When to Notify of Data Breach

Once an organisation has credible grounds to believe that a data breach has occurred, it must take reasonable and expeditious steps to assess whether the data breach is notifiable under the PDPA within 30 calendar days.

Any unreasonable delay will be considered a breach of the Data Breach Notification Obligation and may result in penalties. Organisations must document all steps taken in assessing the data breach.

CRITERIA FOR DATA BREACH NOTIFICATION

(i) Significant Harm to Affected Individuals
Physical, psychological, emotional, economic and financial harm are all relevant forms of harm; a data breach that is likely to result in any of them is notifiable. For example, data breaches which involve the following:

  • Full name, Identification number
  • Account name or number with the business, or password, responses to security questions, biometric data of such accounts
  • Wage, remuneration, income or net worth
  • Credit card or debit card number, or bank account number
  • Monetary deposits with any organisation, withdrawals, investments, or debts
  • Accident, health or life insurance policy, including the terms, the premiums and the benefits payable.

Given the likelihood of harm arising from such a data breach, notifying the affected individuals ensures that they are aware of it and able to take steps to protect themselves (e.g. by changing passwords, cancelling credit cards, monitoring accounts for unusual activity, etc.).

(ii) Significant Scale
Data breaches that meet the criteria of significant scale are those that involve the personal data of 500 or more individuals. Where a data breach affects 500 or more individuals, the organisation is required to notify the Commission, even if the data breach does not involve any of the personal data prescribed in the PDP (DBN) Regulations 2021.

Data breaches of a significant scale may indicate a systemic issue within the organisation. Notifying the Commission of such data breaches will allow it to provide guidance to organisations on remedial actions to address the data breach as well as any systemic changes to prevent future occurrences.

TIMEFRAMES FOR NOTIFICATION

Upon determining that a data breach is notifiable, the organisation must notify:
a. the Commission as soon as practicable, but in any case, no later than three (3) calendar days; and
b. where required, affected individuals as soon as practicable, at the same time as or after notifying the Commission.
