Data Protection in Sri Lanka

Breach notification in Sri Lanka

A ‘personal data breach’ is broadly defined in the PDPA to mean “any act or omission that results in accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed”. The PDPA imposes a general obligation on a controller to notify the Authority in the event of a personal data breach.

The draft “Personal Data Protection (Personal Data Breach Notification) Rules” (“Breach Notification Rules”) recently published by the Data Protection Authority provide for such notification requirements. The said Breach Notification Rules are still in draft form and thus may be subject to change.

As per the said Breach Notification Rules, a controller must notify the Authority, in the form specified therein, where a personal data breach has occurred or is reasonably likely to have occurred, unless such personal data breach is unlikely to result in a risk, or is likely to result in only a low risk, to the rights and freedoms of the data subjects.

In this regard, the Breach Notification Rules stipulate that the controller must notify the Authority of such personal data breach, with the requisite information set out therein to the extent feasible, within seventy two (72) hours after:

  1. the controller (or the relevant processor or sub processor) becomes aware that a personal data breach has occurred; or
  2. the controller has determined, or shall have reasonably determined, based on the information available to it (or the relevant processor or sub processor) at the time that a personal data breach is reasonably likely to have occurred.  

Where it is not feasible to notify the Authority within seventy two (72) hours, such notification must be accompanied by reasons for the delay.

Additionally, the Breach Notification Rules require a controller to notify the data subjects, in the form specified therein, where the controller is of the opinion that the data subjects are affected or likely to be affected by a personal data breach that is likely to result in a high risk to the rights and freedoms of the data subjects.

A controller must make such notification of the breach to data subjects at the same time, i.e. within seventy two (72) hours, as it makes the notification to the Authority with respect to the same personal data breach.

Further, the Breach Notification Rules provide that the notification to data subjects may be made using one or more reasonably effective and available means, such as:

  1. emails;
  2. concise text messages (SMS);
  3. phone calls;
  4. social media and direct messaging applications or other applications with widespread usage;
  5. video messaging, webinars and informational sessions for large scale personal data breaches; and
  6. physical mail, where other means of notification are inefficient, or other contact information is outdated or compromised.

The Breach Notification Rules further provide that if the aforesaid methods of direct notification to data subjects involve disproportionate effort or expense, or are otherwise not feasible, a controller may make a public notification in one or more widely used media sources by which affected data subjects are likely to be informed, including, without limitation, newspapers, magazines, websites, social media, online advertising, radio, television, billboards and any other media, electronic or otherwise.

Additionally, as mentioned in Collection and processing, the Data Protection Management programme, which every controller is required to implement, must also include a robust mechanism to detect breaches of personal data.
