Report a Personal Data Incident

Personal Data Incident Report

Should there be cause to suspect a personal data incident involving NUS and/or its Staff/Students, please email to alert us at All reports will be taken seriously.

To facilitate a timely review, the following details should be included in your report:

  1. Full name and contact information*
  2. Affiliation to NUS (e.g. Alumni, Faculty, Staff, Student, No Affiliation etc.)
  3. Details of the incident, including:
    • Name of School/College/Centre/Department involved*
    • Name of individuals involved (if known)
    • Number of individuals involved (if known)
    • Date/time when you became aware of the incident*
    • Type(s) of PD affected (1)
    • Cause (actual/suspected) of the incident (2)
    • Impact on PD (3)
    • Summary of the incident (Where incident occurred, means of detection, any remedial steps taken)
    • Any other relevant information or supporting documentation

* indicates compulsory details

(1) Types of Personal Data Affected:-

  • “Personal Data” is defined under the PDPA to mean:-
    • data,
    • whether true or not,
    • about an individual who can be identified:
      • from that data; or
      • from that data and other information to which an organization has or is likely to have access.
  • By way of illustration, examples of Personal Data include (but are not limited to) the following:-
    • Individual’s name
    • Date of birth
    • NRIC number, FIN (Foreign Identification Number), passport numbers and other national identification numbers
    • Contact details such as residential address, personal phone number, personal email address
    • Human Resource data about employees (e.g. Staff ID numbers)
    • Employment appraisal or evaluation
    • Student matriculation number
    • Student academic data (e.g. assessment results)
    • Health information / medical records
    • Biometric information (e.g. fingerprint, iris image, DNA profile, voice recording) and research data (4)
    • Facial image of an individual (e.g. photograph / video recording)
    • A reference about an individual

(2) Cause (actual/suspected) of the incident:-

  • The cause could include one or more of the following:-
    • Cyber security issues (e.g. malware, ransomware, data exportation, hacking)
    • Loss of data (e.g. loss of physical copies of data, soft copies of data, device containing the PD such as laptop/external drive)
    • Theft of data
    • Human error (oversight/carelessness)
    • Technical error (e.g. system error, access settings)

(3) Impact on Personal Data:-

Examples of how PD could be affected include, inter alia:-

  • PD disclosed to unintended recipients
  • PD disclosed without consent of the data subject
  • Unauthorised transfer of PD
  • Data held to ransom
  • Data lost/expunged