The Notification on the Criteria and Procedures for Handling Personal Data Breaches (the "Notification") was issued by the Personal Data Protection Committee (“PDPC”) of Thailand and enacted on December 15, 2022. The notification included a breach assessment guideline and breach notification version 1.0 for data controllers and data processors to assess the level of risk in data breaches.
Definition of “Data Breach”
A "breach of personal data" refers to a breach that results in the illegal or unauthorised loss, access, use, alteration, or disclosure of personal data as a consequence of an intentional, deliberate, negligent, accidental, unauthorised, or unlawful act, or an act connected to computer crimes, cyber threats, errors, accidents, or any other act.
The Categories and Risk Assessment Criteria
The Notification classifies personal data breaches into three categories: confidentiality breach, integrity breach, and availability breach.
The data breach is divided into two levels: one which puts an individual's rights and liberties at risk and one which does not.
It also provides the following criteria for assessment of risk:
- character and type of the data breach;
- character, type, and quantity of personal data involved in the breach;
- character, type, and capacity of the affected data subject;
- severity of the impact of data breach on affected data subjects;
- the efficacy of the measures taken to prevent the data breach;
- impact of the data breach on corporate operations or on the general public;
- the personal data storage systems involved in the breach and the relevant security measures, including organisational, technical, and physical measures; and
- legal status of the data controller (i.e. individual or a corporate entity) and the scale and type of the data controller’s business.
The Procedure
When there is a data breach, there is an obligation to inform the PDPC and the person whose information was affected (“data subject”) using the following steps:
- When a data controller receives notification of a breach from any person, whether orally, in writing, or by electronic means, or the data controller itself knows about the breach, the data controller must first assess the risk of the data breach using the criteria in the Notification.
- If the data breach poses a risk to a person’s rights and liberty, the data controller must notify the PDPC within 72 hours without delay, and notify the data subject of the breach with remedial directions for the data subject. The data controller must notify the PDPC in writing or via electronic method.
- Then, the data controller may execute any measures to suspend, respond, resolve, or recover personal data from the incident including preventing and minimising the effect of the incident in the future as well as revise all measures that are currently used.
Breach Assessment Guideline (version 1.0)
Following the Notification, the PDPC released the Guidelines on Data Breach Assessments and Personal Data Breach Notifications (Version 1.0) on December 16, 2022 (“the Guideline”'). The Guideline provides guidance and examples to help data controllers assess the risks associated with a personal data breach and determine whether they should notify the PDPC or the data subject.
Conclusion
According to the Notification, data controllers and data processors must take all necessary precautions to ensure that personal data is treated with the highest care and security. The Notification defines the duties and obligations of the controllers and data processors in the processing of personal data. It also specifies the steps to be followed in the event of a data breach, such as risk assessment, notification of the PDPC and impacted persons, and other actions necessary to ensure compliance with the Notification.