Use the Lexology Navigator tool to compare the answers in this article with those from 20+ other jurisdictions.

Data security and breach notification

Security obligations Are there specific security obligations that must be complied with? Yes, Section 24 of the Personal Data Protection Act obliges an organisation to protect personal data in its possession or under its control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks.

Breach notification Are data owners/processors required to notify individuals in the event of a breach? Under the Personal Data Protection Act, no explicit requirement exists for organisations to notify individuals in the event of a breach. However, the Personal Data Protection Commission (PDPC) Guide to Managing Data Breaches provides that it is good practice to notify individuals affected by a data breach.

The PDPC also considers the following as mitigating factors in the event of a breach:

  • whether the organisation informed individuals of the steps they could take to mitigate risk caused by a data breach; and
  • whether the organisation voluntarily disclosed the personal data breach to the PDPC as soon as it learned of the breach and cooperated with the PDPC’s investigation.

Organisations may also be bound by contractual obligations to notify affected individuals.

Are data owners/processors required to notify the regulator in the event of a breach? No general requirements for organisations to notify the regulator in the event of a breach exist. However, there are industry specific requirements. On July 1 2014 the Monetary Authority of Singapore instructed financial institutions to report all security breaches within one hours of their discovery. For further information see the Technology Risk Management Notice and Guidelines.

Click here to view the full article.