On Thursday 14 May 2020, the Ministry of Communications and Information and the Personal Data Protection Commission of Singapore launched an online public consultation on the Personal Data Protection (Amendment) Bill 2020.
It is no surprise that the amendment bill includes mandatory data breach reporting. The Commission conducted consultations on data breach notification two or three years ago. In the interim it has published guides about managing data breaches and has encouraged organisations to notify it about data breaches that may indicate that a systemic issue is the cause of the breach.
The Commission notes in the Public Consultation Paper that data breach notifications are central to organisations' accountability because they encourage organisations to establish risk-based internal monitoring and reporting systems to detect data incidents. The Commission also expressed the view that, when coupled with breach management plans, data breach notifications are integral to organisations' incident response and remediation.
The Commission said that accountable organisations may also couple breach notification and breach mitigation plans in order to apply for a voluntary undertaking (also referred to as a statutory undertaking). Please see the separate paper about voluntary undertakings for more information on them.
A data breach means, in relation to personal data:
By the way, please note that the draft amendment bill changes the Protection Obligation. Presently, it provides that an organisation shall protect personal data in its possession or under its control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks.
'The loss of any storage medium or device on which personal data is stored' will be added to the Protection Obligation.
A data breach is a notifiable data breach if it:
Not surprisingly, the 'affected individual' in relation to a data breach is defined to mean any individual to whom any personal data affected by a data breach relates.
Classes of personal data have yet to be prescribed. However, in the Public Consultation Paper the Commission said that the intention is to prescribe categories of personal data which, if compromised in a data breach, will be considered likely to result in significant harm to the individuals. This makes clear, it says, the types of data breaches about which organisations will be required to notify affected individuals.
The Commission notes that several jurisdictions have adopted a similar 'whitelist' approach for data breach notification to affected individuals and/or the authorities. For instance, various States in the US (such as California and Washington) have prescribed categories of personal data for notification to affected individuals and relevant authorities where a data breach meets the requirements for notification.
The Commission goes on to say that examples of data categories prescribed by other jurisdictions include social security numbers, drivers' licence numbers, state identification numbers, credit / debit card numbers, health insurance information and medical history information.
Obligations of an organisation
Where an organisation has reason to believe that a data breach has occurred affecting personal data in its possession or under its control, the organisation must conduct an assessment of whether the data breach is a notifiable data breach. This must be done in a reasonable and expeditious manner.
An assessment must be done:
The assessment must be carried out in accordance with any prescribed requirements.
Obligations of a data intermediary
Where a data intermediary has reason to believe that a data breach has occurred in relation to personal data that the data intermediary is processing on behalf of and for the purposes of another organisation, the data intermediary must notify the organisation, its customer, of the occurrence of the data breach. It must do so 'without undue delay'.
Where an organisation assesses that a data breach is a notifiable data breach it must notify the Commission as soon as is practicable, but in any case, no later than three days after the day the organisation makes the assessment. In other words, an organisation has a maximum of three days in which to notify the Commission but should notify it more quickly if doing so is practicable.
The Commission includes an example in the Public Consultation Paper of how the three days is calculated: if the organisation makes the determination on 9 March, it must notify PDPC by 12 March. (The Commission's 'Diagram 1: Timeline for data breach notification' published in the Public Consultation Paper is included below.)
The Commission notes that prescribing a cap of three calendar days provides clarity for organisations on when they must notify the Commission.
The Commission also says that, because the considerations in determining how expeditiously the Commission can be notified differ from those in determining how expeditiously affected individuals should be notified, it does not expect the two notifications to be made simultaneously. However, the Commission must be notified before or at the same time as affected individuals, so that it can assist affected individuals who contact the Commission once they are notified.
The notification must contain all the information that is prescribed for this purpose and be made in the form and submitted in the manner required by the Commission. Hence, what information is required and how a breach is to be notified to the Commission are not yet known.
Obligation to notify
The following obligation must be satisfied on or after notifying the Commission of a notifiable data breach.
The obligation is for the organisation to notify each affected individual to whom significant harm results or is likely to result from a notifiable data breach.
The notification must be made in any manner that is reasonable in the circumstances. It must contain all the information that is prescribed for this purpose and be made in the form and submitted in the manner required by the Commission. Hence, what information is required and how a breach is to be notified to affected individuals are not yet known.
When notification is not required
The notification to affected individuals is not required in the following circumstances:
When notification is not permitted
An organisation must not notify any affected individual of a notifiable data breach if a prescribed law enforcement agency instructs it not to do so. In the Public Consultation Paper, the Commission says that this prohibition is intended to cater to circumstances where notification to affected individuals may compromise any investigations or prejudice any enforcement efforts under the law. (This includes investigations by public agencies authorised by the law.)
In addition, an organisation must not notify an individual of a notifiable data breach if the Commission directs it not to do so. In the Public Consultation Paper, the Commission says that this is to cater to exceptional circumstances where notification to affected individuals may not be desirable. This includes circumstances where there are overriding national security or national interests.
Application for waiver of notification obligation
An organisation may make a written application to the Commission to waive the requirement to notify an affected individual about a notifiable data breach. The Commission may issue such a waiver subject to any conditions that the Commission considers fit.
An organisation that notifies the Commission and/or that notifies affected individuals about a notifiable data breach is not to be regarded as being in breach of any duty or obligation under any written law or rule of law or any contract as to secrecy or other restriction on the disclosure of information. In addition, it is not to be regarded as being in breach of any rule of professional conduct applicable to the organisation.
The obligation to notify the Commission of a notifiable data breach and the obligation to notify individuals of a notifiable data breach do not affect any obligation of the organisation under other written law to notify any other person (including any public agency) of the occurrence of a data breach, or to provide any information relating to a data breach. This is the case even if the Commission directs an organisation not to notify any affected individuals (as mentioned above).
Diagram 1: Timeline for data breach notification
Written by Lyn Boxall, Director, Lyn Boxall LLC
The views and opinions expressed in this article are those of the author and do not necessarily reflect the official view or position of DPEXNetwork.