
Personal Data Protection (Notification of Data Breaches) Regulations 2021

Overview of the Personal Data Protection (Notification of Data Breaches) Regulations 2021, a piece of Singapore subsidiary legislation.

Statute Details

  • Title: Personal Data Protection (Notification of Data Breaches) Regulations 2021
  • Act Code: PDPA2012-S64-2021
  • Type: Subsidiary Legislation (SL)
  • Authorising Act: Personal Data Protection Act 2012 (PDPA 2012), specifically section 65
  • Commencement: 1 February 2021
  • Enacting/Approval: Made by the Personal Data Protection Commission (PDPC) with the approval of the Minister for Communications and Information
  • Key Provisions:
    • Section 1: Citation and commencement
    • Section 2: Definitions (including “bank” and “finance company”)
    • Section 3: When a data breach is “deemed” to result in significant harm to individuals (for section 26B(2) PDPA)
    • Section 4: Prescribed threshold for “significant scale” (500 affected individuals)
    • Section 5: Contents and form/manner of notification to the PDPC
    • Section 6: Contents of notification to affected individuals
    • The Schedule: Prescribed personal data and prescribed circumstances under section 26B(2) PDPA
  • Amendment History (high level): Amended by S 735/2021 (1 Oct 2021) and S 800/2024 (15 Oct 2024); current version shown as at 27 Mar 2026

What Is This Legislation About?

The Personal Data Protection (Notification of Data Breaches) Regulations 2021 (“Breach Notification Regulations”) operationalise the breach-notification regime in Singapore’s Personal Data Protection Act 2012 (“PDPA”). In plain terms, the Regulations specify when a data breach must be treated as a “notifiable data breach”, and they set out what organisations must tell the Personal Data Protection Commission (PDPC) and affected individuals.

The PDPA’s breach notification framework is designed to ensure that individuals can take timely steps to protect themselves against potential harm arising from unauthorised access, disclosure, or other compromise of their personal data. The Regulations therefore focus on two practical questions: (1) whether the breach is serious enough to trigger notification; and (2) what information must be included in the notifications so that regulators and individuals can understand the risk and the response.

Although the Regulations are subsidiary legislation, they are highly consequential for compliance. They define key concepts (such as “significant harm” and “significant scale”) and prescribe detailed notification content requirements. For practitioners, these requirements affect internal incident response workflows, legal sign-off processes, and the drafting of regulator-facing and consumer-facing communications.

What Are the Key Provisions?

1) Definitions and contextual scope (Section 2)
Section 2 provides definitions used in the Regulations, including references to the Banking Act and the Finance Companies Act. The practical effect is that when the Regulations refer to a “bank” or “finance company”, the meaning is anchored to those sectoral statutes. This matters for the “significant harm” test: under Section 3(2), an account number assigned by a bank or finance company counts as an “account identifier”, so the regulated status of the organisation affects which account-related data falls within the deemed categories.

2) “Significant harm” deemed to exist for certain data categories (Section 3 and the Schedule)
Section 3 is central. For the purposes of section 26B(2) of the PDPA, a data breach is “deemed” to result in significant harm to an individual if it relates to specified personal data categories. These deemed categories are a floor, not a ceiling: a breach outside them can still be notifiable if the organisation’s assessment is that it results in, or is likely to result in, significant harm under section 26B(1)(a). The Regulations identify two main pathways:

  • Full identity or identification number combined with sensitive personal data: A breach involving the individual’s full name or alias or identification number, together with personal data (or classes of personal data) set out in Part 1 of the Schedule (subject to Part 2 of the Schedule).
  • Account compromise data: A breach involving all of the following personal data relating to an individual’s account with an organisation:
    • the account identifier (e.g., account name or number); and
    • any password, security code, access code, response to a security question, biometric data, or other data used or required to allow access to or use of the account.

Section 3(2) further clarifies that, for paragraph 3(1)(b), “account identifier” includes a number assigned to any account the individual has with an organisation that is a bank or finance company. This is a targeted compliance point: where an account identifier is exposed together with the credential data that currently allows access to that account (including biometric data), the Regulations treat the breach as resulting in significant harm without any further assessment of likely harm, thereby triggering the notification obligations under the PDPA.

3) “Significant scale” threshold: 500 affected individuals (Section 4)
Section 4 prescribes the number of affected individuals for the purposes of section 26B(3)(a) of the PDPA. The threshold is 500 affected individuals, and section 26B(3) applies it as “not fewer than” that number, so a breach affecting exactly 500 individuals meets it. Practically, this means that even if the breach does not fall within the “significant harm” deemed categories, it is still notifiable if it is, or is likely to be, of significant scale under section 26B(1)(b) (subject to the PDPA’s overall notifiable criteria).

For incident response teams, this threshold is a key decision point. Organisations must be able to estimate the number of affected individuals with reasonable accuracy and document the basis for that estimate (for example, how duplicate records were de-duplicated to a count of distinct individuals), because the notification trigger can depend on whether the breach affects, or is likely to affect, 500 or more individuals.

4) Notification to the PDPC: mandatory content and timing consequences (Section 5)
Section 5 prescribes what an organisation must include when notifying the PDPC of a notifiable data breach under section 26D(1) of the PDPA. The notification must include, at minimum:

  • the date on which and circumstances in which the organisation first became aware of the breach;
  • a chronological account of steps taken after awareness, including the organisation’s assessment that the breach is notifiable under section 26C(2) or (3)(b) of the PDPA;
  • information on how the breach occurred;
  • the number of affected individuals;
  • the personal data or classes of personal data affected;
  • the potential harm to affected individuals;
  • actions taken (before or after notification) to eliminate or mitigate harm and to address or remedy failures/shortcomings believed to have caused or enabled the breach;
  • the organisation’s plan to inform affected individuals or the public (if any) and how individuals may mitigate harm;
  • business contact information of at least one authorised representative.

Section 5(2) adds an important compliance consequence: if the organisation notifies the PDPC after the period specified in section 26D(1) of the PDPA (as soon as practicable, and in any case no later than 3 calendar days after the day the organisation assesses that the breach is notifiable), the notification must additionally specify reasons for late notification and include supporting evidence. This effectively turns timing into a substantive compliance issue, not merely a procedural one, and makes the date of the assessment itself a fact the organisation must be able to evidence.

Section 5(3) addresses a scenario where the organisation does not intend to notify certain affected individuals mentioned in section 26B(1)(a) of the PDPA. In that case, the PDPC notification must specify the grounds for not notifying those individuals, whether under the PDPA or other written law. Practically, this requires careful legal analysis of any statutory exemptions or other lawful bases for non-notification.

Finally, Section 5(4) requires that the notification be made in the form and manner specified on the PDPC’s website. For practitioners, this means that compliance is not only about content; it also depends on using the prescribed submission channels and templates/processes.

5) Notification to affected individuals: required elements (Section 6)
Section 6 sets out what must be included when notifying affected individuals under section 26D(2) of the PDPA. The notification must contain:

  • the circumstances in which the organisation first became aware of the breach;
  • the personal data or classes of personal data relating to the individual affected by the breach;
  • the potential harm to the affected individual;
  • information on actions taken (before or after notification) to eliminate or mitigate harm and to address or remedy failures/shortcomings believed to have caused or enabled the breach;
  • steps the affected individual may take to eliminate or mitigate harm, including preventing misuse of the affected personal data;
  • business contact information of at least one authorised representative.

From a drafting perspective, Section 6 requires both risk communication (what happened and what harm may result) and action guidance (what the individual can do). The inclusion of “preventing misuse” signals that the notification should be practical and tailored to the data types involved (e.g., credentials, identification numbers, or other sensitive categories).

How Is This Legislation Structured?

The Regulations are structured as a short instrument with a clear compliance logic:

  • Sections 1–2: Citation/commencement and definitions.
  • Section 3: Deemed “significant harm” categories, linked to the Schedule and to account-related credential exposure.
  • Section 4: Prescribed “significant scale” threshold (500 affected individuals).
  • Sections 5–6: Detailed notification content requirements for (i) the PDPC and (ii) affected individuals.
  • The Schedule: Prescribed personal data and prescribed circumstances under section 26B(2) of the PDPA, which interacts with Section 3(1)(a).

Notably, the Regulations do not themselves create the breach-notification duty; rather, they specify how the PDPA’s notifiable-breach triggers and notification obligations are to be implemented in practice.

Who Does This Legislation Apply To?

The Regulations apply to “organisations” subject to the PDPA breach-notification provisions. In practice, this includes private sector entities and other PDPA-covered organisations that experience a data breach meeting the PDPA’s notifiable criteria. The Regulations also contain definitions that reference banks and finance companies, indicating that the regime is designed to operate across different sectors, including regulated financial institutions.

Applicability is triggered by the occurrence of a “notifiable data breach” under the PDPA. Therefore, the Regulations’ obligations are not universal for every incident; they become relevant when the breach is assessed to result, or be likely to result, in significant harm (including where the deemed categories in Section 3 and the Schedule apply), or when it meets the significant scale threshold in Section 4, and when the PDPA’s assessment and notification mechanics are satisfied.

Why Is This Legislation Important?

These Regulations are important because they convert broad statutory concepts into operational compliance requirements. For lawyers advising organisations, the Regulations provide the “checklist” content that must be included in regulator and individual notifications. This reduces ambiguity and increases the likelihood that notifications will be assessed against objective criteria.

From an enforcement and risk perspective, Section 5’s late-notification provision is particularly significant. If notification is late, the organisation must not only explain why, but also provide supporting evidence. This elevates the evidentiary record of incident response—timestamps, detection logs, internal assessments, and decision rationales—into a legal compliance asset.

Additionally, the Regulations require notifications to be both legally accurate and practically useful. Section 6’s requirement to include steps individuals may take to mitigate harm means that communications must be drafted with a clear understanding of the data types exposed and the likely misuse scenarios. Poorly tailored notifications can undermine the purpose of the regime and may increase regulatory scrutiny.

Finally, the prescribed “significant scale” threshold of 500 affected individuals is a concrete trigger that affects decision-making under time pressure. Organisations must be able to estimate affected individuals quickly and document the methodology, because crossing the threshold can transform an incident from a manageable internal matter into a statutory notification obligation.

  • Personal Data Protection Act 2012 (PDPA 2012): In particular sections 26B, 26C, 26D and the breach-notification framework
  • Banking Act (Cap. 19): Definition of “bank” used in the Regulations
  • Finance Companies Act (Cap. 108): Definition of “finance company” used in the Regulations
  • Legislation timeline / amendments: S 735/2021 and S 800/2024 (as reflected in the Regulations’ version history)

Source Documents

This article provides an overview of the Personal Data Protection (Notification of Data Breaches) Regulations 2021 for legal research and educational purposes. It does not constitute legal advice. Readers should consult the official text for authoritative provisions.

Written by Sushant Shukla
