27 June 2019

On 22 May 2019, the Personal Data Protection Commission (“PDPC”) issued a revised Guide to Managing Data Breaches 2.0 which fleshes out the existing voluntary breach notification system by providing detailed guidance on the contents of a data breach management plan and the steps for responding to data breaches. PDPC also released a new Guide on Active Enforcement which provides insights into PDPC’s enforcement policy. PDPC also updated the Guide to Developing a Data Protection Management Programme to highlight the role of senior management in managing data protection risks.

Managing data breaches under updated Guide to Managing Data Breaches 2.0

Organisations are encouraged to adopt the recommendations in the revised Guide to Managing Data Breaches 2.0 as this will allow them to respond to data breaches confidently and prepare for PDPC’s planned introduction of mandatory breach notification. PDPC welcomes feedback from organisations that have implemented these changes in order to make further improvements before breach notification becomes mandatory.

The revised guide fleshes out the voluntary breach notification system by providing detailed guidance on the contents of a data breach management plan and the steps for responding to data breaches. This is encapsulated in a four-step CARE framework as set out briefly below:

  • Contain the breach to prevent further compromise of personal data: An assigned individual or individuals should be notified of all suspected or confirmed data breaches immediately upon detection. He/she should then activate the data breach management team. An initial assessment of the data breach should be conducted to ascertain its severity. The details of the data breach and the post-breach response(s) should be recorded in an Incident Record Log to allow follow-up investigations or reviews.
  • Assess the risks and impact of the breach: Upon containment of the data breach, organisations should conduct an in-depth assessment of it. In assessing the likely impact of the data breach, organisations should consider the context of the data breach, the ease of identifying individuals from the compromised data and the circumstances of the data breach.
  • Report the breach to PDPC and inform affected individuals if necessary: Organisations are to carry out their assessment of the data breach expeditiously, within 30 days from when they first become aware of a potential data breach. Organisations should notify PDPC and/or affected individuals of a data breach that is (i) likely to result in significant harm or impact to the individuals to whom the information relates, or (ii) of a significant scale (i.e. the data breach involves the personal data of 500 or more individuals). PDPC should be notified as soon as practicable, and no later than 72 hours from the time the organisation has completed its assessment. Affected individuals are to be notified as soon as practicable. Where organisations are uncertain whether they should notify affected individuals, they should report to PDPC and seek clarification.
  • Evaluate the response to the breach and review the actions taken to prevent further data breaches: Where the containment efforts or initial remedial actions are ineffective and more lapses are found, the organisation may also implement other remedial actions to further reduce the harm to the affected individuals. The organisation should also review and learn from the data breach incident to improve its personal data handling practices and prevent the recurrence of similar data breaches.

Option to submit undertaking and expedited breach decision under Guide on Active Enforcement

The Guide on Active Enforcement articulates PDPC’s new approach to deploying its enforcement powers so as to act effectively and efficiently on the increasing number of incidents. Aimed at consumers and organisations that handle personal data, the guide outlines how PDPC handles data protection complaints and investigates incidents, and the types of enforcement actions that PDPC may undertake in various circumstances. PDPC introduced the following two enforcement actions in the guide to motivate organisations to develop and implement accountable practices:

  • Option to submit an undertaking: PDPC and/or the organisation may initiate an undertaking process when (i) the organisation is able to demonstrate that it has accountable practices in place (for example, a Data Protection Trustmark certified organisation) and is ready to implement its remediation plan, or (ii) PDPC is of the view that an undertaking achieves a similar or better enforcement outcome more effectively and efficiently than a full investigation. The organisation must request to invoke the undertaking process very soon after the incident becomes known, i.e. upon commencement of investigations or in the early stages of investigations, and the organisation will not be given additional time to produce the remediation plan. The acceptance of an undertaking is solely within PDPC’s discretion. The undertaking process includes a written agreement between the organisation(s) involved and PDPC in which the organisation(s) voluntarily commit to remedy the breaches and take steps to prevent recurrence.
  • Expedited breach decision: A new expedited decision process brings investigations into clear-cut data breaches to a conclusion quickly. An expedited decision may be considered by PDPC at its discretion in certain circumstances, and it requires an upfront admission of liability by the organisation(s) involved for breaching the relevant obligation(s) under the Personal Data Protection Act 2012 (“PDPA”) in respect of its/their role in causing the breach. The process draws on data breach cases from the last four years and feedback from stakeholders. Where financial penalties are involved, the organisation’s admission of its role in the incident will be taken into consideration as a strong mitigating factor. However, admissions might not be considered a mitigating factor for repeated data breaches. In general, PDPC will consider an expedited decision when the only breach of the PDPA by the organisation(s) involved is the absence of a Data Protection Officer or equivalent and/or the absence of a privacy policy, or when the nature of the data breach is similar to precedent cases with similar categories of facts.

Reference materials

The following materials are available on the PDPC website www.pdpc.gov.sg: