Draft Notification regarding Criteria and Method for Reporting the Personal Data Breach Published for Public Hearing

Because Personal Data breaches occur frequently under the Personal Data Protection Act B.E. 2562 (2019) (the “PDPA”), criteria and a method for reporting a Personal Data breach are much needed to guide the Data Controller on what to do when such a breach occurs. In response to this need, the Personal Data Protection Committee (the “PDPC”) opened a public hearing on the “Draft Notification of the PDPC regarding Criteria and Method for Reporting the Personal Data Breach” (the “Draft Notification”) from 2 to 20 November 2022. To aid understanding of the Draft Notification, we have summarised certain crucial points below.

The Draft Notification contains provisions that elaborate on Section 37(4) of the PDPA, which requires the Data Controller to report a Personal Data breach to the Office of the PDPC (the “Office”) without delay and within 72 hours of becoming aware of the breach. By clearly defining the Personal Data breach, the Draft Notification also gives a concrete scope of what is considered a Personal Data breach. According to the Draft Notification, a Personal Data breach means: “leakage or breach of security measures of Personal Data which may be caused by intentional acts, willful or negligent acts or accidental or unlawful acts which lead to damage, loss, alteration to accurate Personal Data; or unauthorised or unlawful disclosure or access to Personal Data, dissemination of Personal Data and retention of Personal Data; including any other acts without the consent of the data subject, or any acts that are not fallen under the exemptions under the PDPA or that is not allowed under specific laws to collect, use or disclose Personal Data”.

Moreover, the Draft Notification explains that a Personal Data breach may be caused by the actions of the Data Controller, the Data Processor, their agents, related parties or other factors resulting from intentional acts, willful or negligent acts, unauthorised or unlawful acts, accidental acts, or errors in the processing of computer systems or information technology media, including computer crimes, cyber threats or any other causes that affect the completeness and accuracy of the Personal Data, as well as the rights of the data subject. Personal Data breaches are divided into three categories: 1) Confidentiality Breach, i.e., leakage of confidential Personal Data; 2) Integrity Breach, i.e., wrongful alteration of the accuracy and completeness of Personal Data; and 3) Availability Breach, i.e., rendering Personal Data unavailable for use.

When a Personal Data breach occurs, the Data Controller is required to examine the security standard of the Personal Data in terms of Organisational Measures, Technical Measures and Physical Measures. The Data Controller is also required to assess the potential risks to the data subject, i.e., whether there may be a high risk to the rights and freedoms of the data subject. If there is a high risk, then in addition to reporting the Personal Data breach to the Office, the Data Controller is required to notify the data subject of the breach, together with preliminary remedial measures, without delay. If the Data Controller is unable to contact the data subject, it may notify the data subject through public media, social media, electronic media or any other method which the public can easily access.

The Draft Notification also specifies the details that must be included in the report submitted to the Office when a Personal Data breach occurs: 1) the nature and category of the Personal Data breach, such as the amount and quantity of the leaked or breached Personal Data; 2) the names and addresses of the Data Protection Officers; 3) the potential consequences of the Personal Data breach; and 4) the security measures which the Data Controller or Data Processor adopts to prevent Personal Data breaches, as well as the remedy for the damage in terms of personnel, operations and technology. If the Data Controller cannot report the Personal Data breach within 72 hours of becoming aware of it, the Data Controller must explain the reasons and provide details demonstrating the unavoidable necessity for the delay; this explanation must be submitted to the Office no later than 15 days from the date of becoming aware of the Personal Data breach.

According to the Draft Notification, the Data Controller may claim an exemption from reporting the Personal Data breach to the Office (and to the data subject) if it can prove that the breach does not pose a risk to the rights and freedoms of the data subject, because the Personal Data in question is not personally identifiable, because the Personal Data is not in a normally usable condition owing to adequate technological measures, or for another legally reliable reason. Nevertheless, the Data Controller is obligated to explain and deliver detailed information on its justification for the exemption for the PDPC’s consideration, comprising details of the Personal Data security prevention measures, security measures, technological measures or any other evidence.

The Draft Notification also includes an attachment that gives examples of different scenarios showing how to assess the level of risk of a Personal Data breach. For instance, where the Data Controller stores backup Personal Data on a USB drive, the Personal Data is encrypted and stored using trustworthy technology, and the USB drive is stolen, the scenario is considered low risk because the Personal Data is protected by an encryption measure and cannot be opened for use; therefore, no report to the Office or the data subject is required. By contrast, where the Data Controller provides an online Personal Data storage service and a cyber threat results in leakage of Personal Data from the Data Controller’s computer system, the scenario is considered high risk, since the Personal Data is in a normally usable and personally identifiable condition and the cyber threat may cause significant damage to the data subject; therefore, a report to both the Office and the data subject is required.

Currently, there is no official English translation of the Draft Notification provided by the authority. However, as the Draft Notification may help Data Controllers gain a clearer understanding of the Personal Data breach, our lawyer has translated the Draft Notification from Thai into English. We can provide you with the English translation of the Draft Notification for your reference upon request.

As this is merely the Draft Notification and not the final version, the text may change before it is actually enforced, and the Draft Notification should therefore be read with care. It is anticipated that the PDPC will enforce the Draft Notification, subject to any such changes, in due course.

This is intended merely to provide a regulatory overview and not to be comprehensive, nor to provide legal advice. Should you have any questions on this or on other areas of law, please do not hesitate to contact:

Chanakarn Boonyasith
Partner

Pimsiri Harnpanicharoen
Attorney-at-Law