Data Breach Notification (Singapore)

A Data Breach Notification in Singapore gives formal notice of the matter it concerns to the recipient.

A 'data breach' under the PDPA is defined as unauthorised access to, collection, use, disclosure, copying, modification, or disposal of personal data in an organisation's possession or control, or the loss of a storage medium or device on which personal data is stored. Section 26B of the PDPA requires organisations to conduct a reasonable and expeditious assessment upon becoming aware that a data breach may have occurred. The assessment must determine whether the breach is notifiable — meaning it is likely to result in significant harm to affected individuals, or it affects 500 or more individuals in Singapore. The PDPA's Second Schedule specifies categories of personal data whose breach is deemed likely to result in significant harm: NRIC numbers, financial account information, health data, biometric data, passwords and security codes, private sexual images, and personal data of minors.

The notification timeline under section 26D requires the organisation to notify the PDPC within three calendar days of completing the assessment that a breach is notifiable. The organisation has up to 30 calendar days from the date of becoming aware of the breach to complete its assessment, but must begin assessment immediately. The PDPC provides an online notification portal (www.pdpc.gov.sg) for breach submissions. Simultaneously, organisations must notify affected individuals as soon as practicable where the breach is likely to result in significant harm.

The PDPC — a statutory body established under Part IX of the PDPA — administers breach notification requirements, investigates reported breaches, and issues enforcement decisions. The PDPC has published the Guide on Managing and Notifying Data Breaches Under the PDPA (revised 2022), which provides detailed guidance on breach assessment, notification content, and notification to affected individuals. Organisations found to have breached section 26D face financial penalties of up to S$1 million or 10% of annual Singapore turnover under the enhanced penalty framework introduced in 2021.

Notable PDPC enforcement decisions have established important precedents for breach notification practice in Singapore. The PDPC's decision in the SingHealth data breach case (2018) — where personal data of 1.5 million patients was compromised — resulted in a S$750,000 financial penalty and mandatory security improvements. The PDPC's decisions are published on its website and serve as guidance for organisations preparing their breach notification procedures.

The PDPC also maintains a voluntary breach notification mechanism for breaches that do not meet the mandatory notification threshold. Organisations experiencing non-notifiable breaches may still choose to notify the PDPC voluntarily, and the PDPC may provide guidance on remediation measures. The PDPC's enforcement track record — with over 200 published decisions since 2014 — provides a substantial body of precedent that organisations should review when developing their breach notification procedures and assessing whether a specific breach meets the notifiability threshold.

A Data Breach Notification must be submitted to the PDPC in Singapore in the following circumstances, as prescribed by section 26D of the Personal Data Protection Act 2012.

Breaches affecting 500 or more individuals in Singapore are notifiable regardless of whether significant harm is likely. The PDPC counts the number of affected individuals, not the number of data records — a single individual whose data appears in multiple compromised records counts as one affected individual. Where the exact number of affected individuals cannot be determined during the initial assessment, the organisation should estimate the number and update the PDPC as more information becomes available.

Breaches involving Second Schedule personal data that are likely to result in significant harm to affected individuals are notifiable regardless of the number of individuals affected. Second Schedule data includes: NRIC numbers, FIN numbers, and other government-issued identification numbers; financial account numbers (bank accounts, credit cards, insurance policies); passwords, security codes, and access credentials; health information (medical records, test results, prescriptions); biometric data (fingerprints, facial recognition data, iris scans); private sexual images; and personal data of individuals below 18 years of age.

Breaches involving other categories of personal data may be notifiable where the organisation's assessment concludes that the breach is likely to result in significant harm based on the sensitivity of the data, the circumstances of the breach (was the data encrypted? was access limited?), and the likelihood that the data will be misused.

Breach discovery triggers the assessment obligation even if the full extent of the breach is not yet determined. Section 26B of the PDPA requires organisations to begin assessment immediately upon becoming aware that a breach may have occurred — for example, when an employee reports a phishing compromise, a security monitoring tool detects unauthorised access, or a third-party processor notifies the organisation of a breach affecting its data.

Data processor breaches require the data intermediary (processor) to notify the organisation (controller) without undue delay under section 26C of the PDPA. The controller organisation is then responsible for assessing the breach and filing the PDPC notification if the breach is notifiable.

Organisations that have previously assessed a breach as non-notifiable but subsequently discover additional affected individuals or more sensitive data categories must reassess and may need to file a late notification to the PDPC.

A complete Singapore PDPC Data Breach Notification (as required under Section 26D of the PDPA) must include the following elements, as specified in the PDPC's Guide on Managing and Notifying Data Breaches and the PDPC's online notification portal.

**Organisation Details** provides the organisation's registered name, Unique Entity Number (UEN) issued by ACRA, registered address, and the name, designation, email address, and phone number of the Data Protection Officer (DPO) or the authorised contact person for the breach notification. The PDPC communicates with the named contact throughout the investigation.

**Breach Discovery and Assessment Timeline** records: the date and manner in which the organisation first became aware of the breach (section 26B); the date the assessment was completed (which starts the three-calendar-day notification clock under section 26D); and the date of the PDPC notification. The PDPC scrutinises the timeline to verify compliance with the 30-day assessment and 3-day notification deadlines.

**Breach Description** details the nature of the breach: whether it involved unauthorised access, disclosure, loss, copying, modification, or disposal of personal data; the technical cause (cyber attack, employee error, system misconfiguration, physical loss of device, third-party vendor breach); and the sequence of events leading to the breach.

**Systems and Data Involved** identifies the IT systems, databases, applications, or storage media affected by the breach, and specifies the categories of personal data compromised (names, NRIC numbers, addresses, financial data, health data, etc.). The PDPC uses this information to assess the severity of the breach and the adequacy of the organisation's security measures.

**Individuals Affected** states the estimated or confirmed number of affected individuals in Singapore, their categories (customers, employees, patients, students, etc.), and whether the data of individuals below 18 years of age is involved (which triggers heightened concern under the PDPA).

**Second Schedule Assessment** evaluates whether the breached data falls within the categories listed in the PDPA's Second Schedule and whether the breach is likely to result in significant harm. The assessment must consider the sensitivity of the data, the context of the breach, and the likelihood that the data will be used for identity theft, financial fraud, harassment, or other harmful purposes.

**Containment Actions** describes the immediate steps taken to contain the breach, prevent further data exposure, and preserve evidence for investigation: disabling compromised accounts, isolating affected systems, revoking access credentials, notifying law enforcement (Singapore Police Force), and engaging forensic investigators.

**Remediation Plan** outlines the corrective actions planned to address the root cause and prevent recurrence: patching vulnerabilities, strengthening access controls, implementing encryption, enhancing monitoring capabilities, updating data protection policies, and conducting staff training.

**Notification to Affected Individuals** confirms whether affected individuals have been notified, the method and timing of notification (email, SMS, letter, in-app notification), and the content of the notification (description of the breach, personal data involved, recommended protective actions, and the organisation's contact information). The PDPC requires individual notification to be clear, factual, and not unnecessarily alarming.

**Declaration** requires the DPO or authorised officer to declare that the information provided in the notification is true and correct to the best of the organisation's knowledge at the time of submission.

The forms-legal.com Data Breach Notification template follows the PDPC's prescribed notification format, enabling organisations to prepare the required information systematically before submitting through the PDPC's online portal.

**Supporting Documentation** should accompany the PDPC notification or be available upon request: incident log documenting the timeline of discovery, assessment, and response; system access records identifying compromised accounts and access points; forensic investigation reports (if engaged); police report reference number (if a criminal complaint has been filed with the Singapore Police Force); and copies of notification letters sent to affected individuals. The PDPC may request additional documentation during the post-notification investigation phase.

**Supporting Documentation** should accompany the PDPC notification or be available upon request: incident log documenting the timeline of discovery, assessment, and response; system access records identifying compromised accounts and access points; forensic investigation reports (if engaged); police report reference number (if a criminal complaint has been filed with the Singapore Police Force); and copies of notification letters sent to affected individuals. The PDPC may request additional documentation during the post-notification investigation phase. Under Singapore law, Section 26D of the Personal Data Protection Act 2012 (PDPA) governs the core requirements for this type of document.