
Data security and breach notification

Security obligations

Are there specific security obligations that must be complied with?

Yes, Section 24 of the Personal Data Protection Act obliges an organisation to protect personal data in its possession or under its control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks.

Breach notification

Are data owners/processors required to notify individuals in the event of a breach?

Under the Personal Data Protection Act, no explicit requirement exists for organisations to notify individuals in the event of a breach. However, the Personal Data Protection Commission (PDPC) Guide to Managing Data Breaches provides that it is good practice to notify individuals affected by a data breach.

The PDPC also considers the following as mitigating factors in the event of a breach:

  • whether the organisation informed individuals of the steps they could take to mitigate risk caused by a data breach; and
  • whether the organisation voluntarily disclosed the personal data breach to the PDPC as soon as it learned of the breach and cooperated with the PDPC’s investigation.

Organisations may also be bound by contractual obligations to notify affected individuals.

However, Singapore is planning on introducing a mandatory data breach notification regime in a couple of years. Under the proposed regime, data owners will be required to notify individuals where there is a risk of impact or harm to affected individuals. Data processors will not be required to notify individuals, but will be required to notify the data owners of all data breaches.

Are data owners/processors required to notify the regulator in the event of a breach?

Currently, no general requirement exists for organisations to notify the regulator in the event of a breach. Organisations are encouraged to voluntarily notify the Personal Data Protection Commission (PDPC), especially if a data breach involves sensitive personal data.

However, there are industry-specific requirements. On July 1, 2014 the Monetary Authority of Singapore instructed financial institutions to report all security breaches within one hour of their discovery. For further information, see the Technology Risk Management Notice and Guidelines.

Nonetheless, Singapore is planning on introducing a mandatory data breach notification regime in a couple of years. Under the proposed regime, data owners will be required to notify the PDPC where there is a risk of impact or harm to affected individuals and/or where the breach is of a significant scale. Data processors will not be required to notify the PDPC, but will be required to notify the data owners of all data breaches.
