COUNSELLING AND CARE CENTRE DATA BREACH MANAGEMENT PLAN

ACTIONS FOR MANAGING DATA BREACH (4 STEPS)

STEP 1: CONTAINING THE DATA BREACH TO PREVENT FURTHER COMPROMISE OF PERSONAL DATA
  • The Data Protection Officer (DPO) and the Executive Director (ED) should be notified of all suspected/confirmed data breaches immediately upon detection.
  • Upon being notified, the DPO and/or the ED shall conduct an initial assessment to determine the severity of the data breach. The initial assessment should cover (but not be limited to) the following:
    • Cause of the data breach and whether the breach is still ongoing
    • Number of affected individuals
    • Type(s) of personal data involved
    • The affected systems and/or services
    • Whether help is required to contain the breach
  • After the initial assessment, actions should be taken to:
    • Stop the identified practices that led to the data breach
    • Isolate the compromised system from the Internet or network, or shut it down if necessary (bearing in mind that powering off a system may destroy volatile evidence needed for investigation, so prefer network isolation where it suffices)
    • Prevent further unauthorised access to the system
    • Reset passwords (and revoke any active sessions) for accounts whose credentials have been, or may have been, compromised
    • Isolate the causes of the data breach in the system and, where applicable, change the access rights to the compromised system
    • Establish whether the lost data can be recovered and what steps can be taken to minimise any harm or impact caused by the data breach (e.g. remotely wiping or disabling a lost notebook containing personal data of individuals)
  • The details of the data breach and post-breach response(s) will be recorded in an Incident Record Log to allow follow-up investigations or reviews.
  • The Centre shall alert the:
    • Police, if criminal activity (e.g. hacking, theft or unauthorised system access by an employee) is suspected, and to preserve evidence for investigation
    • Cyber Security Agency of Singapore through the Singapore Computer Emergency Response Team (SingCERT) for cyberattacks
STEP 2: ASSESSING THE DATA BREACH BY GATHERING THE FACTS AND EVALUATING THE RISKS, INCLUDING THE HARM TO AFFECTED INDIVIDUALS
  • Upon containment of the data breach, the Centre shall conduct an in-depth assessment, to be completed within 30 days from when the Centre first became aware of the potential data breach.
  • If the in-depth assessment reveals that the data breach is likely to result in significant harm or impact to the affected individuals, or is otherwise notifiable under Step 3, the Centre shall notify the PDPC within 72 hours of making that determination, and the affected individuals as soon as practicable.
  • Where the Centre is uncertain if affected individuals need to be notified, the Centre shall report to the PDPC and seek clarification.
  • If the data breach involves the accidental disclosure of personal data to a trusted third party, the Centre shall request that the third party delete the personal data that was accidentally disclosed, and shall obtain confirmation that the third party has complied with the request.
STEP 3: REPORTING THE DATA BREACH TO THE PERSONAL DATA PROTECTION COMMISSION (PDPC) AND/OR AFFECTED INDIVIDUALS, IF NECESSARY
  • The Centre shall notify the PDPC and/or affected individuals when the data breach is –
    • likely to result in significant harm or impact to the individuals to whom the information relates; or
    • of a significant scale (i.e. data breach involves personal data of 500 or more individuals)
  • Information to be included in the notice to the PDPC:
    • Extent of the data breach;
    • Type(s) and volume of personal data involved;
    • Cause or suspected cause of the breach;
    • Whether the breach has been rectified;
    • Measures and processes that the organisation had put in place at the time of the breach;
    • Information on whether affected individuals of the data breach were notified and if not, when the organisation intends to do so; and
    • Contact details of person(s) whom the PDPC could contact for further information or clarification.
  • Submit the notification at https://eservice.pdpc.gov.sg/case/db or call 6377 3131 during working hours.
  • Information to be included in the notice to the affected individuals:
      • How and when the data breach occurred;
      • Types of personal data involved in the data breach;
      • What the organisation has done or will be doing in response to the risks brought about by the data breach;
      • Specific facts on the data breach where applicable, and actions individuals can take to prevent that data from being misused or abused;
      • Contact details and how affected individuals can reach the Centre for further information or assistance (e.g. helpline numbers, e-mail addresses or websites); and/or
      • Where applicable, what type of harm/impact the individual may suffer from the compromised data.
  • The DPO or ED shall send the notice to the affected individuals by e-mail. Refer to ANNEX A for the template.
STEP 4: EVALUATING THE CENTRE'S RESPONSE TO THE DATA BREACH INCIDENT AND CONSIDERING THE ACTIONS WHICH CAN BE TAKEN TO PREVENT FUTURE DATA BREACHES
  • The Centre shall review and take action to improve its personal data handling practices and prevent the recurrence of similar data breaches.
  • The review and follow-up actions may include the following:
    • Implementation and continuation of the remediation actions
    • Identification of areas of weakness and action to strengthen them
    • Evaluation of the effectiveness of the Centre's data breach response(s)
    • Corrective actions to be taken

ANNEX A - SAMPLE E-MAIL

Dear [NAME]:

We respect the privacy of your personal information, which is why, as a precautionary measure, we are writing to let you know about a data security incident that [may involve/involves] your personal information.

[[Between/On] [IDENTIFY TIME PERIOD OF BREACH], [SUMMARIZE BREACH INCIDENT].] The data accessed [may have included/included] personal information such as [IDENTIFY TYPES OF PERSONAL INFORMATION AT ISSUE]. [To our knowledge, the data accessed did not include any [IDENTIFY TYPES OF PERSONAL INFORMATION NOT INVOLVED]].

We value your privacy and deeply regret that this incident occurred. [We recommend that you [IDENTIFY ACTIONS THE INDIVIDUAL CAN TAKE TO PREVENT THE DATA FROM BEING MISUSED].] We are conducting a thorough review of the potentially affected [records/computer system/IDENTIFY OTHER], [and will notify you if there are any significant developments]. We have implemented additional security measures designed to prevent a recurrence of such an attack, and to protect the privacy of the Centre's valued

[The Centre also is working closely with the Personal Data Protection Commission (PDPC) to ensure the incident is properly addressed.]

For further information and assistance, please contact our Data Protection Officer or Executive Director at 6536 6366 on working days between 8.30am and 5.30pm, or visit our website at www.counsel.org.sg

Sincerely,
[Name of DPO or ED]
[Designation]