Personal Data Protection in Singapore Series Part 4: Data Breach Notification Requirements
In the event of a data breach, the Personal Data Protection Act 2012 (“PDPA”) requires an organisation to assess whether the data breach is notifiable and, where it is assessed to be notifiable, to notify the affected individuals and/or the Personal Data Protection Commission (“PDPC”). This obligation is referred to as the “Data Breach Notification Obligation” (“DBN Obligation”).
Data breach
A data breach in relation to personal data refers to any unauthorised access, collection, use, disclosure, copying, modification or disposal of personal data. A data breach also includes the loss of any storage medium or device on which personal data is stored, in circumstances where such unauthorised access, collection, use, disclosure, copying, modification or disposal of the personal data is likely to occur. In practice this means that a lost laptop or portable drive is a data breach unless the data on it is protected such that unauthorised access is unlikely (for example, by strong encryption with keys that were not lost together with the device).
Duty to conduct assessment of data breach
Once an organisation has credible grounds to believe that a data breach has occurred, it is required to take reasonable and expeditious steps to assess whether the data breach is notifiable under the PDPA. Any unreasonable delay in assessing a data breach is itself a breach of the DBN Obligation. A data intermediary (for example, a vendor processing personal data on behalf of the organisation) that has reason to believe a data breach has occurred in relation to personal data it processes for another organisation must notify that organisation without undue delay, so that the organisation can carry out this assessment.
The organisation should complete its assessment of whether the data breach is notifiable within 30 calendar days of becoming aware of it. If the organisation is unable to do so, it should be prepared to provide the PDPC with an explanation for the time taken, or required, to carry out the assessment, and should document the steps taken during that period.
Criteria for data breach notification
Significant harm to affected individuals
A data breach is notifiable where it results in, or is likely to result in, significant harm to the affected individuals. In assessing the likelihood of harm, the organisation should consider the nature and sensitivity of the personal data involved; regulations made under the PDPA also prescribe certain classes of personal data whose compromise is deemed to result in significant harm. Notification ensures that affected individuals are aware of the data breach and are able to take steps to protect themselves (e.g. changing their passwords, cancelling their credit cards, etc.).
Significant scale
Where a data breach affects 500 or more individuals, the organisation is required to notify the PDPC even if the data breach is not likely to result in significant harm to the affected individuals. Notification of the affected individuals themselves is triggered by the significant harm criterion, not by scale alone.
Timeframes for notification
If the organisation determines that the data breach is notifiable, it must notify:
- the PDPC as soon as practicable, but in any case no later than three (3) calendar days from the time it determines that the data breach is notifiable; and
- where required, the affected individuals as soon as practicable, at the same time as or after notifying the PDPC.
Notification to affected individuals is not required where the organisation has taken action that renders it unlikely that the data breach will result in significant harm to them, or where the personal data was, before the breach, protected by technological measures (such as encryption) that render it unlikely that the breach will result in significant harm. The organisation should be able to demonstrate to the PDPC why either exception applies.
Any unreasonable delay in notifying the PDPC and/or the affected individuals is a breach of the DBN Obligation.
Mode of notification of data breach
The organisation should ensure that the mode of notification used is appropriate and effective in reaching the affected individuals in a timely way. The organisation may determine the most efficient and effective mode of notification (for example, e-mail, SMS, post or a telephone call, depending on the contact details it holds and the urgency of the protective steps the individuals need to take).
Information to be provided in the notification of a data breach
An organisation notifying the affected individuals and/or the PDPC of a data breach must provide the relevant details of the data breach to the best of its knowledge and belief. The notification should also include relevant information about the organisation’s data breach management and remediation plans.
The notification of the data breach should include:
- the facts of the data breach (including, where known, how and when it occurred, the types of personal data involved and the number of individuals affected);
- information on the organisation’s handling of the data breach, including the remedial actions taken or planned; and
- the contact details of at least one authorised representative of the organisation.
The organisation’s notification to the affected individuals should be clear and simple. It should also include guidance on the steps the affected individuals may take to protect themselves from the potential harm arising from the data breach. If the data breach involves information relating to adoption matters or the identification of vulnerable individuals, the organisation should first notify the PDPC and seek its guidance on how to notify the affected individuals.
IMPORTANT NOTICE: This memorandum is only intended as a guide and does not purport to be an exhaustive or conclusive discussion of the matters set out herein and should not be relied on as a substitute for definitive legal advice. Reference should always be made to the applicable statutes, the relevant subsidiary legislation and other applicable guidelines. This memorandum is not to be transmitted to any other person nor is it to be relied upon by any other person or for any other purpose or quoted or referred to in any public document or filed with any governmental or other authorities without our consent in writing. This memorandum is limited to the laws of Singapore. In issuing this memorandum, we do not assume any obligation to notify or inform you of any developments subsequent to its date that might render its contents untrue or inaccurate in whole or in part at such later time. If you would like to discuss the implications of these legal developments on your business or obtain advice, please do not hesitate to approach your usual contact at Insights Law LLC or you may direct the inquiry to our key contacts stated above.