26A. In this Part, unless the context otherwise requires —
“affected individual” means any individual to whom any personal data affected by a data breach relates;
“data breach”, in relation to personal data, means —
(a)
the unauthorised access, collection, use, disclosure, copying, modification or disposal of personal data; or
(b)
the loss of any storage medium or device on which personal data is stored in circumstances where the unauthorised access, collection, use, disclosure, copying, modification or disposal of the personal data is likely to occur.
[40/2020]
Notifiable data breaches
26B.—(1) A data breach is a notifiable data breach if the data breach —
(a)
results in, or is likely to result in, significant harm to an affected individual; or
(b)
is, or is likely to be, of a significant scale.
[40/2020]
(2) Without limiting subsection (1)(a), a data breach is deemed to result in significant harm to an individual —
(a)
if the data breach is in relation to any prescribed personal data or class of personal data relating to the individual; or
(b)
in other prescribed circumstances.
[40/2020]
(3) Without limiting subsection (1)(b), a data breach is deemed to be of a significant scale —
(a)
if the data breach affects not fewer than the prescribed number of affected individuals; or
(b)
in other prescribed circumstances.
[40/2020]
(4) Despite subsections (1), (2) and (3), a data breach that relates to the unauthorised access, collection, use, disclosure, copying or modification of personal data only within an organisation is deemed not to be a notifiable data breach.
[40/2020]
Duty to conduct assessment of data breach
26C.—(1) This section applies to a data breach that occurs on or after 1 February 2021.
[40/2020]
(2) Subject to subsection (3), where an organisation has reason to believe that a data breach affecting personal data in its possession or under its control has occurred, the organisation must conduct, in a reasonable and expeditious manner, an assessment of whether the data breach is a notifiable data breach.
[40/2020]
(3) Where a data intermediary (other than a data intermediary mentioned in section 26E) has reason to believe that a data breach has occurred in relation to personal data that the data intermediary is processing on behalf of and for the purposes of another organisation —
(a)
the data intermediary must, without undue delay, notify that other organisation of the occurrence of the data breach; and
(b)
that other organisation must, upon notification by the data intermediary, conduct an assessment of whether the data breach is a notifiable data breach.
[40/2020]
(4) The organisation must carry out the assessment mentioned in subsection (2) or (3)(b) in accordance with any prescribed requirements.
[40/2020]
Duty to notify occurrence of notifiable data breach
26D.—(1) Where an organisation assesses, in accordance with section 26C, that a data breach is a notifiable data breach, the organisation must notify the Commission as soon as is practicable, but in any case no later than 3 calendar days after the day the organisation makes that assessment.
[40/2020]
(2) Subject to subsections (5), (6) and (7), on or after notifying the Commission under subsection (1), the organisation must also notify each affected individual affected by a notifiable data breach mentioned in section 26B(1)(a) in any manner that is reasonable in the circumstances.
[40/2020]
(3) The notification under subsection (1) or (2) must contain, to the best of the knowledge and belief of the organisation at the time it notifies the Commission or affected individual (as the case may be), all the information that is prescribed for this purpose.
[40/2020]
(4) The notification under subsection (1) must be made in the form and submitted in the manner required by the Commission.
[40/2020]
(5) Subsection (2) does not apply to an organisation in relation to an affected individual if the organisation —
(a)
on or after assessing that the data breach is a notifiable data breach, takes any action, in accordance with any prescribed requirements, that renders it unlikely that the notifiable data breach will result in significant harm to the affected individual; or
(b)
had implemented, prior to the occurrence of the notifiable data breach, any technological measure that renders it unlikely that the notifiable data breach will result in significant harm to the affected individual.
[40/2020]
(6) An organisation must not notify any affected individual in accordance with subsection (2) if —
(a)
a prescribed law enforcement agency so instructs; or
(b)
the Commission so directs.
[40/2020]
(7) The Commission may, on the written application of an organisation, waive the requirement to notify an affected individual under subsection (2) subject to any conditions that the Commission thinks fit.
[40/2020]
(8) An organisation is not, by reason only of notifying the Commission under subsection (1) or an affected individual under subsection (2), to be regarded as being in breach of —
(a)
any duty or obligation under any written law or rule of law, or any contract, as to secrecy or other restriction on the disclosure of information; or
(b)
any rule of professional conduct applicable to the organisation.
[40/2020]
(9) Subsections (1) and (2) apply concurrently with any obligation of the organisation under any other written law to notify any other person (including any public agency) of the occurrence of a data breach, or to provide any information relating to a data breach.
[40/2020]
Obligations of data intermediary of public agency
26E. Where an organisation —
(a)
is a data intermediary processing personal data on behalf of and for the purposes of a public agency; and
(b)
has reason to believe that a data breach has occurred in relation to that personal data,
the organisation must, without undue delay, notify the public agency of the occurrence of the data breach.
