Breach Notification Requirements
Does data privacy or cybersecurity law impose obligations to make notifications about personal data security breaches?

Last review date: 29 December 2023

Yes, there are obligations pursuant to the Personal Data Protection Act 2012 ("PDPA") to notify:

  • The Personal Data Protection Commission (PDPC), the statutory authority that enforces and administers the PDPA, as soon as is practicable, but in any case no later than three calendar days from the day that an organization determines that a data breach is a notifiable data breach (pursuant to Section 26D(1) of the PDPA)
  • Affected individuals whose personal data is affected by a data breach as soon as practicable, at the same time as or after notifying the PDPC (pursuant to Section 26D(2) of the PDPA and the Advisory Guidelines on Key Concepts in the Personal Data Protection Act), and/or
  • The organization or public agency that a data intermediary is processing personal data on behalf of without undue delay from the time it has credible grounds to believe that the data breach has occurred (pursuant to Section 26C(3)(a) of the PDPA).

A data breach in relation to personal data means the unauthorized access, collection, use, disclosure, copying, modification or disposal of personal data; or the loss of any storage medium or device on which personal data is stored in circumstances where the unauthorized access, collection, use, disclosure, copying, modification or disposal of the personal data is likely to occur.

Once an organization has credible grounds to believe that a data breach has occurred, an organization would be required to take reasonable and expeditious steps to assess whether the data breach is notifiable under the PDPA. A data breach is notifiable to the PDPC if the data breach: (a) results in, or is likely to result in, significant harm to an affected individual; or (b) is, or is likely to be, of a significant scale.

Under section 14 of the Cybersecurity Act 2018 ("CSA"), designated owners of critical information infrastructure are required to report to the Commissioner of Cybersecurity, in the prescribed form and manner and within the prescribed time period: (a) the occurrence of a prescribed cybersecurity incident in respect of the critical information infrastructure, or of any computer or computer system under the owner's control that is interconnected with or communicates with the critical information infrastructure; and (b) any other type of cybersecurity incident in respect of the critical information infrastructure specified in a written direction to the owner.

"Cybersecurity incident" means an act or activity carried out without lawful authority on or through a computer or computer system that jeopardizes or adversely affects the availability, operation or integrity of a computer or computer system, or the integrity and confidentiality of information stored in, processed by or transmitted through a computer or computer system.

The prescribed time period is set out in Regulation 5 of the Cybersecurity (Critical Information Infrastructure) Regulations 2018, which provides that the designated owner of critical information infrastructure must notify the Commissioner of Cybersecurity of a cybersecurity incident in the required form within two hours after becoming aware of its occurrence, and must provide, within 14 days of the initial submission, supplementary details on: (i) the cause of the cybersecurity incident; (ii) its impact on the critical information infrastructure or any interconnected computer or computer system; and (iii) the remedial measures that have been taken. There are no publicly available requirements for the notification of affected individuals (data subjects).
It is an offense for any owner of critical information infrastructure to, without reasonable excuse, fail to notify the Commissioner of the specified cybersecurity incidents, and such offense is punishable by a fine not exceeding SGD 100,000 (approximately USD 74,000) and/or imprisonment for a term not exceeding two years.

Controllers/ Owners have to notify:

Last review date: 29 December 2023

An organization (equivalent of controllers/owners) must notify the PDPC, the statutory authority that enforces and administers the PDPA, as soon as is practicable, but in any case no later than three calendar days from the day that the organization determines that a data breach is a notifiable data breach (pursuant to Section 26D(1) of the PDPA); and affected individuals whose personal data is affected by a data breach as soon as practicable, at the same time as or after notifying the PDPC (pursuant to Section 26D(2) of the PDPA and the Advisory Guidelines on Key Concepts in the Personal Data Protection Act).

An owner of a critical information infrastructure must notify the Commissioner in the prescribed form and manner within the prescribed period.


Processors/ Agents have to notify:

Last updated: 29 December 2023

A data intermediary (equivalent of a data processor/agent) must notify the organization or public agency that it is processing personal data on behalf of without undue delay from the time it has credible grounds to believe that the data breach has occurred (pursuant to Section 26C(3)(a) of the PDPA).
