The Personal Data Protection (Amendment) Bill 2020, passed on 2 November 2020, seeks to strengthen the accountability of organisations and to align Singapore's regime more closely with international standards, holding organisations to greater accountability while giving them greater flexibility to use personal data to innovate. One of the amendments to the Act is a mandatory data breach notification obligation: the Commission must be notified within three calendar days (72 hours) of the organisation assessing a breach to be notifiable.
The Commission has conducted public consultations on data breach notification. In the interim, it has published guides on managing data breaches and has encouraged organisations to notify it voluntarily of breaches that indicate a systemic issue may be the underlying cause.
Against this backdrop, many organisations have invested in DPaaS, or Data Protection-as-a-Service. In essence, DPaaS is an integrated bundle of data protection services that enables organisations to train their DPOs and to set up Data Protection Management and Data Breach Management Programmes.
The Commission noted in the Public Consultation Paper that breach notification is central to an organisation's accountability, because the obligation encourages organisations to set up risk-based reporting systems and internal monitoring that detect data incidents in the first place.
The Commission also stated that, when coupled with a breach management plan, breach notification is crucial to an organisation's incident response and remediation. According to the Commission, an accountable organisation may also rely on its breach notification and breach mitigation plans when applying for a statutory undertaking.
Data Breach in a Nutshell
In relation to personal data, a data breach means:
- The unauthorised collection, use, access, copying, modification, disposal or disclosure of personal data, or
- The loss of any storage device or medium on which personal data is stored, in circumstances where the unauthorised collection, use, disclosure, access, copying, modification or disposal of the personal data is likely to occur.
When is a data breach notifiable?
A data breach is considered a notifiable data breach if:
- It results in, or is likely to result in, significant harm to the affected individuals. A data breach is deemed likely to result in significant harm to an individual if it affects any prescribed class of personal data relating to that individual; or
- It affects not fewer than the prescribed minimum number of individuals. While that number had not yet been prescribed at the time of writing, the Commission has previously used 500 affected individuals as a rule of thumb for deciding whether a breach points to possible systemic issues within the organisation.
The classes of personal data are also yet to be prescribed. In the Public Consultation Paper, the Commission indicated that it intends to prescribe categories of personal data whose compromise is likely to result in significant harm to the individuals concerned.
The Commission noted that several jurisdictions take a similar "whitelist" approach to breach notification to the authorities and to affected individuals. Case in point: some states in the United States, such as Washington and California, have prescribed categories of personal data that trigger notification to the relevant authorities and to the individuals affected.
The Commission also observed that the data categories prescribed by other jurisdictions include state identification numbers, debit and credit card numbers, social security numbers, health insurance information, medical history information and drivers' licence numbers.
Obligations of an Organisation
When an organisation has reason to believe that a data breach affecting personal data in its possession or under its control has occurred, it must assess whether the breach is a notifiable data breach. The assessment must be carried out in a reasonable and expeditious manner.
An assessment must be carried out in both of the following situations:
- Where the personal data is in the organisation's own possession and the organisation itself collects, uses or discloses that personal data; and
- Where the personal data is in the possession of the organisation's data intermediary, and the data intermediary notifies the organisation of a breach arising from the collection, use or disclosure it carried out on the organisation's behalf.