Singapore PDPA Incident Response Guidelines
What you need to know to prepare your organization for Singapore’s privacy law
The Singapore Personal Data Protection Act (PDPA) first passed into law in 2012 and has been amended several times since. Most recently, Singapore amended the PDPA in November 2020 and February 2021, introducing:
- New categories for consent for businesses to collect consumer data
- Mandatory data breach notifications when a breach causes harm to consumers
- New criminal offenses and a private right to action for violations of the PDPA
- New authorities for the Personal Data Protection Commission (PDPC), which administers and enforces the law
These recent amendments significantly strengthen the law, making it essential for organizations worldwide to understand what’s required under the PDPA.
Automate PDPA obligations with the BreachRx platform
Tailor your incident response plan in minutes so you know exactly what to do by when and take the crisis out of your incident response
Who Must Comply with the PDPA?
Any organization that collects and maintains data on Singapore residents must comply with the PDPA, regardless of where the business is located. The law grants exceptions for:
- Individuals acting on a personal or domestic basis
- Individuals acting in their capacity as an employee (the organization takes on the liability)
- Any public agency (defined as a government body such as a ministry, department, agency, or organ of state, or a tribunal appointed under written law) in relation to the collection, use, or disclosure of personal data
What Data Does the PDPA Cover?
The PDPA covers personal data, defined as any data (regardless of accuracy) that can be used to identify an individual, stored in both electronic and non-electronic formats.
What Data is Exempt Under the PDPA?
The PDPA does not apply to personal data over 100 years old, personal data about an individual deceased for more than 10 years, or business contact information.
The PDPA also notes special classes of personal data that are likely to result in significant harm to individuals if they are involved in a breach:
- An individual’s full name, alias, or identification number in combination with:
  - Financial information that is not publicly disclosed
  - Personal data that would lead to the identification of vulnerable individuals
  - Life, accident, and health insurance information that is not publicly disclosed
  - Specified medical information, including the assessment and diagnosis of HIV infections
  - Information related to adoption matters
  - A private key used to authenticate any individual or to digitally sign an electronic record or transaction
- Information relating to an individual’s account with the organization, including:
  - An account identifier, such as account name or number
  - Any password, security code, access code, response to a security question, biometric data, or other data that allows access to or use of the account
How is the PDPA Enforced?
The PDPC is responsible for enforcing the PDPA and has new enforcement mechanisms under the most recent amendments to the law:
Fines
Violating organizations can be fined up to 10% of annual gross turnover or S$1 million, whichever is higher. This update will take effect no earlier than February 1, 2022.
Criminal Prosecution
Cases with egregious mishandling of personal data* allow for criminal prosecution, with a fine of up to S$5,000 or imprisonment of up to two years.
Civil Lawsuits
Individuals have a private right to action if they are harmed by a violation of the law. Courts can grant any form of relief, such as an injunction or damages.
*Egregious mishandling of personal data is defined as the knowing or reckless unauthorized disclosure of personal data, unauthorized use of personal data for gain or to cause harm or loss, or unauthorized re-identification of anonymized information.
What Incident Response Measures Does the PDPA Require?
The PDPA requires organizations to investigate any data breach to determine the scope of the incident and potential harm to consumers, and it urges organizations to do so “expeditiously, as the likelihood of significant harm to affected individuals may increase with time.” Depending on the outcome of the investigation, organizations may need to issue a data breach notification.
| Question | PDPA requirement |
| --- | --- |
| Types of incidents that require a data breach notification | Any data breach that is likely to result in harm to individuals based on the special classes of personal data, or that compromises the personal information of more than 500 Singapore residents. |
| Who should receive a data breach notification | A data breach involving the special classes of personal data requires a notification to both the PDPC and all affected Singapore residents. A data breach that affects more than 500 individuals but does not involve the special classes of personal data only requires a notification to the PDPC. |
| When organizations need to issue a data breach notification | Investigations into the data breach should be completed in no more than 30 calendar days. If a notification is required, organizations should notify the PDPC in no more than three calendar days and notify affected individuals at the same time as, or immediately after, notifying the commission. |
| Exceptions to issuing a data breach notification | If organizations take remedial action, the PDPC may determine that the risk of harm has been reduced and that organizations no longer need to notify affected individuals. |
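The notification rules above (special classes of personal data, the 500-resident threshold, the 30-day investigation window, the 3-day PDPC deadline, and the remediation exception) can be encoded as a triage check that an incident response team runs against each breach record. The following is an added example written for this page, not BreachRx code or PDPC guidance; the data-type labels, the `Incident` record, and the `pdpc_waived_individual_notice` flag are assumptions that an organization would map onto its own data inventory and case-management fields.

```python
"""Breach-notification triage for the PDPA rules summarised in the table above.
Added example; data-type labels and the Incident record are assumptions."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed labels for the special classes of personal data listed on the page.
IDENTIFIERS = {"full_name", "alias", "id_number"}
SENSITIVE = {"financial_info", "vulnerable_person_data", "insurance_info",
             "medical_info", "adoption_info", "private_key"}
CREDENTIALS = {"password", "security_code", "access_code",
               "security_answer", "biometric_data"}

INVESTIGATION_DAYS = 30   # complete the investigation within 30 calendar days
PDPC_NOTICE_DAYS = 3      # notify the PDPC within 3 calendar days of the assessment
SCALE_THRESHOLD = 500     # more than 500 Singapore residents -> notify the PDPC


@dataclass(frozen=True)
class Incident:
    discovered_on: str                 # ISO date the organization became aware
    assessed_on: Optional[str]         # ISO date the breach was assessed as notifiable
    affected_sg_residents: int
    data_types: frozenset
    pdpc_waived_individual_notice: bool = False  # PDPC accepted remediation as reducing harm


@dataclass(frozen=True)
class NotificationPlan:
    special_class: bool
    notify_pdpc: bool
    notify_individuals: bool
    investigation_due: str
    pdpc_due: Optional[str]
    reasons: tuple


def is_special_class(data_types) -> bool:
    """True when the breached data matches a special class: a name, alias or
    ID number combined with a sensitive item, or an account identifier combined
    with data that allows access to the account (assumed reading of the list)."""
    types = set(data_types)
    identified_sensitive = bool(types & IDENTIFIERS) and bool(types & SENSITIVE)
    account_access = "account_identifier" in types and bool(types & CREDENTIALS)
    return identified_sensitive or account_access


def _plus_days(iso_day: str, days: int) -> str:
    return (date.fromisoformat(iso_day) + timedelta(days=days)).isoformat()


def assess_notification(inc: Incident) -> NotificationPlan:
    """Decide who must be notified and compute the deadlines for one incident."""
    reasons = []
    special = is_special_class(inc.data_types)
    if special:
        reasons.append("special classes of personal data involved")
    if inc.affected_sg_residents > SCALE_THRESHOLD:
        reasons.append(f"more than {SCALE_THRESHOLD} Singapore residents affected")
    notify_pdpc = bool(reasons)
    # Individuals are notified only for special-class breaches, unless the PDPC
    # has determined that remedial action reduced the risk of harm.
    notify_individuals = special and not inc.pdpc_waived_individual_notice
    if special and inc.pdpc_waived_individual_notice:
        reasons.append("individual notice waived by PDPC after remediation")
    pdpc_due = None
    if notify_pdpc and inc.assessed_on:
        pdpc_due = _plus_days(inc.assessed_on, PDPC_NOTICE_DAYS)
    return NotificationPlan(
        special_class=special,
        notify_pdpc=notify_pdpc,
        notify_individuals=notify_individuals,
        investigation_due=_plus_days(inc.discovered_on, INVESTIGATION_DAYS),
        pdpc_due=pdpc_due,
        reasons=tuple(reasons),
    )


if __name__ == "__main__":
    # Constructed sample: a leaked spreadsheet of names and account balances.
    sample = Incident("2024-03-01", "2024-03-10", 120,
                      frozenset({"full_name", "financial_info"}))
    print(assess_notification(sample))
```

The check is deliberately conservative: a sensitive item on its own (for example financial data with no name or ID number attached) does not match a special class, mirroring the "in combination with" wording, and the individual-notice exception is applied only when the PDPC has actually made that determination, not merely because remediation was attempted.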
How to Issue a Data Breach Notification
Organizations can issue the notification to the PDPC through the commission’s website and should include all of the following information:
- The date when the organization first became aware of the breach and the circumstances that made them aware of the situation
- A chronological account of the steps taken once the organization became aware of the breach, including their assessment of whether or not the breach required a notification
- Details on how the breach occurred
- The number of individuals affected
- The personal data or classes of personal data affected
- The potential harm to the affected individuals as a result of the breach
- Information on any remedial actions the organization has already taken or will take in the future to (1) eliminate or mitigate any potential harm to affected individuals and (2) address any shortcomings believed to have caused or facilitated the breach
- Information on the organization’s plans (if any) to notify affected individuals or the public about the breach and how anyone affected can eliminate or mitigate potential harm
- Business contact information for at least one authorized representative of the organization
- If the notification is later than 3 calendar days after the investigation: Reasons for the late notification and any supporting evidence
- If the organization does not intend to notify affected individuals: Specifics on the grounds for not issuing a notification to these individuals
Organizations can notify affected individuals using their regular mode of communication, as long as that is appropriate and effective in reaching people in a timely manner. They do not need to send a copy to the PDPC. This notification should include:
- The circumstances that made the organization aware a breach occurred
- The personal data or classes of personal data affected
- The potential harm to the affected individuals as a result of the breach
- Information on any remedial actions the organization has already taken or will take in the future to (1) eliminate or mitigate any potential harm to affected individuals and (2) address any shortcomings believed to have caused or facilitated the breach
- Steps affected individuals can take to eliminate or mitigate any potential harm, including preventing the misuse of their personal data involved in the breach
- Business contact information for at least one authorized representative of the organization
What Types of Incidents Can Trigger a Notification Under the PDPA?
Some of the most common examples of privacy incidents that can trigger a notification under the PDPA include:
Exfiltration
A set of techniques for stealing data in which a third party gains unauthorized access to data and transfers it to their own devices or servers. Depending on the information involved, this type of data theft can pose serious harm to individuals.
Ransomware
When a third party holds data hostage, usually in exchange for money. The attacker typically gains access through a weakness in the organization’s defenses and then installs malware on a device or server that can steal the data and hold it hostage until the ransom demands are met.
Wrongly Exposed Data
An accidental exposure, such as mistakenly sending data to the wrong person, sharing data through an unsecured channel, or leaving data unencrypted, can trigger a notification and result in fines. An employee knowingly exposing data could also lead to criminal charges.
Making Proactive Incident Response a Priority For Singapore
The latest updates to Singapore’s PDPA significantly strengthen the law’s privacy requirements and increase the PDPC’s enforcement authority. These stronger requirements, together with the fact that privacy incidents are now more a matter of “when” than “if,” make proactive incident response essential.
Proactively preparing for incident response requires organizations to keep updated on regulations, assign responsibility for security and privacy policies, develop response plans before they’re needed, and regularly adjust those plans as internal and external factors evolve.
Supercharge your incident response strategy with the BreachRx platform
Stop using spreadsheets and documents to keep track of the tasks you need to accomplish during an incident response.