personal data for the data controller, establishes and complies with the security
measures specified under this Act.
(2) The processing of personal data for a data controller by a data
processor shall be governed by a written contract.
(3) A contract between a data controller and a data processor shall require
the data processor to establish and maintain the confidentiality and security
measures necessary to ensure the integrity of the personal data.
(4) Where a data processor is not domiciled in this country, the data
controller shall ensure that the data processor complies with the relevant laws
of this country.
Notification of security compromises
31. (1) Where there are reasonable grounds to believe that the
personal data of a data subject has been accessed or acquired by an
unauthorised person, the data controller or a third party who processes data
under the authority of the data controller shall notify the
(a) Commission, and
(b) the data subject
of the unauthorised access or acquisition.
(2) The notification shall be made as soon as reasonably practicable after
the discovery of the unauthorised access or acquisition of the data.
(3) The data controller shall take steps to ensure the restoration of
the integrity of the information system.
(4) The data controller shall delay notification to the data subject where
the security agencies or the Commission inform the data controller that
notification will impede a criminal investigation.
(5) The notification to a data subject shall be communicated by
(a) registered mail to the last known residential or postal address
of the data subject;
(b) electronic mail to the last known electronic mail address of the
data subject;
(c) placement in a prominent position on the website of the
responsible party;
(d) publication in the media; or
(e) any other manner that the Commission may direct.
(6) A notification shall provide sufficient information to allow the data
subject to take protective measures against the consequences of unauthorised
access or acquisition of the data.
(7) The information shall include, if known to the data controller, the
identity of the unauthorised person who may have accessed or acquired the
personal data.
(8) Where the Commission has grounds to believe that publicity would