- Upon containment of the data breach, the Centre shall conduct an in-depth assessment within 30 days from when the Centre first becomes aware of a potential data breach.
- If the in-depth assessment reveals that the data breach is likely to result in significant harm or impact to the affected individuals, the Centre shall notify the PDPC within 72 hours and the affected individuals as soon as practicable.
- Where the Centre is uncertain if affected individuals need to be notified, the Centre shall report to the PDPC and seek clarification.
- If the data breach involves the accidental disclosure of personal data to a trusted third party, the Centre shall take steps to request that the third party delete the personal data that was accidentally disclosed and secure the third party’s compliance with its request.
ACTIONS FOR MANAGING DATA BREACH (4 STEPS)
- The Data Protection Officer (DPO) and the Executive Director (ED) should be notified of all suspected/confirmed data breaches immediately upon detection.
- Upon being notified, the DPO and/or the ED shall conduct an initial assessment of the data breach to determine the severity of the data breach. The initial assessment should include (but not be limited to) the following:
- Cause of the data breach and whether the breach is still ongoing
- Number of affected individuals
- Type(s) of personal data involved
- The affected systems and/or services
- Whether help is required to contain the breach
- After the initial assessment, actions should be taken to:
- Stop the identified practices that led to the data breach
- Establish whether the lost data can be recovered and steps that can be taken to minimise any harm or impact caused by the data breach (e.g. remotely disabling a lost notebook containing personal data of individuals)
- Isolate the compromised system from the Internet or network, or shut down the compromised system if necessary
- Prevent further unauthorised access to the system
- Reset passwords if accounts and passwords have been compromised
- Isolate the causes of the data breach in the system, and where applicable, change the access rights to the compromised system
- The details of the data breach and post-breach response(s) will be recorded in an Incident Record Log to allow follow-up investigations or reviews.
- The Centre shall alert the:
- Police, if criminal activity (e.g. hacking, theft or unauthorised system access by an employee) is suspected, and to preserve evidence for investigation
- Cyber Security Agency of Singapore through the Singapore Computer Emergency Response Team (SingCERT) for cyberattacks