25 Reporting of personal data breach
Every data fiduciary shall by notice inform the Authority about the breach of any personal data processed by the data fiduciary where such breach is likely to cause harm to any data principal.
The notice referred to in sub-section (1) shall include the following particulars, namely
(a) nature of personal data which is the subject-matter of the breach;
(b) number of data principals affected by the breach;
(c) possible consequences of the breach; and
(d) action being taken by the data fiduciary to remedy the breach.
The notice referred to in sub-section (1) shall be made by the data fiduciary to the Authority as soon as possible and within such period as may be specified by regulations, following the breach after accounting for any period that may be required to adopt any urgent measures to remedy the breach or mitigate any immediate harm.
Where it is not possible to provide all the information specified in sub-section (2) at the same time, the data fiduciary shall provide such information to the Authority in phases without undue delay.
Upon receipt of a notice, the Authority shall determine whether such breach should be reported by the data fiduciary to the data principal, taking into account the severity of the harm that may be caused to such data principal or whether some action is required on the part of the data principal to mitigate such harm.
The Authority may, in addition to requiring the data fiduciary to report the personal data breach to the data principal under sub-section (5), direct the data fiduciary to take appropriate remedial action as soon as possible and to conspicuously post the details of the personal data breach on its website.
The Authority may, in addition, also post the details of the personal data breach on its website.
- Section 25 is not applicable to "small entity" (Ref:Section 39(1))
The contents of the website is provided "as is", without warranty of any kind, express or Implied, including but not limited to the warranties of merchantability, Fitness for a particular purpose and noninfringement. In no event shall the Authors or copyright holders or sponsorers be liable for any claim, damages or other Liability, whether in an action of contract, tort or otherwise, arising from, Out of or in connection with the website or the use or other dealings in the website.