Breach Response Readiness, Data Retention Policy, and Security Arrangements
Prepared by: Data Protection Officer (DPO)
Jurisdiction: Singapore
Primary Reference: Personal Data Protection Act 2012 (PDPA)
1. Purpose
This document establishes the organisation’s:
- Breach response readiness framework;
- Data retention and disposal policy; and
- Security arrangements for the protection of personal data.
The objective is to ensure compliance with the Singapore Personal Data Protection Act (PDPA), including obligations relating to:
- Protection of personal data;
- Retention limitation;
- Accountability;
- Breach assessment;
- Breach notification; and
- Organisational governance.
This framework applies to:
- Employees;
- Contractors;
- Vendors;
- Service providers;
- Consultants;
- Platform administrators; and
- Any individual handling personal data on behalf of the organisation.
2. Scope
This policy applies to all personal data processed, stored, transmitted, or accessed by the organisation, including:
- Customer data;
- Patient or client records;
- Employee records;
- Financial information;
- Communications data;
- Platform usage data;
- Identification documents;
- Health-related information;
- Operational records; and
- Any data capable of identifying an individual.
The policy applies regardless of format, including:
- Electronic systems;
- Cloud services;
- Physical documents;
- Email communications;
- Messaging platforms; and
- Portable storage devices
3. Roles and Responsibilities
3.1 Data Protection Officer (DPO)
The DPO shall:
- Oversee PDPA compliance;
- Maintain breach response procedures;
- Coordinate breach investigations;
- Assess notification obligations;
- Maintain records of incidents;
- Review retention schedules;
- Conduct staff training;
- Coordinate with regulators;
- Review vendor compliance; and
- Ensure ongoing policy effectiveness
3.2 Management
Management shall:
- Support implementation of this framework;
- Allocate sufficient resources;
- Ensure operational compliance;
- Escalate incidents promptly; and
- Support remediation efforts.
3.3 Employees and Personnel
All personnel shall:
- Protect personal data;
- Follow approved security procedures;
- Report suspected breaches immediately;
- Complete mandatory training; and
- Only access data necessary for authorised duties.
3.4 Vendors and Service Providers
Third parties handling personal data must:
- Implement reasonable security arrangements;
- Comply with contractual data protection obligations;
- Notify the organisation promptly of incidents;
- Restrict access to authorised personnel; and
- Cooperate during investigations or audits.
4. Breach Response Readiness Framework
4.1 Definition of a Data Breach
A data breach refers to any unauthorised:
- Access;
- Collection;
- Use;
- Disclosure;
- Copying;
- Modification;
- Disposal; or
- Loss of personal data.
This includes incidents resulting from:
- Cybersecurity attacks;
- Human error;
- Misdirected communications;
- Lost devices;
- Accidental disclosures;
- System vulnerabilities;
- Improper disposal;
- Vendor incidents; or
- Insider misuse.
Refer to this guide to help Data Protection Officers (DPOs) assess, manage and report data breaches under the Personal Data Protection Act (PDPA)
CONTAIN, ASSESS, REPORT, EVALUATE (C.A.R.E)
Each data breach response needs to be tailored to the circumstances of the incident. Generally, the actions taken in the event of a data breach should follow four key steps (using the acronym of C.A.R.E):
Contain the data breach to prevent further compromise of data and implement mitigating action(s) to minimise potential harms from the breach.
Assess the data breach by gathering the facts and assessing the effectiveness of containment action(s) taken thus far before proceeding to implement full remedial actions. Where necessary, continuing efforts should be made to prevent further harm from the data breach.
Report the data breach to:
• The PDPC (mandatory if the breach is a notifiable data breach under the PDPA. Organisations may inform PDPC of the breach voluntarily); and/or
• The affected individuals (if required under the DBN Obligation).
Evaluate response to the data breach and consider the actions which can be taken to prevent future data breaches.
5. Breach Response Team
The organisation shall maintain a breach response team consisting of:
- Data Protection Officer;
- Information Security personnel;
- Senior Management;
- Legal or Compliance representatives;
- Operations personnel; and
- Communications representatives where necessary.
Contact details for all breach response personnel shall be maintained and reviewed quarterly.
6. Incident Reporting Requirements
6.1 Immediate Reporting
All personnel must report suspected or confirmed breaches immediately upon discovery.
Reports may be made through:
- Incident reporting channels;
- Designated email addresses;
- Hotline procedures; or
- Direct escalation to the DPO.
Personnel must not attempt to conceal or independently resolve breaches without escalation.
6.2 Initial Incident Information
Incident reports should include where available:
- Date and time discovered;
- Description of incident;
- Systems affected;
- Categories of personal data involved;
- Number of affected individuals;
- Potential risks or impacts;
- Whether containment has occurred; and
- Relevant screenshots or evidence.
7. Breach Response Process
7.1 Step 1 – Identification and Containment
Upon discovery of an incident, the organisation shall:
- Isolate affected systems;
- Revoke compromised credentials;
- Suspend affected accounts where necessary;
- Prevent further unauthorised access;
- Preserve logs and evidence;
- Secure backups; and
- Coordinate with IT or vendors for containment.
Containment actions should occur as soon as reasonably practicable.
7.2 Step 2 – Preliminary Assessment
The DPO and relevant personnel shall conduct an initial assessment to determine:
- Whether personal data is involved;
- The categories of affected individuals;
- Sensitivity of the data;
- Whether the breach is ongoing;
- Likelihood of harm;
- Number of individuals affected; and
- Whether notification obligations may arise.
7.3 Step 3 – Investigation
The organisation shall investigate:
- Root cause;
- Duration of exposure;
- Extent of access or disclosure;
- Security gaps;
- Whether data was exfiltrated;
- Potential impact on individuals; and
- Corrective actions required.
Investigation records shall be documented and retained.
8. Breach Assessment Obligations
8.1 Assessment Timeline
The organisation shall conduct a reasonable and expeditious assessment of whether a breach is notifiable.
Assessment must be completed no later than 30 calendar days after the organisation becomes aware of the potential breach.
Internal escalation procedures should target substantially shorter operational timelines where possible.
8.2 Notifiable Breaches
A breach may be notifiable if it:
- Results in, or is likely to result in, significant harm to affected individuals; or
- Involves personal data of 500 or more individuals.
The organisation shall assess factors including:
- Type and sensitivity of data;
- Whether health or financial information is involved;
- Risk of identity theft or fraud;
- Vulnerability of affected individuals;
- Whether data was encrypted or protected;
- Whether malicious actors accessed the data; and
- Likelihood of misuse.
9. Notification Obligations
9.1 Notification to the Personal Data Protection Commission (PDPC)
Where a breach is assessed to be notifiable, the organisation shall notify the Personal Data Protection Commission (PDPC) as soon as practicable, and in any event no later than 3 calendar days after making the determination that the breach is notifiable.
The notification should include:
- Description of the breach;
- Date and circumstances;
- Categories of personal data affected;
- Number of affected individuals;
- Containment actions taken;
- Potential impacts;
- Remediation steps; and
- Contact details of the DPO.
9.2 Notification to Affected Individuals
Where required under the PDPA, affected individuals shall be notified as soon as practicable.
Notifications should include:
- Nature of the breach;
- Personal data involved;
- Potential consequences;
- Recommended protective actions;
- Actions taken by the organisation; and
- Contact information for assistance.
9.3 Exceptions
Notification to affected individuals may not be required where:
- Remedial actions render the risk unlikely to result in significant harm;
- Exceptions under applicable law apply; or
- Notification is otherwise exempted by the PDPC.
Legal or regulatory advice may be sought before relying on any exception.
10. Documentation and Incident Register
The organisation shall maintain a breach register documenting:
- Date of incident;
- Nature of breach;
- Systems affected;
- Assessment findings;
- Notification decisions;
- Remediation actions;
- Communications issued; and
- Lessons learned.
Records shall be retained for audit, regulatory, and governance purposes.
11. Post-Incident Review
Following a breach, the organisation shall:
- Conduct a post-incident review;
- Identify control weaknesses;
- Update procedures;
- Improve technical safeguards;
- Provide additional training where required; and
- Monitor remediation implementation.
Material incidents should be reported to senior management.
12. Data Retention Policy
12.1 Retention Principles
The organisation shall not retain personal data longer than necessary for:- Business purposes;
- Legal obligations;
- Regulatory requirements;
- Contractual obligations; or
- Dispute resolution.
12.2 Retention Schedule
The organisation shall maintain documented retention schedules for categories of personal data. Examples include:| Data Category | Example Retention Period |
| Customer records | 6–7 years after last interaction |
| Financial records | Minimum statutory retention period |
| Employment records | Duration of employment + applicable limitation period |
| Incident logs | Minimum 2–7 years depending on severity |
| Marketing consent records | Until withdrawal + audit period |
| Health-related records | In accordance with applicable healthcare or professional obligations |
- Legal obligations;
- Regulatory guidance;
- Insurance requirements;
- Litigation holds; or
- Operational needs.
12.3 Secure Disposal
When retention is no longer necessary, personal data shall be:- Securely deleted;
- Anonymised;
- Destroyed; or
- Rendered inaccessible.
- Secure wiping;
- Cryptographic erasure;
- Physical shredding;
- Secure destruction services; or
- Certified disposal procedures.
12.4 Suspension of Disposal
The organisation may suspend disposal where:- Litigation is anticipated;
- Regulatory investigations are ongoing;
- Insurance requirements apply; or
- Preservation obligations arise.
13. Security Arrangements
13.1 General Security Obligation
The organisation shall implement reasonable security arrangements to protect personal data from:
- Unauthorised access;
- Collection;
- Use;
- Disclosure;
- Copying;
- Modification;
- Disposal; and
- Similar risks.
Security controls shall be proportionate to:
- Sensitivity of data;
- Volume of data;
- Operational risk;
- Nature of services; and
- Technical environment.
14. Administrative Controls
The organisation shall implement administrative safeguards including:
- Written policies and procedures;
- Role-based access management;
- Staff confidentiality obligations;
- Mandatory training;
- Acceptable use policies;
- Vendor due diligence;
- Incident response procedures;
- Access reviews; and
- Periodic audits.
14.1 Training
Personnel handling personal data shall receive:
- Data protection awareness training;
- Security awareness training;
- Phishing and social engineering training;
- Incident reporting guidance; and
- Refresher training at least annually.
15. Technical Controls
Technical safeguards should include where appropriate:
- Multi-factor authentication;
- Encryption in transit and at rest;
- Strong password policies;
- Network segmentation;
- Endpoint protection;
- Secure backups;
- Logging and monitoring;
- Vulnerability management;
- Access controls;
- Session timeout controls;
- Audit trails; and
- Secure software development practices.
15.1 Access Management
Access to personal data shall:
- Be limited to authorised personnel;
- Follow least privilege principles;
- Be reviewed periodically; and
- Be revoked promptly upon termination or role changes.
15.2 Cloud and Third-Party Systems
Where cloud providers or vendors are used, the organisation shall:
- Conduct reasonable due diligence;
- Review contractual protections;
- Assess security capabilities;
- Require confidentiality obligations;
- Evaluate incident response procedures; and
- Ensure appropriate data protection commitments.
16. Physical Security Controls
Physical safeguards may include:
- Restricted office access;
- Visitor management;
- Locked storage;
- Secure disposal bins;
- CCTV where appropriate;
- Device security requirements; and
- Clean desk practices.
Portable devices containing personal data should:
- Be encrypted;
- Be password protected; and
- Not be left unattended in unsecured environments.
17. Monitoring and Review
This framework shall be reviewed:
- At least annually;
- Following material incidents;
- Following regulatory changes; or
- Following significant operational or technological changes.
Internal audits or assessments may be conducted periodically to verify compliance.
18. Vendor and Processor Management
Contracts with vendors handling personal data should include provisions relating to:
- Confidentiality;
- Security safeguards;
- Breach notification obligations;
- Subprocessor restrictions;
- Data return or deletion;
- Audit rights; and
- Compliance with applicable laws.
Vendors should notify the organisation promptly upon discovery of incidents affecting organisational data.
19. Cross-Border Transfers
Where personal data is transferred outside Singapore, the organisation shall implement appropriate safeguards to ensure comparable standards of protection, including:
- Contractual protections;
- Transfer assessments;
- Vendor due diligence; and
- Appropriate technical and organisational controls.
20. Enforcement and Non-Compliance
Failure to comply with this framework may result in:
- Disciplinary action;
- Revocation of access privileges;
- Contractual remedies; or
- Other appropriate corrective measures.
Serious breaches may be escalated to senior management or regulators where required.
21. Contact Information
Questions relating to this framework or personal data handling practices should be directed to the organisation’s Data Protection Officer.
The organisation shall maintain updated DPO contact details internally and externally where required.
22. Operational Breach Response Timeline Summary
| Timeline | Requirement |
| Immediately upon discovery | Internal escalation and containment |
| As soon as practicable | Preliminary assessment begins |
| Within 30 calendar days of awareness | Complete assessment of whether breach is notifiable |
| Within 3 calendar days after determining breach is notifiable | Notify PDPC |
| As soon as practicable after determination | Notify affected individuals where required |
23. Recommended Supporting Documents
The organisation should maintain the following supporting documents:
- Incident response playbook;
- Data inventory and data flow maps;
- Access control matrix;
- Vendor register;
- Retention schedule register;
- Security standards;
- Bring-your-own-device (BYOD) policy;
- Acceptable use policy;
- Business continuity plan; and
- Disaster recovery procedures.
24. Approval and Version Control
| Version | Date | Description |
| 1.0 | 19 May 2026 | Initial issue |
Approved by: ____________________
Date: ____________________