Suspect a PDPA Data Breach? Here’s What to Do Next
If you suspect that your personal information has been misused by an organisation, Singapore’s Personal Data Protection Act (PDPA) provides you with some protections on which you should rely.
This article will highlight the aspects of the PDPA that would be relevant in those circumstances. It will cover:
- The obligations of organisations under the PDPA
- Whether the information that has allegedly been misused is protected by the PDPA?
- What can you do if you suspect a PDPA breach?
- What are the penalties for PDPA breaches?
What are the Obligations of Organisations Under the PDPA?
First, organisations have a range of responsibilities to you in how they handle your data, pursuant to the PDPA. These responsibilities relate primarily to how they collect, store, use or share your data. In short, they need to obtain your consent to do certain things with your data, and they can only operate within the bounds of that consent.
For example, an organisation cannot share your personal data with a third-party, unless you have given your express consent for them to do so. Even if consent is given, they can share it with only the kinds of parties and for the purposes that they informed you of when they obtained your consent.
For more detail, see our other article on organisations’ obligations under the PDPA.
Is the Information that has Allegedly been Misused Protected by the PDPA?
Next, you must ensure that the data allegedly misused by an organisation is actually the kind of data that is protected by the PDPA. Most kinds of data that would personally identify you or provide information about you such as contact details or addresses would be protected.
However, your business contact information is not protected. This refers to information such as your work phone number or work email address as opposed to your personal phone number or email address.
That said, if your business contact information such as your work email address is given out for personal use, e.g. when signing up for a yoga class, then such information will not be treated as business contact information and will be protected under the PDPA in such scenarios of personal use.
What Can You Do If You Suspect a PDPA Breach?
If you believe that protected personal data has been misused by an organisation, you can file a complaint with the Personal Data Protection Commission (PDPC). The PDPC will usually open an investigation and contact the organisation to find out more.
Depending on the circumstances, you may also consider filing a police report. If you believe your data has been illegally accessed as a result of a computer hacking incident, a cybersecurity breach or something of that nature, then an offence under the Computer Misuse Act may have been committed. The police may be interested in investigating the matter if you have any evidence that suggests this is what may have happened.
In the event of a data security breach, organisations are required to report the incident to the PDPC if it had been conducted by individuals outside of the organisation, and has resulted in (or is likely to result in) significant harm to an affected individual, or if it is (or is likely to be) of a significant scale. If required, the reporting has to be done within 3 days of assessing whether the breach needs to be reported.
It is typically not possible to obtain compensation for a personal data breach in Singapore. This is because the PDPA does not create a cause of action that can form the basis for a civil suit for damages in such situations.
What are the Penalties for PDPA Breaches?
Although you may not be able to obtain compensation for a data breach, there are potential consequences for companies that fail to discharge their obligations under the PDPA. Such organisations could face a financial penalty of up to S$1 million.
Various high-profile companies including Singtel, SPH Magazines and Royal Caribbean Cruises have already been levied with financial penalties by PDPC for violating the PDPA. The usual range of financial penalties so far have been from high 4-figure sums to modest 5-figure sums.
So far, one of the largest financial penalties meted out by PDPC has been $60,000 on IT vendor Learnaholic. Many of these financial penalties have been meted out for cybersecurity breaches that have led to the unauthorised access and exposure of individuals’ personal data.
If you encounter an issue involving misuse of your personal data in Singapore and you wish to take action against the organisation responsible for it, it is advisable to consult a data protection lawyer.
A good data protection lawyer will usually be able to give you a quick assessment of whether or not you have any recourse and can assist you in preparing a more professional complaint to the PDPC.
The lawyer can also assist in drafting a letter to the offending organisation to complain about the breach, demand a copy of all of your personal data that they have, and/or demand that they destroy any of your personal data that they have.
- Appointing Company Directors in Singapore: Eligibility, Process etc.
- Managing Director vs CEO in Singapore: Roles and Obligations
- Guide to Directors' Remuneration in Singapore
- Directors' Duties in Singapore
- Shadow Directors: Who are They and What Duties Do They Owe to the Company?
- How to Remove a Director from a Company in Singapore
- Removal and Resignation of Company Auditor in Singapore
- Appointing a Company Secretary: Roles and Responsibilities
- Appointing an Authorised Representative for Foreign Companies in Singapore
- Process Agents in Singapore
- 2 Ways to Remove a Singapore Company Shareholder ASAP
- Guide to Paid-Up Capital in Singapore (Is $1 Enough?)
- Preparing a Register of Shareholders for a Singapore Company
- How to Issue Shares in a Singapore Private Company
- Guide to Transferring Shares in a Singapore Private Company
- Your Guide to Share Certificates in Singapore: Usage and How to Prepare
- Shareholder Rights in Singapore Private Companies
- Shareholder Roles and Obligations in Singapore Companies
- Dividend Payments Guide for Singapore Business Owners
- Share Transmission: What Happens If a Shareholder Dies in Singapore?
- How to Reduce the Share Capital of Your Singapore Company
- Buy-Sell Agreements: How to Write & Fund Them in Singapore
- Oppression of Minority Shareholders
- Essential Regulatory Compliance Guide for Singapore Companies
- Dormant Companies and Their Filing Obligations in Singapore
- Anti-Money Laundering Regulations and Your Business: What You Need to Know
- Price-Fixing, Bid-Rigging and Other Anti-Competitive Practices to Avoid
- Legally Conducting Lucky Draws for Singapore Businesses
- Restaurant Inspection and Food Safety Rules in Singapore
- Does Your Company Need a Legal Team (In-House Counsel)?
- How to Change the Name of Your Singapore Company
- Can Directors be Liable for Company Debts in Singapore?
- Company Loans to Directors/Shareholders in Singapore
- 3 Types of Insurance Every Singapore Business Needs
- Creating and Registering Charges in Singapore: Guide for Companies
- Guide to Effective Business Continuity Planning in Singapore
- Business Asset Sale & Disposal in Singapore: How Do They Work?
- Business Partnership Disputes in Singapore: How to Resolve
- How to Commence a Derivative Action on Behalf of a Company in Singapore
- Business Will: How to Pass on Your Business to Your Successors in Singapore
- Record-Keeping Requirements for Singapore Companies
- Company Constitutions in Singapore and How to Draft One
- Company Memorandum and Articles of Association
- Company Resolutions: What are They?
- Board Resolutions in Singapore
- Minutes of Company Meeting in Singapore: How to Record
- How to Set Up a Register of Controllers
- How to Set Up a Register of Nominee Directors
- Guide to Filing Financial Statements for Singapore Business Owners
- Filing Annual Returns For Your Business
- Singapore Corporate Tax: How to Pay, Tax Rate, Exemptions
- Start-Up Tax Exemption Guide for New Singapore Companies
- GST Registration: Requirements and Procedure in Singapore
- What is Withholding Tax and When to Pay It in Singapore
- Singapore Influencers: Here's How to Calculate Your Income Tax
- Tax Investigation of Tax-Evading Business Owners in Singapore
- Small Business Accounting Services in Singapore
- Company Audits in Singapore: Requirements and Exemptions
- Suspect a PDPA Data Breach? Here's What to Do Next
- Must You Notify PDPC About a Data Breach in Your Business?
- Summary: Your Organisation's 10 Main PDPA Obligations
- Essential PDPA Compliance Guide for Singapore Businesses
- PDPA Consent Requirements: How Can Your Business Comply?
- Is It Legal for Businesses to Ask for Your NRIC in Singapore?
- Here's a 7-Step Plan for Companies to Prevent Unauthorised Disclosure When Processing and Sending Personal Data
- Cloud Storage of Personal Data: Your Business’ Data Protection Obligations
- GDPR Compliance in Singapore: Is it Required and How to Comply
- Appointing a Data Protection Officer For Your Business: All You Need to Know
- How Can Companies Dispose of Documents Containing Personal Data?
- Check the Do-Not-Call Registry Before Marketing to Singapore Phone Numbers
- How to Legally Install CCTVs for Home/Business Use in Singapore
- Is Web Scraping or Crawling Legal in Singapore?
- Legal Options If Employees Breach Confidentiality in Singapore
- Dealing with Defamation of Your Business: Can You Sue?
- Sending Email Newsletters That Comply With Singapore Law
- A legal guide to drafting a social media policy for your company
- Your Guide to a Media Release Form in Singapore
- Your Guide to an Influencer Marketing Agreement in Singapore
- Outdoor Advertising: How to Legally Display Public Ads in Singapore
- Voluntary Suspension of Business in Singapore: How to Handle
- Winding Up a Singapore Company: Grounds and Procedure
- Closing Your Singapore Business: What You Need to Settle
- Striking Off a Company
- Can a Company that Struck Itself Off the Register Later Apply to Restore Itself?
- Dissolution of partnerships in Singapore
- What Should a Creditor Do When a Company Becomes Insolvent?
- How to File a Proof of Debt Against a Company in Liquidation
- Insolvency: Claw-Back of Assets From Unfair Preference and Undervalued Transactions
- Validation of Payments Made by Companies Being Wound Up