Singapore legislation
Section 26C
Section 26C
Duty to conduct assessment of data breach
(1)
This section applies to a data breach that occurs on or after 1 February 2021.
(2)
Subject to subsection (3), where an organisation has reason to believe that a data breach affecting personal data in its possession or under its control has occurred, the organisation must conduct, in a reasonable and expeditious manner, an assessment of whether the data breach is a notifiable data breach.
(3)
Where a data intermediary (other than a data intermediary mentioned in section 26E) has reason to believe that a data breach has occurred in relation to personal data that the data intermediary is processing on behalf of and for the purposes of another organisation —
the data intermediary must, without undue delay, notify that other organisation of the occurrence of the data breach; and
that other organisation must, upon notification by the data intermediary, conduct an assessment of whether the data breach is a notifiable data breach.
(4)
The organisation must carry out the assessment mentioned in subsection (2) or (3)(b) in accordance with any prescribed requirements.