

The assessment must be carried out in accordance with any prescribed requirements.

Obligations of a data intermediary

Where a data intermediary has reason to believe that a data breach has occurred in relation to personal data that the data intermediary is processing on behalf of and for the purposes of another organisation, the data intermediary must notify the organisation, its customer, of the occurrence of the data breach. It must do so 'without undue delay'.

Duty to notify the Commission of the occurrence of a notifiable data breach

Where an organisation assesses that a data breach is a notifiable data breach it must notify the Commission as soon as is practicable, but in any case, no later than three days after the day the organisation makes the assessment. In other words, an organisation has a maximum of three days in which to notify the Commission but should notify it more quickly if doing so is practicable.

The Commission includes an example in the Public Consultation Paper of how the three days is calculated: if the organisation makes the determination on 9 March, it must notify PDPC by 12 March. (The Commission's 'Diagram 1: Timeline for data breach notification' published in the Public Consultation Paper is included below.) 

The Commission notes that prescribing a cap of three calendar days provides clarity for organisations on when they must notify the Commission.

The Commission also says that as the considerations in determining how expeditiously the Commission can be notified are different from those in determining how expeditiously the affected individuals should be notified, the expectation is not for notification to the Commission and to affected individuals to be made simultaneously. However, the Commission must be notified before or at the same time as affected individuals are notified, to allow the Commission to assist affected individuals who contact the Commission once they are notified.

The notification must contain all the information that is prescribed for this purpose and be made in the form and submitted in the manner required by the Commission. Hence, the information that is required and how the breach is to be notified to the Commission is not known currently.

Duty to notify affected individuals of the occurrence of a notifiable data breach

Obligation to notify

The following obligation must be satisfied on or after notifying the Commission of a notifiable data breach.

The obligation is for the organisation to notify each affected individual to whom significant harm results or is likely to result from a notifiable data breach.

The notification must be made in any manner that is reasonable in the circumstances. It must contain all the information that is prescribed for this purpose and be made in the form and submitted in the manner required by the Commission. Hence, the information that is required and how the breach is to be notified to affected individuals is not known currently.

When notification is not required

The notification to affected individuals is not required in the following circumstances:

1. If the organisation takes any action, in accordance with any prescribed requirements, that renders it unlikely that the notifiable data breach will result in significant harm to the affected individuals the notification requirement will not apply. The requirements that may be prescribed are not yet known.
2. If the organisation had implemented, prior to the occurrence of the notifiable data breach, any technological measure that renders it unlikely that the notifiable data breach will result in significant harm to the affected individual the notification requirement will not apply.

When notification is not permitted

An organisation must not notify any affected individual of a notifiable data breach if a prescribed law enforcement agency instructs it not to do so. In the Public Consultation Paper, the Commission says that this prohibition is intended to cater to circumstances where notification to affected individuals may compromise any investigations or prejudice any enforcement efforts under the law. (This includes investigations by public agencies authorised by the law.) 

In addition, an organisation must not notify an individual of a notifiable data breach if the Commission directs it not to do so. In the Public Consultation Paper, the Commission says that this is to cater to exceptional circumstances where notification to affected individuals may not be desirable. This includes circumstances where there are over-riding national security or national interests.

Application for waiver of notification obligation

An organisation may make a written application to the Commission to waive the requirement to notify an affected individual about a notifiable data breach. The Commission may issue such a waiver subject to any conditions that the Commission considers fit.

No breach of secrecy or of professional obligations

An organisation that notifies the Commission and/or that notifies affected individuals about a notifiable data breach is not to be regarded as being in breach of any duty or obligation under any written law or rule of law or any contract as to secrecy or other restriction on the disclosure of information. In addition, it is not to be regarded as being in breach of any rule of professional conduct applicable to the organisation.

Other notification obligations

The obligation to notify the Commission of a notifiable data breach and the obligation to notify individuals of a notifiable data breach does not affect any obligation of the organisation under other written law to notify any other person (including any public agency) of the occurrence of a data breach, or to provide any information relating to a data breach. This is the case even if the Commission directs an organisation not to notify any affected individuals (as mentioned above).

Timeline for data breach notification

Written by Lyn Boxall, Director, Lyn Boxall LLC

The views and opinions expressed in this article are those of the author and do not necessarily reflect the official view or position of DPEXNetwork.