NUS DATA MANAGEMENT

DATA INCIDENT REPORT

REPORTING LOSS OR LEAKAGE OF UNIVERSITY DATA INVOLVING PERSONAL DATA
AND BUSINESS CONTACT INFORMATION

Important Notes:

  1. Please use this Form to report data breaches involving personal data ("PD"), including Business Contact Information ("BCI", i.e., details of individuals required for business purposes), to the Personal Data Protection team ("PDP Team") in the Office of Risk Management and Compliance.
    Refer to the NUS Data Management Policy (DMP) for more details.
  2. To be completed by Data Users and submitted to the DPO at dpo@nus.edu.sg.
  3. Please do not reference any data subjects by name in this report.
  4. Circulation of this report must be restricted to those involved in investigating/evaluating the incident.
  5. Timelines:
    • Containment of the data breach: As soon as possible and in any event no later than one (1) calendar day after the Data Steward/HOD first becomes aware of the data breach.
    • Completion of this Data Breach Report and submission to the DPO at dpo@nus.edu.sg: Within one (1) calendar day after the Data Steward/HOD first becomes aware of the data breach.
    • All additional information/updates related to the data breach must be reported to the DPO using this Form within one (1) working day after the Data Steward/HOD first becomes aware of the said additional information.

Section A: Case Information

1a. Does this data breach involve PD? *
If no, there is no need to report to the NUS PDP Team. You would, however, need to report data breaches that do not involve PD to NUS IT using the online IT security Form at https://forms.office.com/pages/responsepage.aspx?id=Xu-lWwkxd06Fvc_rDTR-gtCIKGO2DKhNkGJ8fF10JrtUNjRORkNSRlMwTzQzQzNDMTNYUDJaTFZIWCQlQCN0PWcu&route=shorturl
1b. Does the personal data relate to human subjects research? *
If "Yes": Please ensure that NUS IRB (irb@nus.edu.sg) reporting requirements are followed.
2. Date of occurrence of data breach incident: *
3. When did the Reporting Personnel first become aware of the data breach: *
4. When did the Data Steward/HOD/RO first become aware of the data breach: *

Section B: Data Breach Report involving Personal Data

1. Please describe in detail the nature and details of the data breach: *
Category | Details | Response
Nature and Details of the Data Breach | Describe what happened and the extent of the breach. |
Personal Data (PD) Leaked | List the types of PD and BCI that were exposed. |
Purpose/Intent of the PD | Explain why this data was collected and its intended use. |
Discovery of the Data Breach | Identify who first discovered the breach and how they found it. |
Details of the Breach | Provide information on why and how the breach occurred. |
Personnel Involved | Mention any individuals or teams involved in the incident. |
Other Relevant Information | Include any additional details that are important to note. |
2. Please indicate which of the following caused/contributed to the data breach: *
3. Please provide the following details about the impacted data: *
Data Category | Specific Data items | How many records were impacted? | Action
Note: Breach of records >= 500 must be reported to PDPC within 3 calendar days once the reporting office/DPO is aware of the breach.
4. Please list the IT systems, networks, servers, databases, platforms, mobile applications, etc. that were involved in this data breach, if any: *
5. Is this data breach a new incident, or has it happened before in your department or with the same staff/system/vendor? *
6. Where is/are the affected database(s)/server(s) holding the personal data involved in this incident located? *
7. Number of Individuals Affected: *
8. In your assessment, would this data breach have a significant negative impact on NUS and/or the Data Subjects? *
Risk Factor | Question | Response
Reportable to PDPC | Are 500 or more records impacted? |
 | Is there potential harm to data subjects (e.g., credit card details leaked)? |
Complaints | Is there a possibility of data subjects lodging a complaint to PDPC? |
Operational Disruption | Will the breach disrupt operations for one work day or more? |
Reputation Damage | Could this breach damage the university's reputation if made public? |
Public Accessibility Duration | Was the compromised data publicly accessible for more than 24 hours? |
Third party involvement | Were there any other organisations affected? |
Affected individuals | Are there any Singapore-based individuals affected? |

Section C: Remediation & Corrective Actions

1. What actions have you taken immediately to contain harm or mitigate the impact of the data breach to the individuals whose PD was leaked (Data Subjects) as well as NUS? *
Action | Description | Response
Isolated Affected Systems | Disconnected compromised systems from the network to prevent further damage. |
Changed Access Credentials | Reset passwords and access keys for affected accounts. |
Notified Affected Individuals | Informed individuals whose data was compromised and the steps being taken. |
Removed Public Data | Removed leaked data from public websites. |
Engaged Forensic Experts | Hired experts to investigate the breach and preserve evidence. |
Secured Physical Areas | Locked and secured physical areas related to the breach. |
Updated Software and Systems | Applied patches and updates to software and systems to fix vulnerabilities. |
Conducted Staff Training | Provided training to staff on data protection and breach response. |
Reviewed and Updated Internal Process | Reviewed and updated internal data protection process. |
Monitored for Further Breaches | Continuously monitored systems for signs of further breaches. |
Verified Data Integrity | Ensured the integrity and accuracy of data by cross-checking with the data subject affected. |
Provided Support to Affected Individuals | Offered assistance to individuals impacted by the breach (e.g., credit monitoring). |
2. What follow-up corrective and prevention actions would the Department be taking to prevent future occurrence of such data breach incidents: *
Corrective Actions [Definition: Steps to address and fix the immediate effects of a data breach, containing the breach and mitigating its impact]
Action | Action Owner | Target Completion Date | Status | Action
Preventive Actions [Definition: Measures to prevent future data breaches, focusing on strengthening security, improving processes, and educating staff to reduce risks.]
Action | Action Owner | Target Completion Date | Status | Action

Section D: Declaration by Reporting Personnel

Status of investigation by Department: *
Date of completion of investigation by Department:

Contact Information

Name *
Email *

Declarations: *

I confirm the information stated herein is complete, true and accurate at the time of submission of this Report.
My Head of Department/Data Steward has been informed of the data incident and has reviewed this incident report.
If there are any changes in circumstances or updates in relation to the data breach incident, I will inform the DPO with an update of this report as soon as I am aware of the same.
The Department affirms that all supporting evidence of the corrective and preventive actions taken will be submitted to dpo@nus.edu.sg for verification and record-keeping.

Please ensure all required fields are completed before submitting.
