Mandatory Breach Notification

At present no legal requirement save in relation to a "Financial Institution" (i.e. banks, insurance companies, moneylenders, pawnbrokers, moneychangers and securities service providers licensed in Brunei Darussalam).

It is anticipated that under the PDPO, organizations are required to, as soon as practicable, but in any case no later than 3 calendar days after the assessment, notify the Responsible Authority of a data breach that:

• results in, or is likely to result in, significant harm to the individuals to whom any personal data affected by a data breach relates; or
• is or is likely to be, of a significant scale.

AITI have expressed their intentions to issue guidelines on “significant harm” and “significant scale” in the near future.

Organizations are also anticipated to be required to notify the affected individuals on or after notifying the Responsible Authority if the data breach results in, or is likely to result in, significant harm to an affected individual.

Further, it is anticipated that unreasonable delays in reporting breaches that cannot be justified will be considered a breach of the data breach notification obligation.

Where a data breach is discovered by a data intermediary, it is anticipated that under the PDPO, the data intermediary will be under a duty to notify the organization or the Responsible Authority of the data breach.

A Financial Institution is obliged to report to the Brunei Darussalam Central Bank, no later than 2 hours after confirmation of all instances of cyber intrusion, disruption, malfunction, error or cybersecurity issues on a Financial Institution's system, server, network or end-point which has a severe or widespread impact on the operations and service delivery or has a material impact on the Financial Institution.