
Data Breach Notification in Singapore: The 3-Day Rule Explained

Understand Singapore's mandatory data breach notification requirements under the PDPA. Learn the 3-day rule, what makes a breach notifiable, and the steps you must follow.

LOCK.PUB
2026-03-22

Data Breach Notification in Singapore: The 3-Day Rule

Since February 1, 2021, organisations in Singapore are legally required to notify the Personal Data Protection Commission (PDPC) of certain data breaches. This is not optional — it is a mandatory obligation under the amended PDPA.

The stakes are high. Failure to notify can result in financial penalties of up to 10% of your annual turnover in Singapore or S$1 million, whichever is higher.

This guide breaks down exactly when you must notify, how quickly you must act, and what information you need to provide.

When Is a Breach Notifiable?

Not every data breach triggers the notification requirement. A breach is notifiable if it meets either of these conditions:

Condition         Threshold
Significant harm  The breach results in, or is likely to result in, significant harm to affected individuals
Scale             The breach affects 500 or more individuals, regardless of whether harm is likely

What Counts as "Significant Harm"?

The PDPA defines significant harm broadly. It includes:

  • Identity theft or fraud
  • Financial loss
  • Threat to physical safety
  • Blackmail or extortion
  • Harassment
  • Loss of employment opportunities
  • Damage to reputation

If any of these outcomes is likely, the breach is notifiable — even if it affects just one person.

The 3-Day Notification Timeline

Once you have assessed that a breach is notifiable, you must notify PDPC within 3 calendar days. Not business days — calendar days, including weekends and public holidays.

Step-by-Step Timeline

Day 0: Breach discovered
  ↓
Contain the breach immediately
  ↓
Assess: Is it notifiable? (Do this as quickly as reasonably possible)
  ↓
Day 1-3 after assessment: Notify PDPC
  ↓
As soon as practicable: Notify affected individuals (if significant harm likely)

Important: You cannot delay the assessment indefinitely to avoid the 3-day clock. PDPC expects organisations to assess breaches promptly.

What to Include in Your PDPC Notification

Your notification to PDPC must include:

  1. Nature of the breach — What happened (e.g., unauthorised access, accidental disclosure, ransomware)
  2. Types of personal data affected — NRIC numbers, financial data, health records, contact details, etc.
  3. When the breach occurred — Date and time, if known
  4. Number of affected individuals — Exact or estimated count
  5. Remedial actions taken — What you have done or plan to do
  6. Contact information — Who PDPC can reach for follow-up queries

The PDPC notification form is available on the PDPC website.

Notifying Affected Individuals

If the breach is likely to result in significant harm, you must also notify affected individuals as soon as practicable. Your notification should tell them:

  • What personal data was compromised
  • What they can do to protect themselves (e.g., change passwords, monitor accounts)
  • How to contact your organisation for more information

Required Steps for Breach Response

Step  Action                                                   Timeline
1     Contain the breach — stop the leak, isolate systems      Immediately
2     Assess the breach — determine if it is notifiable        As soon as reasonably possible
3     Notify PDPC — submit the notification form               Within 3 calendar days of assessment
4     Notify individuals — if significant harm is likely       As soon as practicable
5     Document and review — record what happened and improve   Ongoing

Real Cases and Penalties

Singapore has actively enforced the breach notification requirement. Organisations that failed to implement adequate data protection measures have faced significant penalties:

  • SingHealth (2018): S$250,000 fine each for SingHealth and IHIS following a breach affecting 1.5 million patients
  • Grabcar (2019): S$10,000 fine for a data exposure incident

These cases underscore that PDPC takes enforcement seriously, regardless of organisation size.

Sharing Breach Reports Securely

When a breach occurs, your incident response team needs to share sensitive assessment reports, forensic findings, and remediation plans with stakeholders — legal counsel, management, insurers, and potentially PDPC itself.

These documents contain details about your vulnerabilities and the personal data that was compromised. Sending them via regular email or iMessage is risky.

LOCK.PUB provides password-protected memos that let you share breach assessment documents securely. You can set an expiration time to limit access, which is especially important for documents containing details about active security vulnerabilities.

Preparing Before a Breach Happens

The worst time to figure out your breach response plan is during an actual breach. Prepare now:

  • Document your response plan — Who does what, and in what order
  • Identify your notification team — DPO, legal, IT, communications
  • Pre-draft notification templates — For both PDPC and affected individuals
  • Run tabletop exercises — Simulate a breach to test your response
  • Review and update annually — Threat landscapes change

Key Takeaways

  1. Mandatory breach notification has been in effect since February 1, 2021
  2. You must notify PDPC within 3 calendar days of assessing a breach as notifiable
  3. A breach is notifiable if it causes significant harm OR affects 500+ individuals
  4. Failing to notify can result in penalties up to 10% of annual turnover or S$1 million
  5. Prepare your breach response plan before an incident occurs

When you need to share breach-related documents securely during an incident, LOCK.PUB offers a simple way to add password protection with automatic expiration.

Don't wait for a breach to happen — prepare your response plan today.
