What is not included in a breach notification
Singapore’s Personal Data Protection Commission (PDPC) has announced that data breach notification will soon become mandatory in Singapore. However, not all breaches need to be reported. We have prepared this guide to aid businesses in understanding when, to whom and how to notify should they encounter a data breach. As further guidance and details on the new requirements will be provided by PDPC in due course, we will follow up with an updated guide at the appropriate time.

What is a data breach?
A data breach refers to any unauthorized access, collection, use, disclosure, copying, modification or disposal of personal data in an organization’s possession or under its control.

Is a data breach the same thing as a breach of the Personal Data Protection Act (PDPA)?
Not necessarily. A data breach refers to any unauthorized access, use, disclosure, copying, modification or disposal of (or other similar risk to) personal data (i.e., data that identifies individuals) held by an organization. A data breach may or may not be a breach of the PDPA, depending on the exact circumstances. Conversely, a breach of the PDPA can arise without any data breach; for instance, an organization may have failed to comply with its access obligation under the PDPA despite receiving a legitimate access request from an individual.

When and to whom does an organization need to report a data breach?
2. An organization needs to notify affected individuals (including the parents or legal guardians of minors whose personal data is compromised) when the data breach is likely to result in significant harm or impact to the individuals to whom the data relates. Potential exceptions exist where:
3. A data intermediary (i.e., an organization that processes personal data on behalf of another organization) need only notify that organization without undue delay (i.e., within 24 hours) upon becoming aware of a data breach.

What is the timeline for reporting?
To PDPC:
To affected individuals:
What information should the notification(s) contain?
To PDPC:
To affected individuals:
Are there any other reporting requirements in Singapore to take note of?
Yes. Significant ones include:
What do I do now before the updated law kicks in?
It is likely that organizations will be given some time to prepare and to put in place the policies and practices needed to comply with the new notification requirements. However, businesses should start considering the following steps ahead of any implementation deadline:
Reed Smith LLP is licensed to operate as a foreign law practice in Singapore under the name and style, Reed Smith Pte Ltd (hereafter collectively, Reed Smith). Where advice on Singapore law is required, we will refer the matter to and work with Reed Smith’s Formal Law Alliance partner in Singapore, Resource Law LLC, where necessary.

Which is included in a breach notification?
Under the U.S. HIPAA Breach Notification Rule, individual notifications must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach, and must include, to the extent possible, a brief description of the breach, a description of the types of information that were involved in the breach, the steps affected ...
What is not considered a breach?
Under HIPAA, an accidental disclosure is not necessarily a breach. For example, say an administrator unintentionally emailed a person's PHI to another person. That email would not be considered a breach if the administrator can show that it was accidental, made in good faith, and not part of a repeated pattern, and that the information was not further used or disclosed.
What is an exception to the definition of a breach?
There are three exceptions: 1) unintentional acquisition, access, or use of PHI in good faith by a workforce member acting within the scope of their authority; 2) inadvertent disclosure to another authorized person at the same organization; 3) a good-faith belief that the unauthorized recipient would not reasonably have been able to retain the PHI.
What are the four criteria used to make a determination if a breach occurred?
Four-factor HIPAA breach risk assessment:
1. What type of PHI was involved, and to what extent?
2. Who was the unauthorized person or organization?
3. Did the person or organization actually acquire or view the PHI?
4. To what extent has the risk been mitigated?